Hi Jakub,

Actually that is what I am doing. I am creating the user with the same UID in IPA, and then if I delete the user locally I can authenticate via IPA. Is there any way I can do this without deleting the user? This is just to use the same GID and avoid recreation of home/directories.

Many thanks for your response!

Regards,
Deepak

On Thu, Mar 2, 2017 at 8:40 PM, Jakub Hrozek <[email protected]> wrote:

> On Thu, Mar 02, 2017 at 07:09:41PM +0530, deepak dimri wrote:
> > Hi List,
> >
> > I have sudo and normal users accessing Linux systems using their private
> > key without IPA. I have IPA fully functioning and now I want to switch the
> > users from local file login to IPA.
> >
> > Any new user I create in IPA can SSH into IPA client jump boxes fine. I
> > want to know how I can migrate existing local sudoers users to IPA. This
> > is what I have done to achieve this:
> >
> > 1 - Created a new user in IPA with the same name as I have in Jumpbox.
> > 2 - Added the public key of that user in IPA.
> > 3 - Added the user to jumpbox_usergroup, as my sshd.conf forces the users of
> > this group to authenticate against pam/sssd.
> >
> > Now when I try to ssh into the jumpbox as I was doing before, I still log
> > into the jumpbox via unix pam and not IPA. What should I be doing so that
> > the "existing" local unix users can log in via IPA?
>
> But do you need to keep the local users around? Why not create the IPA
> user with the same UID as the local user and remove the local user?
>
> Typically, if there is a user both in the local files and a remote
> source, the system (as configured in nsswitch.conf) would first return
> the local user and the PAM stack then only authenticates this user using
> pam_unix.so
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
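
Added example (not part of the original thread and not FreeIPA project code): a shell check for the overlap described in the quoted reply, listing account names defined both in the local files and in IPA and flagging UID/GID differences. The function names, the `--live` and `--demo` switches and the sample accounts are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find accounts that exist both in local files and in IPA/SSSD.
# While such an overlap exists and nsswitch.conf lists "files" first, the
# local entry is returned and PAM authenticates it with pam_unix.so.

# shadowed_users LOCAL REMOTE
# LOCAL and REMOTE are files in passwd(5) format. Prints one line per name
# found in both, with a flag telling whether UID and GID agree.
shadowed_users() {
    awk -F: '
        FILENAME == ARGV[1] { uid[$1] = $3; gid[$1] = $4; next }
        ($1 in uid) {
            flag = (uid[$1] == $3 && gid[$1] == $4) ? "ids-match" : "ID-MISMATCH"
            printf "%s local=%s:%s ipa=%s:%s %s\n", $1, uid[$1], gid[$1], $3, $4, flag
        }
    ' "$1" "$2"
}

# live_check: the same comparison against the running system.
live_check() {
    tmp=$(mktemp -d) || return 1
    getent -s files passwd > "$tmp/local"
    # SSSD does not enumerate users by default, so query each name.
    cut -d: -f1 "$tmp/local" | while read -r name; do
        getent -s sss passwd "$name" || true
    done > "$tmp/ipa"
    shadowed_users "$tmp/local" "$tmp/ipa"
    rm -rf "$tmp"
}

# demo: constructed sample data (hypothetical accounts, not from the thread).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1001:1001::/home/alice:/bin/bash' \
        'bob:x:1002:1002::/home/bob:/bin/bash' > "$tmp/local"
    printf '%s\n' 'alice:*:1001:1001:Alice:/home/alice:/bin/bash' \
        'bob:*:5002:5002:Bob:/home/bob:/bin/bash' \
        'carol:*:5003:5003:Carol:/home/carol:/bin/bash' > "$tmp/ipa"
    shadowed_users "$tmp/local" "$tmp/ipa"
    rm -rf "$tmp"
}

case "${1:-}" in
    --live) live_check ;;
    --demo) demo ;;
esac
```

An `ID-MISMATCH` line means files owned by the local UID will not belong to the IPA account once the local entry is removed.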
