On Mon, Jun 03, 2013 at 03:32:05PM +0200, Sumit Bose wrote: > On Tue, May 28, 2013 at 02:50:59PM +0300, Alexander Bokovoy wrote: > > Hi, > > > > > > http://www.freeipa.org/page/V3/Serving_legacy_clients_for_trusts > > > > > > === CLI === > > > > The feature is not directly exposed in CLI. > > > > IPA idrange management is expanded to specify idrange type (IPA local, > > AD trust, AD with winsync, IPA trust, ..) to affect the way how AD users > > SIDs are mapped to POSIX IDs. > > > > Hi, > > currently with algorithmic mapping we use user-private groups for all > trusted user. This is in agreement with the defaults for IPA users and > also matches with AD's RID handling because a single namespace for UIDs > and GIDs is forced this way. > > When adding support for UIDs and GIDs stored in AD we cannot do this > anymore because AD (correctly) treats POSIX UIDs and GIDs as separate > name spaces. As a consequence SSSD has to treat algorithmic mapping and > IDs-in-AD mapping differently with respect to user private groups. > > My question is, shall SSSD implicitly do the right thing based on the > type of the idrange, or shall there be an extra attribute in the idrange > object which explicitly says if the range has user private groups or > not? > > I think it is not needed because for both current mappings there is only > one choice but maybe someone can think of a reason for such an > attribute.
We discussed this a bit and came to the following agreement: - no extra attribute is needed - for all idranges type where IPA is assigning the ID user-private groups will be used (local IPA users, algorithmic mappings) - for all idranges where the IDs are managed by external sources we use what we get bye, Sumit > > bye, > Sumit > > _______________________________________________ > Freeipa-devel mailing list > Freeipa-devel@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel