On Fri, May 07, 2021 at 04:11:33PM -0000, iulian roman via FreeIPA-users wrote:
> Yes, it is correct and this is exactly what I observed in the tests
> (if ipa-ad-trust-posix is not mentioned, the uidNumber and gidNumber
> are ignored) and the one within the range is generated.
> The situation I have in AD is a "mix" of users without those
> attributes and with. If I configure the trust as non-posix, all users
> are detected but the uid and gid are ignored for those who have one in
> AD, therefore they would not be able to access their home folders
> (which have permissions based on AD uid and gid).
> I do not know if that is possible (to have IPA using uid and gid
> number when they are present in AD and generate a new one when not
> present) or is something which is considered a feature request, but I
> thought it is worth asking.
Hi,

it is not possible to have both automatically at the same time. You can either use the UIDs and GIDs managed in AD or let IPA autogenerate them. The main reason for this is the different administrative domains. If the UIDs and GIDs are managed in AD, IPA expects that AD administrators will take care that the IDs make sense and that there are no collisions. If the IDs are autogenerated on the IPA side, IPA takes care of this. If you mix both, you might run into cases where a user or group is added to AD and somewhat later a UID or GID is assigned in AD. If the new object was picked up in between by IPA and got an ID assigned automatically, you now have 2 IDs for the same object.

However, to make migration from legacy domains easier, id-overrides were added to IPA. With this you can use autogenerated IDs for all users and groups from AD but add individual UIDs or GIDs to selected users and groups. With this all the ID management is inside the IPA domain and it is up to the IPA administrators to make sure the object which needs an id-override is not used before (or, on the systems where it was already used, the filesystem permissions are updated accordingly).
HTH

bye,
Sumit

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
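The id-override approach from the reply above, as an added example (not code from the thread or from the FreeIPA project): given an export of AD users with their POSIX attributes, the script emits one `ipa idoverrideuser-add` command per user that already carries a uidNumber and gidNumber in AD, leaves users without them to IPA's autogeneration, and refuses any ID that falls inside the IPA-managed range, which is the "two IDs for one object" collision the reply warns about. The ID view name, the range base and size, and the sample export are assumptions; the real range comes from `ipa idrange-find`.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Emit id-override commands for AD users that have POSIX IDs in AD and
# skip any ID that overlaps the IPA autogenerated range.

# Assumed values: the ID view the trust uses and the IPA-side range.
# Replace the base/size placeholders with the real ones from `ipa idrange-find`.
IDVIEW="${IDVIEW:-Default Trust View}"
IPA_RANGE_BASE="${IPA_RANGE_BASE:-1920000000}"   # placeholder base
IPA_RANGE_SIZE="${IPA_RANGE_SIZE:-200000}"       # placeholder size

# Constructed sample export, one user per line:
#   <user@AD-domain> <uidNumber|-> <gidNumber|->
# A "-" means the attribute is not set on the AD object.
SAMPLE_USERS='alice@ad.example.com 10001 10001
bob@ad.example.com - -
carol@ad.example.com 1920000042 10002'

# Succeeds (exit 0) when $1 lies inside the IPA autogenerated range.
in_ipa_range() {
    [ "$1" -ge "$IPA_RANGE_BASE" ] &&
        [ "$1" -lt "$((IPA_RANGE_BASE + IPA_RANGE_SIZE))" ]
}

# Print the override commands for the export passed as $1. This is a dry
# run: nothing is executed, so the output can be reviewed before it is run.
gen_overrides() {
    printf '%s\n' "$1" | while read -r user uid gid; do
        # No POSIX IDs in AD: IPA will allocate one from its own range.
        if [ "$uid" = "-" ] || [ "$gid" = "-" ]; then
            continue
        fi
        # An AD-assigned ID inside the IPA range would collide with an
        # autogenerated one, so report it instead of producing an override.
        if in_ipa_range "$uid" || in_ipa_range "$gid"; then
            printf 'SKIP %s: uid=%s gid=%s overlaps IPA range %s-%s\n' \
                "$user" "$uid" "$gid" "$IPA_RANGE_BASE" \
                "$((IPA_RANGE_BASE + IPA_RANGE_SIZE - 1))"
            continue
        fi
        printf "ipa idoverrideuser-add '%s' %s --uid=%s --gidnumber=%s\n" \
            "$IDVIEW" "$user" "$uid" "$gid"
    done
}

gen_overrides "$SAMPLE_USERS"
```

Run it against a real export only after the trust has been created with the autogenerated (non-posix) range; the printed commands are then applied once per user, and users such as `bob` above simply keep the ID IPA allocated for them.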