On Thu, 2016-06-30 at 10:32 -0400, Danila Ladner wrote:
> Hello folks.
> What are the best practices on enrolling existing hosts in infrastructure
> into FreeIPA
> What do we do with local users which are present on the hosts and overlap
> with users in FreeIPA, should we remove local users? What happens to the
> files, directories owned by them? Is it usually a manual process?

It is usually a manual process, as host by host you need to determine if the local user is actually the same user in the central system or another user by the same name.

In latest FreeIPA we have ID Views, which allow you to remap POSIX attributes (including name, uidnumber and gidnumber) exactly for cases like this where pre-existing users may have incompatible naming or numbering attributes/schemes.

> I was thinking creating some salt states since we have around 800 hosts to
> remove local accounts, just not sure how I can remap files and directories
> to be owned by ipa users, IPA users have same usernames but apparently
> different GIDs and UIDs.
> Would be useful to hear some insights on what folks do in the
> implementation process.

In this case the admin would manually (or script) create a view for a (group of) machine(s) and load the overrides in the ID View, and then apply the ID View to the machine(s).

Docs here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/id-views.html

Also here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html

Note that ID Views are not confined just to AD trust environments; this second doc is just to have a wider view of the feature.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
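
The create/override/apply sequence described in the reply above, as an added example that is not part of the original thread: a script that compares one host's local passwd entries with the IPA attributes of same-named users and emits the `ipa` CLI calls for an ID View that keeps the local UID/GID. The view name, host name, passwd lines and IPA numbers are constructed, and the script assumes each overlapping name has already been confirmed to be the same person.

```python
import shlex

# Constructed sample data: local /etc/passwd lines from one host and the
# (uidNumber, gidNumber) of same-named users as exported from IPA.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/zsh
svc_backup:x:1500:1500::/var/lib/backup:/sbin/nologin
"""
IPA_USERS = {
    "alice": (1234600001, 1234600001),
    "bob": (1234600002, 1234600002),
    "carol": (1003, 1003),  # already matches, needs no override
}

def parse_passwd(text, min_uid=1000):
    """Yield (name, uid, gid) for non-system accounts in passwd(5) text."""
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if uid >= min_uid:
            yield name, uid, gid

def build_commands(view, host, passwd_text, ipa_users):
    """Return ipa CLI calls that preserve local uid/gid for overlapping users."""
    overrides = []
    for name, uid, gid in parse_passwd(passwd_text):
        # Local-only accounts (not in IPA) are left alone; identical IDs need nothing.
        if name in ipa_users and ipa_users[name] != (uid, gid):
            overrides.append(shlex.join(
                ["ipa", "idoverrideuser-add", view, name,
                 f"--uid={uid}", f"--gidnumber={gid}"]))
    if not overrides:
        return []
    return ([shlex.join(["ipa", "idview-add", view])] + overrides +
            [shlex.join(["ipa", "idview-apply", view, f"--hosts={host}"])])

if __name__ == "__main__":
    for cmd in build_commands("legacy_web01", "web01.example.com",
                              LOCAL_PASSWD, IPA_USERS):
        print(cmd)
```

With an override in place the existing file ownership on that host stays valid, so no chown pass is needed there; the local account itself still has to be removed so the name resolves through SSSD.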