Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
On Tue, 2015-04-07 at 22:01 -0400, Coy Hile wrote:
> > On Apr 7, 2015, at 2:58 PM, Simo Sorce wrote:
> > 
> > On Tue, 2015-04-07 at 18:54, Coy Hile wrote:
> >> Quoting Simo Sorce:
> >> 
> >>>> I guess that makes sense. Is it possible to add a user that simply
> >>>> doesn't have the posix attributes defined? In the particular case of
> >>>> */admin, I would expect that user to login to the ipa ui or to be
> >>>> kinit'd to prior to running ipa administrative commands, but I should
> >>>> hope that it should never login directly.
> >>>> 
> >>>> Does that question make more sense?
> >>> 
> >>> It does, but we do not have such a feature, sorry.
> >>> 
> >>> Simo.
> >>> 
> >> 
> >> Could one hypothetically remove the posix attributes (via some scripted
> >> process that validates that what it's doing is inline with organizational
> >> norms/goals) without breaking freeIPA, or are the posix attributes MUST in
> >> the IPA object classes?   I'm sorry for so many endless questions, but
> >> having finally got my personal setup/lab using something other than
> >> Active Directory, I'm looking to migrate to something that is easier to
> >> manage, so I'm trying to draw comparisons between what I had been used to
> >> in previous vanilla krb/ldap shops.
> > 
> > Removing attributes will probably not work well, but let me ask:
> > Do you require different passwords for these principals ?
> > Or do you merely want to have the alternative names but would be ok if
> > the credentials were identical ?
> > 
> > Because you could (manually for now) add aliases so that hile@
> > hile/admin@ hile/foo@ are the same thing, where hile@ is the canonical
> > name but you can use aliases too (just make sure not to request
> > canonicalization at kinit time).
> > 
> 
> My intent was that they have different passwords (and perhaps
> differing password policies.) For example, a /admin principal might
> enforce password expiry with a shorter lifespan than a normal
> principal, or might have a shorter maximum ticket lifetime before
> kinit -R is necessary.  It’s merely convenient that these other
> instances not necessarily be posix accounts to enforce there’s no
> possible way that, for example, someone logs in and is running a full
> GNOME session as an admin.  But I can live with them being posix
> accounts since it’s baked in.
> 
> We’ve all heard the horror stories of the Microsoft shops where some
> genius decided to login to his workstation with his juser_domainadmin
> account, or worse Administrator….
> 

You can use HBAC to prevent these users from logging in via
gdm/ssh/login etc...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Coy Hile

> On Apr 7, 2015, at 2:58 PM, Simo Sorce wrote:
> 
> On Tue, 2015-04-07 at 18:54, Coy Hile wrote:
>> Quoting Simo Sorce:
>> 
>>>> I guess that makes sense. Is it possible to add a user that simply
>>>> doesn't have the posix attributes defined? In the particular case of
>>>> */admin, I would expect that user to login to the ipa ui or to be
>>>> kinit'd to prior to running ipa administrative commands, but I should
>>>> hope that it should never login directly.
>>>> 
>>>> Does that question make more sense?
>>> 
>>> It does, but we do not have such a feature, sorry.
>>> 
>>> Simo.
>>> 
>> 
>> Could one hypothetically remove the posix attributes (via some scripted
>> process that validates that what it's doing is inline with organizational
>> norms/goals) without breaking freeIPA, or are the posix attributes MUST in
>> the IPA object classes?   I'm sorry for so many endless questions, but having
>> finally got my personal setup/lab using something other than Active Directory,
>> I'm looking to migrate to something that is easier to manage, so I'm trying to
>> draw comparisons between what I had been used to in previous vanilla krb/ldap
>> shops.
> 
> Removing attributes will probably not work well, but let me ask:
> Do you require different passwords for these principals ?
> Or do you merely want to have the alternative names but would be ok if
> the credentials were identical ?
> 
> Because you could (manually for now) add aliases so that hile@
> hile/admin@ hile/foo@ are the same thing, where hile@ is the canonical
> name but you can use aliases too (just make sure not to request
> canonicalization at kinit time).
> 

My intent was that they have different passwords (and perhaps differing 
password policies.) For example, a /admin principal might enforce password 
expiry with a shorter lifespan than a normal principal, or might have a shorter 
maximum ticket lifetime before kinit -R is necessary.  It’s merely convenient 
that these other instances not necessarily be posix accounts to enforce there’s 
no possible way that, for example, someone logs in and is running a full GNOME 
session as an admin.  But I can live with them being posix accounts since it’s 
baked in.

We’ve all heard the horror stories of the Microsoft shops where some genius 
decided to login to his workstation with his juser_domainadmin account, or 
worse Administrator….



--
Coy Hile
coy.h...@coyhile.com



Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Dmitri Pal

On 04/07/2015 10:22 AM, Simo Sorce wrote:
> On Tue, 2015-04-07 at 14:16, coy.h...@coyhile.com wrote:
>> Quoting Simo Sorce:
>>
>>> On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
>>>> In MIT land, one can potentially have multiple instances tied (by
>>>> convention) to a given user (that is, that administratively one knows
>>>> are the same set of eyeballs).  For example, I might have my normal
>>>> user (hile), and I might have another distinct MIT principal
>>>> hile/admin used when I’m doing administrative work in the kerb
>>>> database, or potentially yet another hile/vpn for remote access.  Only
>>>> the first of these is a ‘real’ user that needs to have a uid, gid,
>>>> home directory, and shell; the others are just Kerberos principals
>>>> that might have differing password policies applied to them.  In
>>>> FreeIPA, it appears all kerberos principals are tied to a user (or to
>>>> a host in the case of host/ or another service definition). Is it
>>>> possible to define a non-posix user?  There is no good reason for
>>>> hile/admin@MY.REALM to have a uidNumber or gidNumber; one should never
>>>> login directly using that principal.
>>>
>>> Early on when we created FreeIPA we decided against providing
>>> alternative principals for the same user as it made things a lot more
>>> complex for little gain. To this day we still do not support them.
>>>
>>> Keep in mind that adding a principal is not the whole story, once you do
>>> that then you probably still want to associate it to some user, and
>>> assign privileges and allow alternative principal names to ssh into some
>>> machines, which means distributing k5login files or providing explicit
>>> support in the new aname2lname plugin.
>>>
>>> To do all this means adding new objects and configuration facilities to
>>> handle these special non-users, we haven't yet found enough benefit in
>>> adding support for these to warrant the work involved.
>>>
>>> Simo.
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>
>> I guess that makes sense. Is it possible to add a user that simply
>> doesn't have the posix attributes defined? In the particular case of
>> */admin, I would expect that user to login to the ipa ui or to be
>> kinit'd to prior to running ipa administrative commands, but I should
>> hope that it should never login directly.
>>
>> Does that question make more sense?
>
> It does, but we do not have such a feature, sorry.
>
> Simo.


Would setting shell to NULL help?
What do you want to prevent? SSH logins? You can have host-based access 
control rules for that.
Maybe a better explanation of why you need this user to not have posix 
would be beneficial.
You can have posix users and still prevent them from logging in where they 
should not be able to log in.




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

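
The HBAC route that Simo ("You can use HBAC to prevent these users from
logging in via gdm/ssh/login") and Dmitri ("You can have posix users and
still prevent them from logging where they should not") point at, worked
through as an added example. This is not code from the thread or from the
FreeIPA project; the user hile_admin (standing in for a hile/admin instance),
the group admin-instances, the HBAC rule interactive-login and the host
ws1.example.com are all assumed names, and the lifetimes are illustrative.
It gives the admin instance its own account and therefore its own password
(what Coy asked for), attaches a stricter password and ticket policy to it,
and then uses HBAC to keep it off sshd, login and gdm on every enrolled host.
kinit, the ipa CLI and the web UI authenticate with Kerberos directly and are
not HBAC services, so the admin instance can still be used for administrative
work. Two things worth knowing before running it: FreeIPA HBAC has allow
rules only, so "preventing" a login means disabling the default allow_all
rule and re-allowing ordinary users explicitly, and user-add puts every new
account into ipausers, so the admin instance must be taken out of that group
or the ordinary-user rule would cover it too.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.  All names are
# assumed: user hile_admin (the */admin instance of user hile), group
# admin-instances, HBAC rule interactive-login, test host ws1.example.com.
# Run on an enrolled host with the ipa client tools and a 'kinit admin'
# ticket:   sh lockdown-admin-instance.sh --apply
set -eu

ADMIN_USER="${ADMIN_USER:-hile_admin}"
ADMIN_GROUP="${ADMIN_GROUP:-admin-instances}"
RULE="${RULE:-interactive-login}"
TEST_HOST="${TEST_HOST:-ws1.example.com}"
# Default HBAC services that represent an interactive session on a client.
LOGIN_SERVICES="sshd login gdm gdm-password"

# 1. A separate account, hence a separate password.  Every IPA user is
#    POSIX, so the nologin shell is only a courtesy; HBAC is the control.
create_admin_instance() {
    ipa user-add "$ADMIN_USER" --first=Coy --last=Hile --shell=/sbin/nologin
    ipa group-add "$ADMIN_GROUP" --desc="Admin instances: never log in interactively"
    ipa group-add-member "$ADMIN_GROUP" --users="$ADMIN_USER"
    # user-add placed the account in ipausers; remove it so the login rule
    # below (which allows ipausers) does not cover it.
    ipa group-remove-member ipausers --users="$ADMIN_USER"
    # Grant the administrative rights this instance exists for.
    ipa group-add-member admins --users="$ADMIN_USER"
}

# 2. Stricter credentials for the group: password max life in days, min
#    life in hours, and a per-user ticket life/renew limit in seconds.
harden_admin_credentials() {
    ipa pwpolicy-add "$ADMIN_GROUP" --maxlife=30 --minlife=1 --history=24 --priority=10
    ipa krbtpolicy-mod "$ADMIN_USER" --maxlife=3600 --maxrenew=3600
}

# 3. HBAC knows allow rules only.  Create the replacement rule first, then
#    disable the catch-all, so ordinary users never hit a window with no
#    rule at all.  kinit, the ipa CLI and the web UI are not HBAC services.
restrict_admin_logins() {
    ipa hbacrule-add "$RULE" --desc="Interactive login for ordinary users" --hostcat=all
    ipa hbacrule-add-user "$RULE" --groups=ipausers
    for svc in $LOGIN_SERVICES; do
        ipa hbacrule-add-service "$RULE" --hbacsvcs="$svc"
    done
    ipa hbacrule-disable allow_all
}

# 4. Let the server evaluate the rules.  Expect "Access granted: False" for
#    the admin instance and True for the ordinary user.  The '|| :' is an
#    assumption-driven precaution: do not let an expected denial abort the
#    script if hbactest's exit status follows the verdict.
check_access() {
    ipa hbactest --user="$ADMIN_USER" --host="$TEST_HOST" --service=sshd || :
    ipa hbactest --user=hile --host="$TEST_HOST" --service=gdm
}

case "${1:-}" in
    --apply) create_admin_instance; harden_admin_credentials; restrict_admin_logins; check_access ;;
esac
```

HBAC is enforced by SSSD on enrolled hosts only; a host that authenticates
against the KDC without SSSD, or a local account, is outside it. Disabling
allow_all also withdraws its blanket permission for every other HBAC service
(su, sudo, crond and whatever else `ipa hbacsvc-find` lists), so anything
your ordinary users rely on beyond the four services above needs its own
allow rule before the switch. If identical credentials are acceptable after
all, the alias route Simo sketches is exposed in FreeIPA 4.4 and later as
`ipa user-add-principal hile hile/admin@EXAMPLE.COM`; the caveat he gives
still applies, so obtain the ticket with plain `kinit hile/admin`, not
`kinit -C`, which requests canonicalization back to hile@.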

Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
On Tue, 2015-04-07 at 18:54, Coy Hile wrote:
> Quoting Simo Sorce:
> 
> >> I guess that makes sense. Is it possible to add a user that simply
> >> doesn't have the posix attributes  defined? In the particular case of
> >> */admin, I would expect that user to login to the ipa ui or to be
> >> kinit'd to prior to running ipa administrative commands, but I should
> >> hope that it should never login directly.
> >>
> >> Does that question make more sense?
> >
> > It does, but we do not have such a feature, sorry.
> >
> > Simo.
> >
> 
> Could one hypothetically remove the posix attributes (via some scripted
> process that validates that what it's doing is inline with organizational
> norms/goals) without breaking freeIPA, or are the posix attributes MUST in
> the IPA object classes?   I'm sorry for so many endless questions, but having
> finally got my personal setup/lab using something other than Active Directory,
> I'm looking to migrate to something that is easier to manage, so I'm trying to
> draw comparisons between what I had been used to in previous vanilla krb/ldap
> shops.

Removing attributes will probably not work well, but let me ask:
Do you require different passwords for these principals ?
Or do you merely want to have the alternative names but would be ok if
the credentials were identical ?

> Because you could (manually for now) add aliases so that hile@
> hile/admin@ hile/foo@ are the same thing, where hile@ is the canonical
> name but you can use aliases too (just make sure not to request
> canonicalization at kinit time).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Coy Hile


Quoting Simo Sorce:

>> I guess that makes sense. Is it possible to add a user that simply
>> doesn't have the posix attributes defined? In the particular case of
>> */admin, I would expect that user to login to the ipa ui or to be
>> kinit'd to prior to running ipa administrative commands, but I should
>> hope that it should never login directly.
>>
>> Does that question make more sense?
>
> It does, but we do not have such a feature, sorry.
>
> Simo.


Could one hypothetically remove the posix attributes (via some scripted
process that validates that what it's doing is inline with organizational
norms/goals) without breaking freeIPA, or are the posix attributes MUST in
the IPA object classes?   I'm sorry for so many endless questions, but having
finally got my personal setup/lab using something other than Active Directory,
I'm looking to migrate to something that is easier to manage, so I'm trying to
draw comparisons between what I had been used to in previous vanilla krb/ldap
shops.

Thanks,
-c

--
Coy Hile
coy.h...@coyhile.com




Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
On Tue, 2015-04-07 at 14:16, coy.h...@coyhile.com wrote:
> Quoting Simo Sorce:
> 
> > On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
> >> In MIT land, one can potentially have multiple instances tied (by
> >> convention) to a given user (that is, that administratively one knows
> >> are the same set of eyeballs).  For example, I might have my normal
> >> user (hile), and I might have another distinct MIT principal
> >> hile/admin used when I’m doing administrative work in the kerb
> >> database, or potentially yet another hile/vpn for remote access.  Only
> >> the first of these is a ‘real’ user that needs to have a uid, gid,
> >> home directory, and shell; the others are just Kerberos principals
> >> that might have differing password policies applied to them.  In
> >> FreeIPA, it appears all kerberos principals are tied to a user (or to
> >> a host in the case of host/ or another service definition). Is it
> >> possible to define a non-posix user?  There is no good reason for
> >> hile/admin@MY.REALM to have a uidNumber or gidNumber; one should never
> >> login directly using that principal.
> >
> > Early on when we created FreeIPA we decided against providing
> > alternative principals for the same user as it made things a lot more
> > complex for little gain. To this day we still do not support them.
> >
> > Keep in mind that adding a principal is not the whole story, once you do
> > that  then you probably still want to associate it to some user, and
> > assign privileges and allow alternative principal names to ssh into some
> > machines, which means distributing k5login files or providing explicit
> > support in the new aname2lname plugin.
> >
> > To do all this means adding new objects and configuration facilities to
> > handle these special non-users, we haven't yet found enough benefit in
> > adding support for these to warrant the work involved.
> >
> > Simo.
> >
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
> I guess that makes sense. Is it possible to add a user that simply  
> doesn't have the posix attributes  defined? In the particular case of  
> */admin, I would expect that user to login to the ipa ui or to be  
> kinit'd to prior to running ipa administrative commands, but I should  
> hope that it should never login directly. 
> 
> Does that question make more sense? 

It does, but we do not have such a feature, sorry.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread coy.hile

Quoting Simo Sorce:

> On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
>> In MIT land, one can potentially have multiple instances tied (by
>> convention) to a given user (that is, that administratively one knows
>> are the same set of eyeballs).  For example, I might have my normal
>> user (hile), and I might have another distinct MIT principal
>> hile/admin used when I’m doing administrative work in the kerb
>> database, or potentially yet another hile/vpn for remote access.  Only
>> the first of these is a ‘real’ user that needs to have a uid, gid,
>> home directory, and shell; the others are just Kerberos principals
>> that might have differing password policies applied to them.  In
>> FreeIPA, it appears all kerberos principals are tied to a user (or to
>> a host in the case of host/ or another service definition). Is it
>> possible to define a non-posix user?  There is no good reason for
>> hile/admin@MY.REALM to have a uidNumber or gidNumber; one should never
>> login directly using that principal.
>
> Early on when we created FreeIPA we decided against providing
> alternative principals for the same user as it made things a lot more
> complex for little gain. To this day we still do not support them.
>
> Keep in mind that adding a principal is not the whole story, once you do
> that then you probably still want to associate it to some user, and
> assign privileges and allow alternative principal names to ssh into some
> machines, which means distributing k5login files or providing explicit
> support in the new aname2lname plugin.
>
> To do all this means adding new objects and configuration facilities to
> handle these special non-users, we haven't yet found enough benefit in
> adding support for these to warrant the work involved.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

I guess that makes sense. Is it possible to add a user that simply
doesn't have the posix attributes defined? In the particular case of
*/admin, I would expect that user to login to the ipa ui or to be
kinit'd to prior to running ipa administrative commands, but I should
hope that it should never login directly.

Does that question make more sense?


Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone


-------- Original message --------
From: Simo Sorce
Date:04/07/2015  08:52  (GMT-05:00)
To: coy.h...@coyhile.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating arbitrary users?




Re: [Freeipa-users] Creating arbitrary users?

2015-04-07 Thread Simo Sorce
On Mon, 2015-04-06 at 21:16 -0400, Coy Hile wrote:
> In MIT land, one can potentially have multiple instances tied (by
> convention) to a given user (that is, that administratively one knows
> are the same set of eyeballs).  For example, I might have my normal
> user (hile), and I might have another distinct MIT principal
> hile/admin used when I’m doing administrative work in the kerb
> database, or potentially yet another hile/vpn for remote access.  Only
> the first of these is a ‘real’ user that needs to have a uid, gid,
> home directory, and shell; the others are just Kerberos principals
> that might have differing password policies applied to them.  In
> FreeIPA, it appears all kerberos principals are tied to a user (or to
> a host in the case of host/ or another service definition). Is it
> possible to define a non-posix user?  There is no good reason for
> hile/admin@MY.REALM to have a uidNumber or gidNumber; one should never
> login directly using that principal.

Early on when we created FreeIPA we decided against providing
alternative principals for the same user as it made things a lot more
complex for little gain. To this day we still do not support them.

Keep in mind that adding a principal is not the whole story, once you do
that  then you probably still want to associate it to some user, and
assign privileges and allow alternative principal names to ssh into some
machines, which means distributing k5login files or providing explicit
support in the new aname2lname plugin.

To do all this means adding new objects and configuration facilities to
handle these special non-users, we haven't yet found enough benefit in
adding support for these to warrant the work involved.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
