Can sssd allocate uid/gid out of a pool unique to each domain? The mapping need not be complex: “last_allocated+1” should suffice.
I’m motivated to ask the following question because I “supplement” our official Active Directory with accounts for external partners/collaborators. Numeric uid/gid fields could well collide because there’s no coordination, nor is there likely to be. In the long term, we’d like to fix that, and we’d like to convince our powers-that-be that joining one or more larger “identity federations” is in their best interest. But that puts us right back where we started, as uid/gids across several large, mostly disconnected organizations are not going to be coordinated.
So: What reasons still exist to insist on coordination? Are we ready to make the leap to coordinating the set of text-based-principals which are valid within a domain?
File sharing via NFS with “sec=sys” is just about the only obstruction I can think of. Otherwise, uid/gids are local to each machine, and it is sufficient to allow each machine to perform its own unique mapping from “valid username” to uid.
So if I either prohibit NFS entirely or insist on “sec=krb5”, could I have a gaggle of linux boxes which individually allocate uids and gids as they encounter valid Kerberos credentials?
Sorry for wandering into the abstract there; this seemed an appropriate venue for determining whether such a scheme was viable.
Bryce