Hello all,
The kerberos provider (Active Directory) in our environments uses all numeric usernames. If we configure SSSD to use Active Directory for the Auth Provider, then we will end up with the All-number Usernames on Linux.
What are our options?
Note: We are using the Oracle Directory Server as the Principal Database.
Thanks, Saqib
----
"If we configure SSSD to use Active Directory for the Auth Provider, then we will end up with the All-number Usernames on Linux."
This is not true. It is completely fine if Unix username != Kerberos principal.
O.
-----Original Message----- From: Ali, Saqib [mailto:docbook.xml@gmail.com] Sent: Wednesday, January 11, 2017 8:15 PM To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: [SSSD-users] All numeric User ID in the Kerberos Provider
---- _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
-----
On Wed, Jan 11, 2017 at 11:14:40AM -0800, Ali, Saqib wrote:
> Hello all,
> The kerberos provider (Active Directory) in our environments uses all numeric username. If we configure SSSD to use Active Directory for the Auth Provider, then we will end up with the All-number Usernames on Linux.
> What are our options?
In general SSSD should be fine here but afaik we do not test this kind of setup.
However, many system tools check if the input is numeric and assume that the input is a POSIX ID in this case. So as long as the number used for the numeric user name is not the same as the POSIX UID of the user I would strictly recommend against it (btw what about the group names?).
bye, Sumit
> Note: We are using the Oracle Directory Server as the Principal Database.
> Thanks, Saqib
I would strongly discourage the use of all numeric usernames. They will only cause you grief in the long term especially when uids and user names overlap. For example, to expand on Sumit's comment,
# id 12345
# getent passwd 12345
Is this the user 12345 or the uid 12345? I would encourage you to google for "unix username conventions" and you'll see what others recommend when it comes to user names. Once upon a time I found where someone posted what the OS is actually expecting but a quick google didn't surface it so I'll leave that as an exercise to the user :-).
=G=
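The ambiguity raised in the replies above, as an added example that is not part of the original thread: it audits passwd-format entries for all-numeric login names and reports how a lookup that tries digits as a UID first would resolve each one. The UID-first rule is a simplified model of the tool behaviour described, and the sample entries, names and UIDs are constructed.

```python
"""Audit passwd-format entries for all-numeric login names (added example)."""

# Constructed sample in passwd(5) format; every name, UID and path is made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:12345:12345:Alice:/home/alice:/bin/bash
12345:x:20001:20001:Numeric name, UID owned by alice:/home/12345:/bin/bash
20002:x:20002:20002:Numeric name equal to own UID:/home/20002:/bin/bash
777:x:20003:20003:Numeric name, UID unassigned:/home/777:/bin/bash
"""


def is_numeric(token):
    """True for a non-empty string made only of ASCII digits."""
    return token.isascii() and token.isdigit()


def parse_passwd(text):
    """Return a list of (name, uid) tuples from passwd-format text."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries.append((fields[0], int(fields[2])))
    return entries


def resolve_numeric_first(token, entries):
    """Assumed model: digits are looked up by UID, anything else by name."""
    if is_numeric(token):
        return next((n for n, u in entries if u == int(token)), None)
    return next((n for n, u in entries if n == token), None)


def audit_numeric_names(entries):
    """Classify each all-digit login name by what a UID-first lookup returns."""
    report = {}
    for name, _uid in entries:
        if not is_numeric(name):
            continue
        hit = resolve_numeric_first(name, entries)
        if hit == name:
            report[name] = "consistent"           # name equals its own UID
        elif hit is None:
            report[name] = "unresolved"           # no account has that UID
        else:
            report[name] = "shadowed by " + hit   # another account answers
    return report
```

Only the "consistent" case, where the numeric name equals the account's own UID, resolves to the same account under both interpretations.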
________________________________________ From: Sumit Bose sbose@redhat.com Sent: Thursday, January 12, 2017 3:56 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: All numeric User ID in the Kerberos Provider