
We have several Linux machines (running various versions of Fedora and CentOS, but that should not be relevant) with local users. Most of those local users have the same login name but might have different UID/GID based on when and by whom they were created. We want to sanitise this state of affairs and settled on FreeIPA.

How can I map the already existing local Linux users to the FreeIPA user?

Just to be extra clear: Given I have a local user called abc on machine ook and a FreeIPA user called abc, and ook is set up as a FreeIPA host with access for abc, when I ssh into ook as abc (via ssh abc@ook) then I am prompted for the password from FreeIPA. Better yet, since I defined a public key for user abc, I should log in without a password provided that I am authenticated and authorised on ook. The ~abc is whatever was present in the local account (before FreeIPA was introduced) and not another account with the same login name but a different UID/GID.

Is this possible?


Clearly, this is related to https://serverfault.com/q/754922/132934.

1 Answer


I don't think there is any magic here: at some time you will have to ensure UID/GID uniqueness and alignment across all servers, including in LDAP. In case alignment is not achieved, you may have unexpected permissions. How to achieve this?

  • collect all UID/GID from all /etc/passwd and /etc/group
  • measure differences and conflicts, if any (including comparison with existing UID/GID in LDAP)
  • define target UID/GID for accounts that are not aligned
  • usermod / groupmod to change UID and GID
  • chmod and chown when needed

Once aligned everywhere, as servers are configured to rely on LDAP (PAM and NSS), local accounts and groups are no longer required and should be removed, IMHO.

Christian
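The first two steps of the answer above (collect the ids from every host, then find the logins whose numeric ids disagree) and the realignment step are easy to get wrong by hand when there are many hosts. The script below is an added example, not code from the answer or from FreeIPA: it works on `/etc/passwd` snapshots copied into one directory as `<host>.passwd`, reports every login whose UID differs between hosts, and prints (without executing) the `groupmod`/`usermod`/`find` commands that would move one account to its target ids, including the `find` sweep for files outside the home directory that `usermod -u` does not re-own. The hostnames `ook` and `eek`, the logins `abc`/`def` and all ids are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Compare /etc/passwd snapshots from several hosts and report UID conflicts,
# then print the commands that would realign one account (dry run only).

# Build constructed sample snapshots: "abc" has UID 1001 on ook but 1003 on
# eek, while "def" is already aligned (1002 everywhere).
make_sample() {
  dir=$(mktemp -d)
  printf 'abc:x:1001:1001::/home/abc:/bin/bash\ndef:x:1002:1002::/home/def:/bin/bash\n' > "$dir/ook.passwd"
  printf 'abc:x:1003:1003::/home/abc:/bin/bash\ndef:x:1002:1002::/home/def:/bin/bash\n' > "$dir/eek.passwd"
  echo "$dir"
}

# Print one line per login whose UID is not identical on every host:
#   <login> <host>:<uid> <host>:<uid> ...
# Logins that agree everywhere are silent, so an empty result means "aligned".
find_uid_conflicts() {
  dir=$1
  for f in "$dir"/*.passwd; do
    host=$(basename "$f" .passwd)
    awk -F: -v h="$host" '{ print $1, h ":" $3 }' "$f"
  done | sort | awk '
    {
      login = $1; pair = $2
      split(pair, arr, ":"); uid = arr[2]
      if (login != prev) {
        # new login: flush the previous one if it had a mismatch
        if (prev != "" && conflict) print prev, seen
        prev = login; seen = pair; first = uid; conflict = 0
      } else {
        seen = seen " " pair
        if (uid != first) conflict = 1
      }
    }
    END { if (prev != "" && conflict) print prev, seen }'
}

# Emit (do not run) the commands that move <login> from old ids to target ids
# on one host. groupmod runs first so the new GID exists for usermod; the
# find sweeps catch files outside the home directory, which usermod -u does
# not re-own. Run only after checking that nothing else already uses new_uid.
plan_realign() {
  login=$1; old_uid=$2; old_gid=$3; new_uid=$4; new_gid=$5
  printf 'groupmod -g %s %s\n' "$new_gid" "$login"
  printf 'usermod -u %s -g %s %s\n' "$new_uid" "$new_gid" "$login"
  printf 'find / -xdev -uid %s -exec chown -h %s {} +\n' "$old_uid" "$new_uid"
  printf 'find / -xdev -gid %s -exec chgrp -h %s {} +\n' "$old_gid" "$new_gid"
}

# Stand-alone demo: list the conflicts in the sample, then the plan that would
# bring abc on eek (1003) to the chosen target 1001.
sample_dir=$(make_sample)
find_uid_conflicts "$sample_dir"
plan_realign abc 1003 1003 1001 1001
rm -rf "$sample_dir"
```

In practice you would feed the real snapshots (for example `scp host:/etc/passwd ./host.passwd` for each host) and run the same comparison a second time on the `/etc/group` files, swapping field `$3` for the GID; the LDAP side of the comparison is the same exercise against an `ldapsearch` dump of `uidNumber`/`gidNumber`.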