On Tue, 27 May 2025, Lennart Poettering wrote:
> On Tue, 27.05.25 14:32, Neal Gompa (ngomp...@gmail.com) wrote:
>
>> The usage of the systemd user management suite has been discussed many
>> times over the past several years. Unfortunately, it has been designed
>> in such a way that it is impossible to square with central login
>> services (like AD/IPA/krb5 logins).
>
> systemd-userdbd and systemd-homed are two distinct things. Do not mix
> them up.
>
> samba merged support for the former 3 months ago:
> https://gitlab.com/samba-team/samba/-/merge_requests/2928

We currently do not plan to use that in real deployments, though. There
are a few issues with the userdb API implementation. For example, there is
an assumption that only one responder knows the information about the
account being requested. In real deployments we have to do group membership
merges across multiple nss backends. userdb right now fails to provide a
complete group membership for FreeIPA users, for example. This is not
unique to FreeIPA, though; it would do the same for any non-static
backend in a default configuration.

    abokovoy@emca:~$ egrep '^(passwd|group)' /etc/nsswitch.conf
    passwd: files sss systemd
    group: files [SUCCESS=merge] sss [SUCCESS=merge] systemd
    abokovoy@emca:~$ id abokovoy
    uid=1000(abokovoy) gid=1000(abokovoy)
    groups=1000(abokovoy),1792600075(system-admins),1792600006(smime_users),1792600007(usb-access),
    1792600073(gitrepo),964(plugdev),1792600000(admins),63(audio),1792600084(wheel),1792600077(admin),
    1792600060(ca-kerberos-services-acl-users)
    abokovoy@emca:~$ userdbctl groups-of-user abokovoy
    No memberships.

I promised you to open a bug for systemd upstream and I've been meaning
to provide you an easy reproducer. Haven't done that yet, sorry.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
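
A simplified model of the `[SUCCESS=merge]` group lookup from the nsswitch.conf line quoted in the message, added here as an illustration; it is not part of the original message and is not glibc, sssd or systemd code. The backend tables, user names and function names are constructed for the example, and only the SUCCESS action is modelled.

```python
import re

# Constructed sample data (not taken from the message): group -> members, per NSS source.
BACKENDS = {
    "files": {"wheel": ["root"], "audio": ["alice"]},
    "sss": {"wheel": ["alice"], "admins": ["alice", "bob"]},
    "systemd": {},
}

def parse_group_line(line):
    """Parse an nsswitch.conf 'group:' line into [(source, on_success_action)]."""
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", line.partition(":")[2]):
        if not tok.startswith("["):
            chain.append([tok, "return"])  # default action for SUCCESS
            continue
        if not chain:
            raise ValueError("action list before any source")
        for pair in tok[1:-1].split():
            status, _, action = pair.partition("=")
            if status.upper() == "SUCCESS":
                chain[-1][1] = action.lower()
    return [tuple(entry) for entry in chain]

def members_of(group, chain, backends):
    """Resolve one group along the chain; returns None if no source has it."""
    merged, found = [], False
    for source, on_success in chain:
        entry = backends.get(source, {}).get(group)
        if entry is None:
            continue  # NOTFOUND: default action is to try the next source
        found = True
        merged += [m for m in entry if m not in merged]
        if on_success != "merge":
            break  # SUCCESS=return: stop at this source
    return merged if found else None

def groups_of_user(user, chain, backends):
    """Groups whose resolved member list contains the user."""
    names = sorted({g for source, _ in chain for g in backends.get(source, {})})
    return [g for g in names if user in (members_of(g, chain, backends) or [])]

MERGED = parse_group_line("group: files [SUCCESS=merge] sss [SUCCESS=merge] systemd")
FIRST_WINS = parse_group_line("group: files sss systemd")

if __name__ == "__main__":
    print("merged:    ", groups_of_user("alice", MERGED, BACKENDS))
    print("first wins:", groups_of_user("alice", FIRST_WINS, BACKENDS))
```

In the constructed data, alice is a member of wheel only in the sss table while the files table also defines wheel, so a lookup that accepts the first answer for a group drops that membership and the merged lookup keeps it.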