Sorry; I should have been more explicit in my initial post. I'm basically only concerned with authentication on the client server and minimizing any outage related to that. The system is running services, but they are independent of IPA other than that they're running as users that are defined in IPA. I don't think that the lack of a username/uid mapping will cause a problem for a running process, since the process will already be associated with that uid even if no username exists for it, and the same is true of files, but I am a little concerned about group membership. If a process is accessing files that it has access to via group membership, and it's not the process's current gid, I would have thought that it would lose access to those files. But a little poking around suggests that's not true. (Supplementary groups are in the process descriptor? I didn't realize that.)
Maybe this isn't as big a concern as I thought. Regardless, I guess what I was looking for was basically a way for the IPA membership to be atomically replaced without a gap in name-to-id lookup. I feel like from the client point of view, this would be like joining a new IPA environment, which feels like a thing that could exist. If not, maybe sssd could cache the auth through the gap? Or is it safer to assume that there will be a gap in auth and take the hit of bringing those systems out of active service?

--
William Faulk

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
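The point the poster is reasoning about, that a running process keeps its uid, gid and supplementary gids as numbers in its kernel credentials, so a temporary gap in name-to-id resolution (for example while sssd cannot reach IPA) does not change what files it can open, can be checked directly. The following is an added example, not code from the thread or from FreeIPA/sssd; the function names are hypothetical and the sample gid list in the test is constructed. It reads the process's supplementary groups with getgroups(), decides membership purely numerically (the same comparison the kernel makes against a file's group bits), and separately counts how many of those gids NSS can no longer map to a name, which is the only thing a lookup gap affects for an already-running process.

```c
/* Added example: a process's identity and supplementary groups live in the
   kernel as numeric ids; name resolution is a separate, optional step.
   Helper names below are hypothetical, chosen for this illustration. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Pure check on an explicit list: 1 if gid appears in list[0..n), else 0. */
int gid_in_list(const gid_t *list, int n, gid_t gid) {
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* Copy this process's supplementary gids into a malloc'd array.
   Returns the count, or -1 on error; the caller frees *out. */
int load_supplementary_gids(gid_t **out) {
    int n = getgroups(0, NULL);               /* size query only */
    if (n < 0) return -1;
    gid_t *list = calloc(n > 0 ? (size_t)n : 1, sizeof(gid_t));
    if (!list) return -1;
    if (n > 0 && getgroups(n, list) < 0) { free(list); return -1; }
    *out = list;
    return n;
}

/* 1 if gid is the effective gid or a supplementary gid of this process.
   No name lookup is performed: this mirrors the numeric comparison the
   kernel makes when it checks the group bits of a file's mode. */
int process_holds_gid(gid_t gid) {
    if (getegid() == gid) return 1;
    gid_t *list = NULL;
    int n = load_supplementary_gids(&list);
    int held = (n > 0) && gid_in_list(list, n, gid);
    free(list);
    return held;
}

/* Count the gids in list that NSS (e.g. sssd backed by IPA) cannot map to
   a group name right now.  A non-zero count does not change any kernel
   access decision; it only affects tools such as ls or id that print names. */
int count_unresolvable_gids(const gid_t *list, int n) {
    int unresolved = 0;
    for (int i = 0; i < n; i++)
        if (getgrgid(list[i]) == NULL) unresolved++;
    return unresolved;
}

/* Stand-alone run: print the numeric ids next to whatever names resolve. */
int main(void) {
    uid_t uid = getuid();
    struct passwd *pw = getpwuid(uid);
    printf("uid %u -> %s\n", (unsigned)uid, pw ? pw->pw_name : "(no name resolves)");

    gid_t *list = NULL;
    int n = load_supplementary_gids(&list);
    if (n < 0) { perror("getgroups"); return 1; }
    for (int i = 0; i < n; i++) {
        struct group *g = getgrgid(list[i]);
        printf("supplementary gid %u -> %s\n",
               (unsigned)list[i], g ? g->gr_name : "(no name resolves)");
    }
    printf("%d of %d supplementary gids have no name; access through them is unaffected\n",
           count_unresolvable_gids(list, n), n);
    free(list);
    return 0;
}
```

Running it as a user whose groups come from IPA, once with sssd able to reach the server and once with lookups failing, shows the same numeric gid list both times and only the name column changing. Note that this covers processes already running and files already open or checked by gid; a new login, a new `su`, or anything that must resolve a name to an id (sudo rules, a service that calls getpwnam at start) is still exposed to the gap, which is the part sssd's cache or a maintenance window has to cover.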