We have some users mapped to the same UID and GID as local accounts on systems and the account names match too. Don’t want to lose any customisation users may have in their profiles since they are developers but I don’t want the users to continue logging in with their local accounts. What is the best way to force the use of the FreeIPA accounts? What will happen if I comment out or remove the user entries from the passwd, shadow and group files?
User types a name. System needs info about the name. Where does it look?
Perhaps from /etc/nsswitch.conf, that could have:
# In order of likelihood of use to accelerate lookup.
passwd: sss files systemd
shadow: files
group: sss files systemd
In this case the question goes to sssd first and to /etc/passwd only for names unknown to sssd.
I said “perhaps”, as the PAM config is somewhere in the mix too.
Anyway, the sssd config could be set to look from local files too, in order to cache file access.
You know better whether FreeIPA sets that up.
You said that for these accounts getent passwd $username and id $username do return the same data from local files and from FreeIPA (and the same password). User’s profile – config stored in files – is in the home directory that is the same for “both” accounts.
Even if you remove the entries from local “database”, you should still get the same data from FreeIPA. (You can re-create local accounts, if necessary.)
I have encountered one case, where things matter: system is in FreeIPA/whatever and that domain has account “apache”. When package “httpd” is later installed, it sees that account “apache” exists and is happy. Now boot. The httpd.service starts … and fails. Why? There is no account apache. Yet. The httpd.service happens to start before sssd.service and thus before the “domain account” is usable.
That should not be an issue for human users.
Just delete the local user, the freeipa user will then also become a local user, at least this is what will happen with winbind on Samba. The only proviso would be if the local user is also a system user, in which case it should never be in freeipa.
My nsswitch.conf file currently looks like this.
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd sss
group: files systemd sss
shadow: files sss
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
automount: sss
Should this order change to the following to use FreeIPA authentication first?
passwd: sss systemd files
group: sss systemd files
shadow: sss files
gshadow: files
As long as the IDs match in FreeIPA and on the file permissions/ownership, you should be able to remove the local account and sssd should pick up the account and treat it normally. As @hortimech suggested, it will become essentially the “local user” when you do this. You don’t have to modify nsswitch.conf to do it.
Well that will make the freeipa users be used before any local users, but as I said, you do not need the local users at all if they are in freeipa, sssd will make the freeipa users into local users. You also do not need the ‘sss’ on the shadow line, sssd does not read ‘shadow’. The sssd program is very heavily based on winbind (not surprising, they were both mostly written by the same person), so you really shouldn’t have the same user names in /etc/passwd and freeipa, even if they have the same IDs.
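The replies above hinge on one precondition: the UID, GID and home directory in /etc/passwd must match what sssd returns for the same name, otherwise removing the local entry changes file ownership and loses the profile. The script below is an added example, not code from anyone in this thread. It compares the two sources field by field and only says “ok” when uid, gid and home agree. The top-level run uses constructed sample lines (hypothetical users greg and dev2); the check_user_live function shows the same comparison against a real system, using getent’s -s option to query the files and sss NSS sources separately.

```shell
#!/bin/sh
# Added example: compare the local /etc/passwd entry with the entry sssd/FreeIPA
# returns for the same user, before the local entry is removed.
# The sample data at the bottom is constructed; check_user_live is not run here.

# passwd_field LINE N: print field N of a colon-separated passwd line.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# compare_passwd_entries LOCAL_LINE SSS_LINE
# Prints "ok" when uid (field 3), gid (field 4) and home (field 6) all match,
# otherwise "mismatch:" followed by the differing field names. Returns 0 on
# match, 1 on mismatch. Password and shell fields are deliberately ignored:
# the local 'x' and the sssd '*' differ by design.
compare_passwd_entries() {
    local_line=$1
    sss_line=$2
    diffs=""
    for spec in "uid:3" "gid:4" "home:6"; do
        name=${spec%%:*}
        n=${spec##*:}
        if [ "$(passwd_field "$local_line" "$n")" != "$(passwd_field "$sss_line" "$n")" ]; then
            diffs="$diffs $name"
        fi
    done
    if [ -z "$diffs" ]; then
        echo ok
        return 0
    fi
    echo "mismatch:$diffs"
    return 1
}

# check_user_live USER: ask the 'files' and 'sss' NSS sources separately
# (getent -s selects the source, independent of nsswitch.conf order) and
# compare them. Returns 2 if there is no local entry, 3 if sssd knows nothing
# about the name, else the result of compare_passwd_entries.
check_user_live() {
    local_line=$(getent -s files passwd "$1") || { echo "no local entry for $1"; return 2; }
    sss_line=$(getent -s sss passwd "$1") || { echo "no sssd entry for $1"; return 3; }
    compare_passwd_entries "$local_line" "$sss_line"
}

# Constructed sample data (hypothetical users; not from any real system).
LOCAL_GREG='greg:x:1001:1001:Greg:/home/greg:/bin/bash'
IPA_GREG='greg:*:1001:1001:Greg:/home/greg:/bin/bash'
LOCAL_DEV2='dev2:x:1002:1002:Dev Two:/home/dev2:/bin/bash'
IPA_DEV2='dev2:*:1501:1501:Dev Two:/home/dev2:/bin/bash'

compare_passwd_entries "$LOCAL_GREG" "$IPA_GREG"      # ok
compare_passwd_entries "$LOCAL_DEV2" "$IPA_DEV2" \
    || echo "do not remove the local dev2 entry until the IDs agree"   # mismatch: uid gid
```

On a real host the call would be `check_user_live greg`; only when it prints “ok” is it safe to delete the local account, and then with `userdel` without `-r`, so the home directory and its dotfiles stay in place for the sssd-provided account with the same UID. Running it over every name that appears in both sources turns the “as long as the IDs match” condition from the replies into something you can verify before touching /etc/passwd.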
Thank you so much for the clarification everyone! I appreciate the help.
Best regards,
Greg