ID views are a new feature of FreeIPA 4 that lets you present a user or group under a different UID/GID (and, if needed, a different name, home directory or shell) on selected hosts. This is a very handy solution when migrating legacy servers.
There are legacy servers in the field with a lot of history. They have been migrated from one operating system to another over the last decade or two. Unfortunately it is also not uncommon to find software on such servers with hardcoded UIDs/GIDs and/or user and group names. Together with an unknown number of scripts installed on them, this makes migrating users and authentication on such systems a constant problem. Another issue is that in the early years regular users commonly started at UID 500, whereas today they start at UID 1000.
Unfortunately, almost nobody has the time to clean up the mess. Here is a solution: ID views. An ID view can be applied to a single host or to a group of hosts.
At the moment ID views only work with newer SSSD versions, such as the one shipped with RHEL 7.1.
Creating a view
[root@ipa1 ~]# ipa idview-add --desc "Old servers with legacy users" oldservers
--------------------------
Added ID View "oldservers"
--------------------------
  ID View Name: oldservers
  Description: Old servers with legacy users
[root@ipa1 ~]#
Override a group
[root@ipa1 ~]# ipa idoverridegroup-add --desc "Old group" --gid=500 --group-name=users oldservers users
-------------------------------
Added Group ID override "users"
-------------------------------
  Anchor to override: users
  Description: Old group
  Group name: users
  GID: 500
[root@ipa1 ~]#
Override a user
If you omit the --login parameter (or any other one), the value in question is not overridden. Usually you just override the numeric UID and/or GID.
[root@ipa1 ~]# ipa idoverrideuser-add --desc="John Doe is actually Hans Tester" --login=jdoe --uid=500 --gidnumber=500 --homedir=/home/jdoe --shell=/bin/csh oldservers tester
-------------------------------
Added User ID override "tester"
-------------------------------
  Anchor to override: tester
  Description: John Doe is actually Hans Tester
  User login: jdoe
  UID: 500
  GID: 500
  Home directory: /home/jdoe
  Login shell: /bin/csh
[root@ipa1 ~]#
Apply the ID-View to a server
[root@ipa1 ~]# ipa idview-apply --hosts=legacy.example.com oldservers
----------------------------
Applied ID View "oldservers"
----------------------------
hosts: legacy.example.com
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------
[root@ipa1 ~]#
To activate the view on the client side, clear the SSSD cache and restart the sssd service. Log in to legacy.example.com:
[root@legacy ~]# sss_cache -E
[root@legacy ~]# systemctl restart sssd
You also need to change the PAM configuration to accept logins with a UID below 1000. On a RHEL 7 client the authconfig-generated /etc/pam.d/system-auth and password-auth contain the line "auth requisite pam_succeed_if.so uid >= 1000 quiet_success" in front of pam_sss.so, so overridden users with UID 500 are rejected before SSSD is even asked; lower that limit (for example to 500) on the legacy host.
Now do some tests. On legacy.example.com both names, "jdoe" and "tester", resolve to UID 500; looking up the original name "tester" returns the overridden entry, because it is the same IPA user shown through the view:
[root@legacy ~]# getent passwd jdoe
jdoe:*:500:500:Hans Tester:/home/jdoe:/bin/csh
[root@legacy ~]# getent passwd tester
jdoe:*:500:500:Hans Tester:/home/jdoe:/bin/csh
[root@legacy ~]#
On other servers the "jdoe" login is unknown, and "tester" has the normal UID assigned by IPA:
[root@ipa1 ~]# getent passwd jdoe
[root@ipa1 ~]# echo $?
2
[root@ipa1 ~]# getent passwd tester
tester:*:1225800004:1225800004:Hans Tester:/home/tester:/bin/bash
[root@ipa1 ~]#
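One check worth doing before applying a view like this: a legacy host that still has local accounts from the UID-500 era may already own the UID or GID the override hands out, and the kernel cannot tell two accounts with the same numeric ID apart for file ownership and permission checks. The script below is an added example (not part of the original post or of FreeIPA) that compares a view's overrides against a host's /etc/passwd and /etc/group. The local account files and the "legacyapp" and "backup" accounts in them are constructed for the demo; the override pairs mirror the ones created above.

```shell
#!/bin/bash
# Added example, not from the original post: check an ID view's user and group
# overrides against a legacy host's local account files for UID/GID and name
# collisions before the view is applied.
#
# All input is constructed for the demo. In practice you would feed in the target
# host's /etc/passwd and /etc/group and the view's overrides as name:id pairs.

# Constructed /etc/passwd and /etc/group of a hypothetical legacy host
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
legacyapp:x:500:500:Legacy app:/opt/app:/sbin/nologin
backup:x:501:501:Backup:/var/backup:/bin/sh'

LOCAL_GROUP='root:x:0:
users:x:100:
legacyapp:x:500:'

# Overrides of the "oldservers" view from the post, as name:id pairs
VIEW_USERS='jdoe:500'
VIEW_GROUPS='users:500'

# check_overrides LOCAL_FILE_CONTENT OVERRIDES KIND
# Prints one line per collision; returns 1 if any was found, 0 otherwise.
check_overrides() {
    local content="$1" overrides="$2" kind="$3" rc=0
    local name id lname junk lid rest
    while IFS=: read -r name id; do
        [ -z "$name" ] && continue
        while IFS=: read -r lname junk lid rest; do
            [ -z "$lname" ] && continue
            if [ "$lid" = "$id" ] && [ "$lname" != "$name" ]; then
                # same numeric id, different name: indistinguishable to the kernel
                printf '%s %s: id %s is already used by local %s %s\n' \
                    "$kind" "$name" "$id" "$kind" "$lname"
                rc=1
            elif [ "$lname" = "$name" ] && [ "$lid" != "$id" ]; then
                # same name, different id: files owned by the local account keep lid
                printf '%s %s: local entry has id %s, override sets %s\n' \
                    "$kind" "$name" "$lid" "$id"
                rc=1
            fi
        done <<EOF
$content
EOF
    done <<EOF
$overrides
EOF
    return "$rc"
}

# Usage: a non-zero result means the view should not be applied to this host as is.
check_overrides "$LOCAL_PASSWD" "$VIEW_USERS" user || echo "user overrides collide"
check_overrides "$LOCAL_GROUP" "$VIEW_GROUPS" group || echo "group overrides collide"
```

With the constructed input the user check reports that UID 500 is already taken by the local "legacyapp" account, and the group check reports both that the local "users" group has GID 100 rather than 500 and that GID 500 belongs to the local "legacyapp" group. Either finding means the legacy files need to be re-owned (or the override numbers changed) before the view goes live.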
Please keep in mind that not cleaning up a messy system is just a workaround 🙂