[Freeipa-users] user account without password
Nordgren, Bryce L -FS
bnordgren at fs.fed.us
Fri Apr 10 15:27:22 UTC 2015
> Also, if such account will also exist locally (my case), it will not be controlled
> by HBAC rules - it can be a some kind of security trap...
Pretty sure accounts should be either local or domain-wide, but not both. Could lead to strange and unforeseen side effects. Last I checked, only local accounts can run services. It may be advantageous to allow local accounts (which can run services) to have a representation in the domain, but the local accounts need to be scoped to the local machine (e.g., "apache" on server 1 is different than "apache" on server 2). At least that way, they could belong to the same groups domain accounts belong to. SSO certainly shouldn't work. Any access to shared storage should distinguish between same-named accounts on different machines.
Alternatively, allowing domain accounts to run certain services also has some merit. (assuming the user has permissions to do so.)
Just thinking into email.
Bryce
More information about the Freeipa-users
mailing list