On Fr, 04.10.24 13:20, Neal Gompa (ngompa13@xxxxxxxxx) wrote: > On Fri, Oct 4, 2024 at 11:36 AM Zbigniew Jędrzejewski-Szmek > <zbyszek@xxxxxxxxx> wrote: > > > > On Fri, Oct 04, 2024 at 11:20:48AM -0400, Neal Gompa wrote: > > > When this was first explored a few years ago, the main problem that > > > came up was that homed is functionally incompatible with centralized > > > login systems (SSSD to FreeIPA/AD, OIDC, etc.). If this has changed, > > > then it would make sense to revisit. > > > > homed is about self-contained definitions of users. So obviously > > those users cannot be defined centrally… I think it's compatible in > > the sense that both kinds of users can be used on the same machine. > > Is there some more specific problem? > > > > It's fairly normal these days that the users are self-contained and > otherwise local, *except* for login credentials. This use-case is > important to support because this is pretty much how business laptops > need to work. > > In the long past, the dichotomy was clearer: you either had local > users with local storage, or centrally managed users with remote > storage. But nowadays it's always local storage, just with either > local authentication or remote authentication. This also includes > being able to cache remote authentication records (e.g. SSSD) for > brief offline periods for logging in anyway. > > So from my point of view, homed *should not* be incompatible with this > use-case, even though it currently is. homed is something different than sssd stuff, it's just local user management, with some nice properties. It is not in the business of centralized, enterprise user management, and that's entirely fine. glibc NSS defines a somewhat OK'ish abstraction over homed and sssd so that most apps don#t really have to care where a user comes from, from the network (i.e. sssd) or from a locally managed thing (i.e. homed). Lennart -- Lennart Poettering, Berlin -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue