On Mo, 07.10.24 20:42, Chris Murphy (lists@xxxxxxxxxxxxxxxxx) wrote: > > You should be able to combine the three sources of users freely > > without problems – if you like. But these three sources of user > > definitions should be on similar footing, and not try to abstract each > > other. > > > > Hence: if you have some user in ldap/ipa, and another in homed, that's > > entirely fine, they should not affect each other. > > Supporting local encrypted user data with centralized authentication > methods is desired. Why implement this outside of systemd-homed > rather than within it? The former seems like a duplicated effort. Well, for starters, there's quite a philosophical gap between how I personally (and homed being my design, this kinda is built into the thing) think home dirs should be managed, and how the IPA/AD/SSSD worlds do it. For example, I am fundamentally opposed to the model these systems generally pursue of turning UID numbers into centrally, organization-wide managed concepts. I am pretty sure they should remain locally managed artifacts of a binding of a user record to the local system. One of the reason homed exists is to break with the concept of trying to manage UIDs organization-wise. And there's a lot more, for example it's fundamental to homed that access to home dirs is unavailable unless the user is logged in, and authentication keys for the data itself are provided. That breaks with fundamental assumptions baked into much UNIX software, which however is stuff the classic centralized enterprise world really cares about. So yes, from a distanced view you might think: both ipa and homed manage home dirs, so why not make that one. But conceptually, philosophically the two things are *so* different I really don't think one should attempt to make them one thing. Note that in systemd's infrastructure we have three components for managing users/sessions: 1. systemd-logind → manages logged in user sessions and related stuff 2. systemd-userdbd → manages JSON users/group records, going far beyond "struct passwd" and friends 3. systemd-homed → manages encrypted local home dirs These three things are separate on purpose. They integrate closely if used together, i.e. systemd-homed provides user records to systemd-userdbd, and systemd-logind reads them from systemd-userdbd, so that homed can set various things such as security and resource control settings that logind then enforces. But the interfaces between the three are open and documented, hence if sssd wants it can very well plug into systemd-userdbd the same way as systemd-homed does, and then take benefit of systemd-logind resource logic too. So far there's was literal interest in that though. But yeah, would be great if sssd/ipa world would integrate with systemd-logind/systemd-userdbd and all that stuff more tightly, but that should be on equal footing with systemd-homed, and not inside of systemd-homed or so. Lennart -- Lennart Poettering, Berlin -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue