Re: strawman proposal: homed directories for users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mo, 07.10.24 20:42, Chris Murphy (lists@xxxxxxxxxxxxxxxxx) wrote:

> > You should be able to combine the three sources of users freely
> > without problems – if you like. But these three sources of user
> > definitions should be on similar footing, and not try to abstract each
> > other.
> >
> > Hence: if you have some user in ldap/ipa, and another in homed, that's
> > entirely fine, they should not affect each other.
>
> Supporting local encrypted user data with centralized authentication
> methods is desired. Why implement this outside of systemd-homed
> rather than within it? The former seems like a duplicated effort.

Well, for starters, there's quite a philosophical gap between how I
personally (and homed being my design, this kinda is built into the
thing) think home dirs should be managed, and how the IPA/AD/SSSD
worlds do it. For example, I am fundamentally opposed to the model
these systems generally pursue of turning UID numbers into centrally,
organization-wide managed concepts. I am pretty sure they should
remain locally managed artifacts of a binding of a user record to the
local system. One of the reason homed exists is to break with the
concept of trying to manage UIDs organization-wise. And there's a lot
more, for example it's fundamental to homed that access to home dirs
is unavailable unless the user is logged in, and authentication keys
for the data itself are provided. That breaks with fundamental
assumptions baked into much UNIX software, which however is stuff the
classic centralized enterprise world really cares about.

So yes, from a distanced view you might think: both ipa and homed
manage home dirs, so why not make that one. But conceptually,
philosophically the two things are *so* different I really don't think
one should attempt to make them one thing.

Note that in systemd's infrastructure we have three components for
managing users/sessions:

1. systemd-logind  → manages logged in user sessions and related stuff
2. systemd-userdbd → manages JSON users/group records, going far beyond "struct passwd" and friends
3. systemd-homed   → manages encrypted local home dirs

These three things are separate on purpose. They integrate closely if
used together, i.e. systemd-homed provides user records to
systemd-userdbd, and systemd-logind reads them from systemd-userdbd,
so that homed can set various things such as security and resource
control settings that logind then enforces. But the interfaces between
the three are open and documented, hence if sssd wants it can very
well plug into systemd-userdbd the same way as systemd-homed does, and
then take benefit of systemd-logind resource logic too.

So far there's was literal interest in that though.

But yeah, would be great if sssd/ipa world would integrate with
systemd-logind/systemd-userdbd and all that stuff more tightly, but
that should be on equal footing with systemd-homed, and not inside of
systemd-homed or so.

Lennart

--
Lennart Poettering, Berlin
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux