ID mapping vs. POSIX attributes in AD

Good Morning,

Chapter 2.5 page 19 of the Red Hat Enterprise Linux 7 Windows Integration Guide says that ID mapping has to be disabled in SSSD, so the POSIX attributes are used from AD rather than creating new settings locally.

Let's take a look at the following use case. An organization chose to integrate their Linux systems into AD like it is described in chapter 2.5 of the mentioned guide. After some time of evaluation this organization would like to change the way of the AD integration and use ID mapping as it is described in chapter 2.4. Let's assume the organization turns automatic ID mapping on in the local SSSD configuration files of all Linux systems. What are the consequences of this change?

In my opinion, now I have a lot of POSIX attributes in AD which are not used anymore. That's ok, I could clean them out later. On all the Linux systems new UIDs/GIDs are created for the users from AD. There should be the same UID/GID for a certain user on every system. But all files and directories would belong to the old UID/GID which was specified as POSIX attribute in AD, right? So there would be a lot of chown to get things straight.

Let's assume the organization has set all file and directory ownership to the new automatically generated IDs. Are they finished with the job? Are there any other tasks they have to take care of?

Are there any other implications I didn't think of? If you know some it would be great if you share them. :-)

Best regards,
Joerg K.
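A worked example of the re-ownership step the post anticipates, added here as illustration; it is not part of the original thread and not code from Red Hat's guide. It assumes a hand-maintained mapping file (hypothetical format: `uid OLD NEW` / `gid OLD NEW`, where OLD is the uidNumber/gidNumber that was stored in AD and NEW is the ID SSSD generates after `ldap_id_mapping = True`), GNU find/chown (`-uid`, `-gid`, `--from`, `-h`), and that the SSSD cache was cleared after the switch (`sss_cache -E`, or removing `/var/lib/sss/db/*`) so that `id <user>` already reports the new values. The expectation in the post that a user gets the same UID on every host only holds while every host runs the same `ldap_idmap_range_*` settings, since the generated ID is derived from the SID and those settings.

```shell
#!/bin/sh
# Hypothetical helper for the migration described above (example code, not
# from the original post or from Red Hat): after SSSD switches from POSIX
# attributes to algorithmic ID mapping, files on disk still carry the old
# uidNumber/gidNumber values from AD and must be re-owned.
#
# Mapping file format (constructed for this example, one entry per line):
#   uid OLD NEW
#   gid OLD NEW
# Lines that are blank or start with '#' are ignored.
#
# Requires GNU find/chown. Nothing is modified unless DRY_RUN=0 is set in
# the environment; the default only prints the planned chown commands.
DRY_RUN="${DRY_RUN:-1}"
export DRY_RUN

# remap_ids MAPPING_FILE ROOT_DIR
# Walks ROOT_DIR without crossing filesystem boundaries (-xdev) and re-owns
# every file or directory whose uid or gid matches an OLD value. Prints one
# line per planned or performed change. Returns 1 on a malformed mapping line.
remap_ids() {
    map_file=$1
    root=$2
    while read -r kind old new; do
        case "$kind" in
            ''|'#'*) continue ;;                                # blank / comment
            uid) test_flag=-uid; from="$old";  to="$new"  ;;    # owner change
            gid) test_flag=-gid; from=":$old"; to=":$new" ;;    # group change
            *) echo "bad mapping line: $kind $old $new" >&2; return 1 ;;
        esac
        # -exec ... {} + batches paths and is safe for names with spaces or
        # newlines. chown --from=OLD only touches entries still owned by OLD,
        # and -h re-owns a symlink itself instead of following it to its
        # target (which may live outside ROOT_DIR).
        find "$root" -xdev "$test_flag" "$old" -exec sh -c '
            from=$1; to=$2; shift 2
            for p; do
                if [ "$DRY_RUN" = 0 ]; then
                    chown -h --from="$from" "$to" -- "$p"
                else
                    printf "would run: chown -h --from=%s %s -- %s\n" "$from" "$to" "$p"
                fi
            done' sh "$from" "$to" {} + 2>/dev/null
    done < "$map_file"
}
```

Run it once in the default dry-run mode per filesystem, review the output, then repeat with `DRY_RUN=0` as root. Re-check setuid/setgid binaries afterwards, because chown can clear those bits, and keep the mapping file: it is the only record tying the old AD-assigned IDs to the generated ones once the POSIX attributes are cleaned out of AD.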

Responses