How should I handle local system accounts in an IPA?


el_pedr0

Member
Sep 6, 2016
Looking for best practice recommendations about how to handle system accounts in a predominantly linux-based IPA environment.

A common example: A particular machine in my network is running a service as a system account that is local to that machine. Let's say its unix name and group is 'mysysacc:mysysacc'. As it goes about its business, that system account creates various files and directories with ownership mysysacc:mysysacc.

I want those directories and files to be accessible by other real users in my network. In life before IPA, I used to add those real users to the mysysacc group so that they can access the files via the group ownership.

But now that I rock an IPA, my real users are handled by the central IPA. Yet the central IPA is not aware of the local system account and group. Therefore, within the IPA, I can't associate my real users to the mysysacc group. Therefore, at the moment my real users can't access the files and directories until I either chmod to set the 'Others' bit to allow access to anyone, or I chown them to change their group to one that is managed by the IPA. That's a bit of a pain. Furthermore, when I interrogate those directories and files from my other machines on the network using 'ls', they of course just see the uid and gid and not the actual names - which can be unhelpful.

I'm currently stuck trying to find a way of configuring the IPA server so that it is at least aware of the local system group and can add users to the group. Also, it would be great if all the machines in the network would be able to resolve the uid and gid of the local system account so that they can see the actual user and group names when doing an 'ls'. But perhaps I'm barking up the wrong tree. I'd be grateful for any pointers.
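One practical approach to the situation described in the post, as an added example that is not part of the original post or any reply: keep the host-local account exactly as it is, and create a group (and optionally a user) in IPA with the same numeric gid/uid. Every enrolled host then resolves the names through SSSD, and IPA-managed users can be made members of the group so they pick it up via group ownership. The script reads the numeric IDs from the local passwd/group files and emits the ipa commands; the account name mysysacc, host host1.example.test and user alice are assumed for illustration, the embedded passwd/group lines are constructed sample data, and running the emitted commands assumes the ipa CLI plus an admin Kerberos ticket.

```shell
#!/bin/sh
# Added example (not from the original post). Mirrors a host-local system
# account and group into IPA under the SAME numeric uid/gid so that all
# enrolled hosts resolve the names and IPA users can be added to the group.
# Assumed: account name mysysacc, user alice, host host1.example.test.
set -eu

# Constructed sample passwd/group data used by the demo and the checks.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mysysacc:x:994:991:My service:/var/lib/mysysacc:/sbin/nologin'
SAMPLE_GROUP='mysysacc:x:991:
wheel:x:10:alice'

# Numeric ID (field 3) of NAME from passwd/group-format lines on stdin.
# Prints nothing if NAME is absent.
id_of() {
  awk -F: -v name="$1" '$1 == name { print $3; exit }'
}

# True only when both IDs were found and are purely numeric.
ids_ok() {
  case "$1:$2" in
    *[!0-9:]*|:*|*:) return 1 ;;
    *) return 0 ;;
  esac
}

# Commands that recreate the local identity in IPA, one per line.
# The group is created first; user-add then uses --noprivate so IPA does
# not try to create a user private group that collides with it.
plan_ipa_commands() {
  name=$1 uid=$2 gid=$3 host=$4
  printf 'ipa group-add %s --gid=%s --desc="system group mirrored from %s"\n' \
    "$name" "$gid" "$host"
  printf 'ipa user-add %s --uid=%s --gidnumber=%s --noprivate --first=System --last=Account --shell=/sbin/nologin\n' \
    "$name" "$uid" "$gid"
}

# Command that grants an IPA user access through group ownership.
plan_group_member() {
  printf 'ipa group-add-member %s --users=%s\n' "$1" "$2"
}

# Build the plan from the real files on the host the service runs on.
main() {
  uid=$(id_of mysysacc < /etc/passwd)
  gid=$(id_of mysysacc < /etc/group)
  ids_ok "$uid" "$gid" || { echo "mysysacc not found in local passwd/group" >&2; exit 1; }
  plan_ipa_commands mysysacc "$uid" "$gid" "$(hostname -f)"
  plan_group_member mysysacc alice
}

# Same plan built from the constructed sample data (runs offline).
demo() {
  uid=$(printf '%s\n' "$SAMPLE_PASSWD" | id_of mysysacc)
  gid=$(printf '%s\n' "$SAMPLE_GROUP" | id_of mysysacc)
  ids_ok "$uid" "$gid" || return 1
  plan_ipa_commands mysysacc "$uid" "$gid" host1.example.test
  plan_group_member mysysacc alice
}

# Run the real plan only when executed directly as mirror_sysacc.sh.
case "${0##*/}" in mirror_sysacc.sh) main "$@" ;; esac
```

Review the printed commands before running them. Afterwards check `getent group mysysacc` on another client (the name should now resolve) and `id alice` on the service host: with `group: files sss` in nsswitch.conf the local /etc/group entry still wins for the name lookup there, but alice's IPA membership is merged into her supplementary groups, so she gets gid 991 and can read the files; `sss_cache -G mysysacc` clears a stale cache. Two caveats: keep the local gid unchanged (or existing files keep pointing at the old number), and make sure the numbers sit above SSSD's `min_id` and inside an IPA ID range (`ipa idrange-find`), since clients will not return entries outside the ranges they know about.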