Conflict between local and domain user - how to solve it?

francisaugusto

Contributor
Joined
Nov 16, 2018
Messages
153
Hi,

I successfully joined my FreeNAS box to my FreeIPA. It works fine, though I wish FreeNAS would help with identifying directory users.
They don't show on the list of users, but do show when selecting users for permissions, etc, but there's nothing that shows them as directory users.

My problem is that I have a directory user `francis` and a local user `francis`. I have two problems:

- Hard to know which user is which when selecting on a drop-down list
- I can't ssh to freenas using a directory user if there's a local user with the same name.

I tried everything there is out there to ssh into the machine, like ssh francis@MY.DOMAIN@freenas.domain, and all its variants.

Any tips on how to solve this?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
- I can't ssh to freenas using a directory user if there's a local user with the same name.

I tried everything there is out there to ssh into the machine, like ssh francis@MY.DOMAIN@freenas.domain, and all its variants.

Any tips on how to solve this?

Delete one of them, obviously.

UNIX does not have any support for "domains" of the Windows directory style, so when you have "francis@MY.DOMAIN", that username in UNIX is "francis."

Windows domains came into being because many years ago the idiots at Microsoft saw e-mail addresses and misunderstood what DNS domains were all about, tried to "make it Microsoft," failed, spectacularly, and created an ongoing problem, especially by reusing the existing terminology for something different. They've done the same thing repeatedly over the years with various technologies; everyone remembers Internet Explorer 6 as one of their more egregious examples, but there's also Silverlight, Outlook, "dot.NET" (which they hilariously pulled out of someone's sphincter in a riff on "dot.COM", apparently without realizing that this was actually an Internet TLD). It isn't clear why they thought that tacking "@MY.DOMAIN" on as a component of a username was a good idea, but I wish nothing but misery upon the jerks who came up with it.

Anyways...

You need to use "ssh freenas.domain -l francis" to connect to your machine ("ssh francis@freenas.domain" is okay too, but makes what is going on less clear, and is internally translated inside SSH to "-l francis").
 

francisaugusto

Delete one of them, obviously.

UNIX does not have any support for "domains" of the Windows directory style, so when you have "francis@MY.DOMAIN", that username in UNIX is "francis."

This is half-true. I can log in normally to my Ubuntu and Fedora installs that joined the domain with ssh francis@my.domain@myhost. The system can differentiate `id francis` from `id francis@my.domain`.

Anyways...

You need to use "ssh freenas.domain -l francis" to connect to your machine ("ssh francis@freenas.domain" is okay too, but makes what is going on less clear, and is internally translated inside SSH to "-l francis").

Doesn't work. Tried many times:

ssh -l francis@mydomain myfreenashost
ssh francis@mydomain@myfreenashost
 

jgreco

This is half-true. I can log in normally to my Ubuntu and Fedora installs that joined the domain with ssh francis@my.domain@myhost. The system can differentiate `id francis` from `id francis@my.domain`.

Dunno.

Doesn't work. Tried many times:

ssh -l francis@mydomain myfreenashost
ssh francis@mydomain@myfreenashost

No, you have to do it without the "@mydomain". As I said, UNIX usernames do not have support for domains like that.
 

francisaugusto

Dunno.

No, you have to do it without the "@mydomain". As I said, UNIX usernames do not have support for domains like that.

When I do as you suggest, the local user is the one being logged in, not the LDAP one.
 

francisaugusto

When I do as you suggest, the local user is the one being logged in, not the LDAP one.

Sorry, I'm not being precise here. Your advice actually works. I can log in with both passwords, from LDAP and local, but the user that actually logs in is the local one. I can see that when I create a file or something like that, it's the local user's attributes that are applied to the file.
 

jgreco

Sorry, I'm not being precise here. Your advice actually works. I can log in with both passwords, from LDAP and local, but the user that actually logs in is the local one. I can see that when I create a file or something like that, it's the local user's attributes that are applied to the file.

Right. Because, now, I'm saying this for the third time, UNIX does not have a concept of a domain portion of a username. It doesn't exist.

Now, I'm basically speculating here as to what specifically is happening, because I don't have your setup, but I do have decades of systems engineering to go on.

I *suspect* that what you're seeing is that PAM will happily let you have both an LDAP and local user of the same name, because the administrator (that's you in this sketch) is supposed to configure things correctly. It's assumed that if you have the same username in two places, there's a good reason for that. If you enter "francis" and "mylocalpassword", PAM will find that in /etc/passwd and let you in. Likewise, when you enter "francis" and "myldappassword", PAM may find that via LDAP and let you in. But these are *the* *same* *user*, because the string "francis" == "francis".

So if you look at /etc/pam.d/sshd, you will probably find that there are entries for both "passwd" and "ldap". As PAM iterates through the specified methods, it will use the first one that matches. So both "francis" logins will work, one granted by "passwd", one granted by "ldap".

However, because the account is "francis", when the system does the inverse and looks up user information (see nsswitch.conf etc), I'm guessing you have something like "passwd: files ldap" in there, which means when the system looks for "francis", it will look first in /etc/passwd and then in LDAP. But since it finds it in /etc/passwd, and files is listed first, that is the match that is used.

Remember, there is no way for it to know that you meant "francis-in-LDAP" because it is looking for the string "francis".

So, again, you need to PICK ONE and DELETE THE OTHER.

This is actually all a bit more complicated behind the scenes, because there is some uid frippery going on too.
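As an added example (not from either poster), the following shell function finds usernames that exist both in a local passwd dump and in a directory passwd dump and reports whether the two UIDs agree, which is exactly the collision described above: the name lookup resolves to the "files" entry first, so files created over ssh carry the local UID even when the directory password was the one accepted. Both passwd-format inputs are constructed samples; on a real box the local side is /etc/passwd and the directory side is whatever list the directory client exports.

```sh
#!/bin/sh
# Constructed sample data: the "files" source (what /etc/passwd would hold)
# and the directory source (what a FreeIPA/LDAP client would return).
LOCAL_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
francis:*:1001:1001:Francis (local):/mnt/tank/home/francis:/bin/sh
backup:*:1002:1002:Backup:/nonexistent:/usr/sbin/nologin'

DIRECTORY_PASSWD='francis:*:1895400001:1895400001:Francis Augusto:/home/francis:/bin/sh
alice:*:1895400002:1895400002:Alice:/home/alice:/bin/sh'

# find_collisions LOCAL DIRECTORY
# Prints one line per username present in both sources, with both UIDs and
# a flag saying whether they match. "uid-mismatch" is the dangerous case:
# with "passwd: files ldap" in nsswitch.conf the local entry shadows the
# directory entry, so ownership and permissions end up on the wrong UID.
find_collisions() {
    printf '%s\n' "$1" | awk -F: -v dir="$2" '
        BEGIN {
            # Index the directory dump by username -> uid.
            n = split(dir, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                if (f[1] != "") duid[f[1]] = f[3]
            }
        }
        # Every local entry whose name also appears in the directory.
        $1 in duid {
            state = ($3 == duid[$1]) ? "same-uid" : "uid-mismatch"
            printf "%s local_uid=%s directory_uid=%s %s\n", $1, $3, duid[$1], state
        }'
}

find_collisions "$LOCAL_PASSWD" "$DIRECTORY_PASSWD"
```

Any "uid-mismatch" line is a user that should be removed from one of the two sources (or given a matching UID everywhere) before the machine is relied on for permissions.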