Hi Alec,

On Aug 18, 2015, at 19:02, Alec T. Habig wrote:
> Hi folks,
>
> I want to add some new machines, running 7.1, into an ldap managed
> cluster consisting of 6.x machines. 7 wants system accounts numbered
> under 1000, 6 was happy with under 500. Many users and countless files
> over a number of machines have uids between 500 and 1000: a global
> migration to the new scheme would be A Lot Of Work. This fedora
> features proposal page:
>
> https://fedoraproject.org/wiki/Features/1000SystemAccounts
>
> suggests dropping in a tweaked /etc/login.defs file in kickstart's %pre
> section for people in my situation.
>
> Unfortunately, the filesystem doesn't exist yet in %pre, so that's too
> early to pull in a tweaked file. In %post, all the system accounts are
> already made and many config files have pulled the UID min and max
> values from the default login.defs file already, so that's too late.

Ah, the kids struck again. Reminds me of "let's change the output of 'uname -r' to allow a single user requesting it to share the /boot partition of his laptop between 32-/64-bit Fedora installations".

> Only way forward seems to be build my own shadow-utils rpm with the
> tweaked UID ranges, then build my own install image with this
> replacement rpm. Given that the above URL, which was the official point
> of discussion when the feature was introduced, suggests something that's
> not actually possible - something which surely has bitten every other
> site moving from 6->7 - is this really the best way to do it?

This bit us much earlier... we actually remap system accounts clashing with ours during installation and change user/group ownership of affected files.

> I'm hoping that in my kickstart ignorance there's some intermediate
> stage between %pre and %post, where the official suggestion actually
> works!

How about an rpm triggering on "filesystem" and bringing that file into existence? Something like

    %triggerin -- filesystem
    install -m 0644 /usr/share/%{name}/login.defs.nokids /etc/login.defs

The problem is that you need to make sure this gets installed before any package creating a problematic account.

Stephan
--
Stephan Wiesand
DESY -DV-
Platanenenallee 6
15738 Zeuthen, Germany
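
An added example, not part of the original message: a check that could run at the end of %post to confirm the replacement login.defs landed before any package created an account in the range the LDAP users occupy. It assumes that range is UIDs 500-999 and that the wanted UID_MIN is 500; the function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the site's LDAP users occupy
# UIDs 500-999, as described in the original question.

# uid_clashes PASSWD_FILE [LOW] [HIGH]
# Prints "name uid" for each local entry with LOW <= uid <= HIGH.
uid_clashes() {
    awk -F: -v lo="${2:-500}" -v hi="${3:-999}" '
        /^[#+-]/ || NF < 3 { next }   # comments, NIS compat lines, junk
        $3 ~ /^[0-9]+$/ && $3 + 0 >= lo && $3 + 0 <= hi { print $1, $3 }
    ' "$1"
}

# login_defs_value FILE KEY
# Prints the value of the last uncommented KEY line, or nothing if unset.
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# check_host PASSWD_FILE LOGIN_DEFS_FILE
# Returns 0 when UID_MIN is 500 and no local account sits in 500-999.
check_host() {
    rc=0
    min=$(login_defs_value "$2" UID_MIN)
    if [ "$min" != "500" ]; then
        echo "UID_MIN is ${min:-unset}, expected 500"
        rc=1
    fi
    clashes=$(uid_clashes "$1")
    if [ -n "$clashes" ]; then
        echo "local accounts inside the LDAP range 500-999:"
        echo "$clashes"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: a host where accounts were created with the 7 defaults.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'polkitd:x:999:998::/:/sbin/nologin' \
        'chrony:x:998:996::/var/lib/chrony:/sbin/nologin' > "$d/passwd"
    printf '%s\n' '# constructed' 'UID_MIN 1000' 'SYS_UID_MAX 999' > "$d/login.defs"
    check_host "$d/passwd" "$d/login.defs"; st=$?
    rm -rf "$d"
    return "$st"
}
```

On an installed machine the call would be `check_host /etc/passwd /etc/login.defs`; a non-zero return means an account needs remapping and the files it owns need their ownership changed.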