SCIENTIFIC-LINUX-USERS Archives

August 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Stephan Wiesand <[log in to unmask]>
Reply To: Stephan Wiesand <[log in to unmask]>
Date: Tue, 18 Aug 2015 19:45:15 +0200

Hi Alec,

On Aug 18, 2015, at 19:02 , Alec T. Habig wrote:

> Hi folks,
> 
> I want to add some new machines, running 7.1, into an ldap managed
> cluster consisting of 6.x machines.  7 wants system accounts numbered
> under 1000, 6 was happy with under 500.  Many users and countless files
> over a number of machines have uids between 500 and 1000: a global
> migration to the new scheme would be A Lot Of Work.  This fedora
> features proposal page:
> 
>  https://fedoraproject.org/wiki/Features/1000SystemAccounts
> 
> suggests dropping in a tweaked /etc/login.defs file in kickstart's %pre
> section for people in my situation.
> 
> Unfortunately, the filesystem doesn't exist yet in %pre, so that's too
> early to pull in a tweaked file.  In %post, all the system accounts are
> already made and many config files have pulled the UID min and max
> values from the default login.defs file already, so that's too late.

Ah, the kids struck again. Reminds me of "let's change the output of 'uname -r' to allow a single user requesting it to share the /boot partition of his laptop between 32-/64-bit Fedora installations".

> Only way forward seems to be build my own shadow-utils rpm with the
> tweaked UID ranges, then build my own install image with this
> replacement rpm.  Given that the above URL, which was the official point
> of discussion when the feature was introduced, suggests something that's
> not actually possible - something which surely has bitten every other
> site moving from 6->7 - is this really the best way to do it?

This bit us much earlier... we actually remap system accounts clashing with ours during installation and change user/group ownership of affected files.

> I'm hoping that in my kickstart ignorance there's some intermediate
> stage between %pre and %post, where the official suggestion actually
> works!

How about an rpm triggering on "filesystem" and bringing that file into existence? Something like

%triggerin -- filesystem

install -m 0644 /usr/share/%{name}/login.defs.nokids /etc/login.defs

The problem is that you need to make sure this gets installed before any package creating a problematic account.

	Stephan

-- 
Stephan Wiesand
DESY -DV-
Platanenenallee 6
15738 Zeuthen, Germany
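
An added example, not part of the original message or of any project's code: a post-install check for the clash discussed in this thread, listing local accounts whose UID falls inside the site's LDAP user range and flagging a login.defs that still has a different UID_MIN. The function names are hypothetical, 500 is the EL6-era user minimum from the thread, 999 is assumed as the top of the EL7 system range, and the sample passwd and login.defs contents are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find local accounts whose UID falls in
# the site's LDAP user range after an EL7 install with default login.defs.

# Print the last value set for KEY (e.g. UID_MIN) in a login.defs-style file.
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# Print "name:uid" for passwd-format FILE entries with LOW <= uid <= HIGH.
uid_clashes() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo && $3 + 0 <= hi { print $1 ":" $3 }' "$1"
}

# audit_uid_range PASSWD LOGIN_DEFS SITE_UID_MIN
# Returns 1 if UID_MIN differs from the site's value or a local account sits
# in [SITE_UID_MIN, 999], the span EL7 treats as system and EL6 as user.
audit_uid_range() {
    rc=0
    uid_min=$(login_defs_value "$2" UID_MIN)
    if [ "${uid_min:-unset}" != "$3" ]; then
        echo "UID_MIN is ${uid_min:-unset} in $2, site expects $3"
        rc=1
    fi
    clashes=$(uid_clashes "$1" "$3" 999)
    if [ -n "$clashes" ]; then
        echo "local accounts inside the LDAP user range:"
        echo "$clashes"
        rc=1
    fi
    return $rc
}

# Constructed sample input: a fresh EL7-style passwd and the stock UID_MIN.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:sshd:/var/empty/sshd:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
EOF
printf 'UID_MIN 1000\nSYS_UID_MAX 999\n' > "$SAMPLE_DIR/login.defs"

audit_uid_range "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/login.defs" 500 ||
    echo "audit failed: remap these accounts or fix login.defs before they are created"
```

On a real host the same call would take /etc/passwd and /etc/login.defs, for instance at the end of kickstart %post, so that a clash is caught before LDAP users log in.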
