Re: [389-users] UID Number Limitations

On 11/24/11 23:25, Tom Tucker wrote:
>
> My environment has a mixture of Solaris 8-10 and RHEL 4-5. These clients
> are currently authenticating against a Sun One 5.X DS.
> I have migrated the Sun One DB to my lab 389 DS. Users with a three
> digit uidNumber are unable to login to Linux systems, however if they
> connect to a Solaris system it works fine.  If I add a fourth digit to
> their uidNumber they are able to access Linux systems just fine.  Did I
> miss a setting somewhere?
>
> Thanks,
>
> Tom
>
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users

The problem is more likely to be a limitation imposed by the PAM 
configuration on the Linux systems.  Go look at /etc/pam.d/* and look 
for lines like:
     account     sufficient    pam_succeed_if.so uid < 500 quiet
A grep for 500 should find lots of examples.  The most likely conflict 
is in /etc/pam.d/system-auth.  Comment the line and try again.

Once upon a time UID numbers up through 99 were reserved for the OS, but 
somewhere along the line we ran out of numbers for such things as 
Apache, ssh, etc. which each needed their own number.  Someone then 
decided that disallowing logins on these numbers was a good thing. 
Unfortunately, a lot of places have extant UIDs < 500 (mine is 402).

You have two choices:
     1. Change the UIDs of the logins of these users and all their
        files on all the systems they use.
     2. Leave them alone and "fix" every Linux system.

The problem with the second choice is that you could have people with 
the same UID as system processes.  When they do an "ls -l" they may see 
that their files belong to "smolt" or "nagios" or similar.  Also, they 
would be able to edit files that perhaps should be off limits to them.

-- 
Gary Algier, WB2FWZ          gaa at ulticom.com         +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054  Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
     People don't read documentation voluntarily.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
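An added example, not from the thread, of the two checks the reply recommends: find the pam_succeed_if "uid < N" gates under /etc/pam.d that a given uidNumber falls below, and find the local /etc/passwd account (smolt, nagios, ...) that already owns that UID. It runs against constructed sample files in a temp directory; point PAM_DIR and PASSWD at the real files to audit a host.

```shell
#!/bin/sh
# Added example: audit PAM uid thresholds and local UID collisions for
# low uidNumber directory users. PAM_DIR and PASSWD are assumptions;
# here they point at constructed sample files so the script runs offline.
SAMPLE="$(mktemp -d)"
PAM_DIR="$SAMPLE/pam.d"; PASSWD="$SAMPLE/passwd"
mkdir -p "$PAM_DIR"
# Constructed sample: the gate line quoted in the reply, plus unrelated lines.
cat > "$PAM_DIR/system-auth" <<'EOF'
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
EOF
cat > "$PAM_DIR/sshd" <<'EOF'
account    required     pam_nologin.so
EOF
# Constructed sample passwd with local service accounts below 500.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nagios:x:402:402:Nagios:/var/spool/nagios:/sbin/nologin
smolt:x:403:403:Smolt:/usr/share/smolt:/sbin/nologin
EOF

# Print every "pam_succeed_if.so ... uid < N" line (file:line) whose
# threshold N is above the UID given as $1. Only the "<" form is matched.
pam_gates_blocking() {
    grep -H 'pam_succeed_if.so.*uid *< *[0-9]' "$PAM_DIR"/* 2>/dev/null |
    while IFS= read -r line; do
        n=$(printf '%s\n' "$line" | sed -n 's/.*uid *< *\([0-9][0-9]*\).*/\1/p')
        if [ "$1" -lt "$n" ]; then printf '%s\n' "$line"; fi
    done
}

# Print the local account name (if any) that already owns UID $1.
local_uid_owner() {
    awk -F: -v u="$1" '$3 == u { print $1 }' "$PASSWD"
}

main() {
    for uid in 402 1402; do
        echo "uidNumber $uid:"
        pam_gates_blocking "$uid" | sed 's/^/  gated by: /'
        owner=$(local_uid_owner "$uid")
        if [ -n "$owner" ]; then echo "  collides with local account: $owner"; fi
    done
}
main
```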