Just based on a cursory evaluation, I would advise against doing what you are asking to do. Based on your description, it sounds as though you may be trying to add users with UID 0, while leaving the local root user in place in /etc/passwd. The system will default to looking up local files first, which should always look like:

$ getent passwd 0
root:x:0:0:root:/root:/bin/bash

Because a user’s account, such as “anderson”, will be stored in the directory, and come second in the lookup (second place is the first to lose!). However, if you did “id anderson” it should pull it up successfully because it’s going by account name.

$ getent passwd anderson
anderson:*:0:100:Anderson, Bob:/home/anderson:/bin/bash

If you move forward, it’s important to understand that UID 0 (root) is responsible for booting the kernel, and running core system processes during init. In my experience with the kernel, and app, the system (kernel) doesn’t use the account name, just the UID. In our scripts, programs, and commands, we (users) tend to use account display names, which are looked up to identify the UID to actually start/run the process. So, basically, the account name is more for display purposes/user friendliness, and is generally looked up by searching for the UID of the account to identify the name to display for things like “ps”. This lookup appears to me (based on observation, not science) to check /etc/passwd first, before looking to remote directories, and in the case where a UID is shared, it appears to select the first match.

If you are talking about storing root in the directory, or if you are talking about having other users share the same UID as root, keep in mind that a system that tries to look up “uid 0” will see root:x:0:0:root:/root:/bin/bash before it sees root:*:0:0:root:/root:/bin/bash, and when looking up the UID it will see the A in “anderson:*:0:100::” before it sees the “r” in “root:*:0:0::”, and it will use whichever it finds first. So an app may end up looking like it’s running as “anderson” to the kernel, and changes made to the “anderson” account may impact system services that were meant to be running as “root”.

If you desire to remove the local “root” account to proceed, also please consider that without a locally defined root account, you would be completely dependent upon the credential caching of your client system, which may or may not be available during init. I’m not even sure the cache would store credentials for root by default, but even if it did, if that cache ever became corrupted, you’d be unable to boot without the account being locally defined. That’s a pretty heavy dependency to add into the system from a systems management perspective.

If you have users that desire root privileges, and are trying to use UID 0 to accomplish this, I would recommend using sudo, or finding some sort of privilege management utility to control access to the root account, rather than attempting to override the user’s ID with the root UID (0). If you have other users masquerading as the root account (UID 0) and their profiles change, it is possible you may still crash apps if that user changes their account details.

In the event that you want to actually authenticate the root account against the directory, and you are able to configure this in such a way that you could successfully boot the OS, you would have your most critical account being centrally managed. If anyone changes the home directory, or messes with the default shell, you will potentially crash applications, and may leave your system un-bootable. This might be annoying if you have a dozen or so systems, but if you have hundreds or thousands it would be a pretty big disaster.

If whatever it is you are attempting to accomplish somehow compels you forward on this effort despite this wall of text I’ve sent you, then I would like to hear from you how it turns out. We have an InfoSec policy here mandating that all accounts must be centrally managed, so I have had to get these core system accounts exempted; if you find a way to overcome all of the things I’ve said, I’d like to learn from you.

From: Edward Capriolo [mailto:edlinuxguru@xxxxxxxxx]
One thing to be very careful of. I once added a non-root user 'edadmin' to be UID 0. This created total havoc on nscachd and a bunch of other tools. I am not sure if this is what you are running into but wanted to mention it.

On Mon, Mar 21, 2016 at 2:07 AM, Dhiraj Deshpande <dhiraj26683@xxxxxxxxx> wrote:

Hello Guys,

I want to add a user with UID 0. When I add any user with UID 0, it doesn't reflect on the client side. It shows no user found. But if I change the same user's UID to non-zero, it reflects on the client side. Somehow it is not taking a root account. Anybody faced the same?
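To make the lookup-order point from the first reply concrete, the following is an added example (not code from this thread or from the 389 project) that models the first-match behaviour of a "files ldap" nsswitch.conf order over two constructed passwd sources. The entries, the source order and the uid_collisions audit helper are all assumptions for illustration; it shows that a by-UID lookup of 0 returns the local root while a by-name lookup of "anderson" silently yields UID 0, and that dropping the local entry flips what UID 0 resolves to.

```python
from collections import namedtuple

# One passwd(5) record; fields follow /etc/passwd column order.
Passwd = namedtuple("Passwd", "name passwd uid gid gecos home shell")


def parse_passwd(text):
    """Parse passwd(5)-style lines into Passwd records, keeping order."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split(":")
        entries.append(Passwd(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


# Constructed sources (not from any real host): a local /etc/passwd and a
# directory that also carries UID 0.  Directory order is deliberately
# "anderson" first, as the reply's "A before r" remark describes.
SOURCES = {
    "files": parse_passwd("root:x:0:0:root:/root:/bin/bash\n"
                          "dhiraj:x:1000:1000:Dhiraj:/home/dhiraj:/bin/bash"),
    "ldap": parse_passwd("anderson:*:0:100:Anderson, Bob:/home/anderson:/bin/bash\n"
                         "root:*:0:0:root:/root:/bin/bash"),
}
DEFAULT_ORDER = ("files", "ldap")   # assumed nsswitch.conf "passwd:" line


def lookup(key, field, order=DEFAULT_ORDER):
    """First match wins: sources are consulted in nsswitch.conf order."""
    for src in order:
        for entry in SOURCES[src]:
            if getattr(entry, field) == key:
                return entry
    return None


def getpwuid(uid, order=DEFAULT_ORDER):
    """What ps/ls-style tools use to turn a numeric owner into a name."""
    return lookup(uid, "uid", order)


def getpwnam(name, order=DEFAULT_ORDER):
    """What 'id anderson' or a login does: resolve a name to its UID."""
    return lookup(name, "name", order)


def uid_collisions(order=DEFAULT_ORDER):
    """Audit check: UIDs that resolve to more than one distinct name."""
    names = {}
    for src in order:
        for entry in SOURCES[src]:
            names.setdefault(entry.uid, set()).add(entry.name)
    return {uid: sorted(n) for uid, n in names.items() if len(n) > 1}
```

Running uid_collisions() against real getent output is the quick way to spot shared UIDs before a display-name mix-up shows up in ps or in file ownership.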
-- 389 users mailing list 389-users@%(host_name)s http://lists-dev.fedorainfracloud.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx