Re: Change UId range, renumber user ids

> On 2/3/21 6:18 PM, Friedrich Schäuffelhut wrote:
> 
> If I understand correctly moving your IPA range may be problematic
> since you are actively using the uids.

Moving user ids is not a concern. We are in a transition phase where
most users still have a local account and use local uids. We are planning
to roll out an OS update for our desktops soon, and with that we are going to
switch to sssd/LDAP based users.

> Do you have substantial podman usage?
> If not, move the podman ranges away. They are automatically allocated
> according to SUB_UID_MIN et al. (man adduser): change those vars
> and reassign ranges for the existing users.

We considered this. We want to avoid future accidental clashes.
Now it would still be possible to fix it.

> Personally, I find the 100000+uid*65536 default rule terrible since
> it gives you unreadable final numbers.

I see it the same way.

> My rule is to rebuild everything from scratch after adding a new user
> with:
> 
> while IFS=":" read a b c x; do [ $c -eq 0 ] && c=1; echo "$a:$[100000*c]:65536"; done </etc/passwd >/etc/subuid
> while IFS=":" read a b c x; do [ $c -eq 0 ] && c=1; echo "$a:$[100000*c]:65536"; done </etc/group >/etc/subgid
> 
> which gives me 400015 for subuser 15 of user 4.
> (note that root=0 is problematic and I collapse it into bin=1,
> both starting at 100000)

We did discuss these options internally.

We understand the administrative tasks that must happen on client systems
when changing UIDs in FreeIPA, e.g. fixing file ownerships (not a problem for us).

We also use configuration management for setting up subuid/subgid files.

We really want to get rid of that UID overlap between our FreeIPA install and
subuid/subgid to avoid future confusion/accidents and unexpected behavior.

What we really would like to understand is whether it is possible to move
the UID/GID range in FreeIPA, and how to do it.


Regards
Friedrich Schäuffelhut
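
The overlap discussed in this message can be checked mechanically. The following is an added example, not part of the original message or of FreeIPA: a POSIX shell function that lists the subuid/subgid entries intersecting a directory ID range. The function names, the sample entries and the range 1000000 with size 200000 are constructed for illustration.

```shell
#!/bin/sh
# find_overlaps RANGE_START RANGE_SIZE < file in subuid/subgid format
# Prints every "name:start:count" entry whose subordinate ID range
# intersects the half-open range [RANGE_START, RANGE_START + RANGE_SIZE).
find_overlaps() {
    lo=$1
    hi=$(( $1 + $2 ))
    while IFS=: read -r name start count || [ -n "$name" ]; do
        # Skip blank lines, comments and entries with non-numeric fields.
        case $name in ''|'#'*) continue ;; esac
        case $start in ''|*[!0-9]*) continue ;; esac
        case $count in ''|*[!0-9]*) continue ;; esac
        # Two half-open ranges intersect when each starts before the other ends.
        if [ "$start" -lt "$hi" ] && [ "$lo" -lt $(( start + count )) ]; then
            printf '%s:%s:%s\n' "$name" "$start" "$count"
        fi
    done
    return 0
}

# Constructed sample in /etc/subuid format (not taken from a real system).
sample_subuid() {
cat <<'EOF'
# name:first subordinate id:count
alice:100000:65536
bob:165536:65536
dave:950000:65536
carol:1000000:65536
erin:1200000:65536
EOF
}

# Constructed directory ID range: start 1000000, size 200000.
# dave overlaps partially, carol lies inside, erin is adjacent and does not overlap.
sample_subuid | find_overlaps 1000000 200000
```

On a real host, redirect `/etc/subuid` and `/etc/subgid` into the function and pass the start and size of the directory ID range actually in use.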