On Do, 06.12.18 19:42, Florian Weimer (fweimer@xxxxxxxxxx) wrote:

> >> Reading https://bugzilla.redhat.com/show_bug.cgi?id=1284325 there can be
> >> some ID overlaps with FreeIPA/Samba, which is undesirable. I would say
> >> that this must be solved if this module is enabled by default. Was there any
> >> progress in this area?
> >
> > I think that's a misunderstanding of what the module does. At the
> > point the module announces those uid/gid ranges they are already
> > reserved, hence the conflict is already there. nss-mymachines is hence
> > only the messenger, not the culprit.
>
> I don't think we enforce that reservation system-wide. Do we filter out
> those accounts when they come in over LDAP? Can users add them locally
> using adduser?
>
> None of the NSS modules in glibc provide such filtering.

The UID/GID allocation in systemd itself (for DynamicUser=1) and in
systemd-nspawn (for --private-users=) both check NSS before they take
a UID/GID. Hence, if LDAP users live in the same range we use it makes
the space scarcer, but it shouldn't cause conflicts — as long as
everything is properly registered in NSS.

"adduser" registers from the range 1000…60000 on Fedora by
default. DynamicUser=1 uses the range 61184…65519. systemd-nspawn uses
524288…1879048191. So these at least do not overlap.

Lennart

--
Lennart Poettering, Red Hat
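
The check described in the message above, as an added example that is not part of the original mail and not systemd's own code: it confirms the three quoted ranges are disjoint, reports NSS entries that sit inside a dynamically allocated range, and skips IDs NSS already resolves when picking a free one. The function names, the sequential scan and the sample entries are assumptions made for illustration.

```python
import grp
import pwd
from itertools import combinations

# Inclusive ranges quoted in the message above.
RANGES = {
    "adduser": (1000, 60000),
    "DynamicUser=1": (61184, 65519),
    "systemd-nspawn": (524288, 1879048191),
}
DYNAMIC = ("DynamicUser=1", "systemd-nspawn")

def overlapping_ranges(ranges=RANGES):
    """Return every pair of range names whose intervals intersect."""
    return [(a, b) for a, b in combinations(ranges, 2)
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def nss_id_taken(num):
    """True if NSS resolves num as a UID or as a GID."""
    for lookup in (pwd.getpwuid, grp.getgrgid):
        try:
            lookup(num)
            return True
        except KeyError:
            continue
    return False

def first_free_id(lo, hi, taken=nss_id_taken):
    """Sequential scan (a simplification) that skips IDs already known to NSS."""
    return next((n for n in range(lo, hi + 1) if not taken(n)), None)

def ids_in_dynamic_ranges(entries, ranges=RANGES):
    """entries: (name, id) pairs. Report those inside a dynamically allocated range."""
    return [(name, num, r) for name, num in entries for r in DYNAMIC
            if ranges[r][0] <= num <= ranges[r][1]]

def live_entries():
    """Enumerable NSS users; directory users may be missing if enumeration is off."""
    return [(p.pw_name, p.pw_uid) for p in pwd.getpwall()]

# Constructed sample, not taken from any real system.
SAMPLE = [("alice", 1000), ("ldap-svc", 61200), ("ipa-user", 600000), ("nobody", 65534)]

if __name__ == "__main__":
    print("overlaps:", overlapping_ranges())
    for name, num, r in ids_in_dynamic_ranges(SAMPLE):
        print(f"{name} ({num}) sits inside the {r} range")
```

On a real host, pass `live_entries()` instead of `SAMPLE`; accounts that NSS can resolve by ID but does not enumerate will only be caught by `nss_id_taken`.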