steve@xxxxxxxxx (Steven Pritchard) writes:

> My personal feeling (as a sysadmin and a packager) is that doing
> something like this in %pre (not %post, if you want files owned by
> the new user) is the Right Thing:
>
> %pre
> if ! id foo > /dev/null 2>&1 ; then
>     /usr/sbin/useradd -r -s /sbin/nologin -c 'BAR' [...] foo
> fi

This does not solve the problem that users will have different UIDs on
different machines.

> And then just *don't touch the account* on removal.

This rule is OK with me.

> If for some reason useradd will not work, doing this in %pre should
> make package installation fail, right? Then the sysadmin can go add
> the user in LDAP/NIS/whatever and reinstall the package.

IMO, managing service accounts with LDAP/NIS is a bad idea. It is ideal
for normal users, but I do not want to rely on them for services. You
will run into bootstrap issues (e.g. think of slapd, which tries to
resolve the 'ldap' user), configuration errors like outdated TLS
certificates (which make LDAP lookups impossible), or added complexity
for critical services (I saw enough problems with nss_ldap and nscd).

Additionally, there is no way to see whether users are created by an
rpm package or which parameters are used for these users. So it is not
possible to create users on the LDAP server *before* the package is
installed.

Enrico
Attachment: pgpOk5Ooo3Q7s.pgp (PGP signature)
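The two points argued above (the idempotent %pre guard, and the fact that useradd -r hands out whichever system UID happens to be free, so the same account ends up with different UIDs on different hosts) can be shown without root and without a real useradd. The script below is an added example, not code from this thread or from Fedora packaging: it models the guard logic against two constructed passwd-format files standing in for two hosts, with a file-append standing in for the useradd call, and adds a uid_consistent check of the kind an admin would run to spot the drift. The account names, UIDs and the assumption that useradd -r allocates downward from the top of the system range are all illustrative.

```shell
#!/bin/sh
# Added example (not from the original thread): models the %pre guard
# against constructed passwd-format files so it runs without root.
# In a real scriptlet the lookup is `id foo` and the create step is
#   /usr/sbin/useradd -r -s /sbin/nologin -c 'BAR' foo

# Constructed sample: /etc/passwd on two hosts where "foo" was created
# by useradd -r at different times, so it received different UIDs.
HOST_A_PASSWD=$(mktemp)
HOST_B_PASSWD=$(mktemp)
trap 'rm -f "$HOST_A_PASSWD" "$HOST_B_PASSWD"' EXIT
cat > "$HOST_A_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
foo:x:498:498:BAR:/var/lib/foo:/sbin/nologin
EOF
cat > "$HOST_B_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
foo:x:497:497:BAR:/var/lib/foo:/sbin/nologin
EOF

# account_uid NAME FILE: print NAME's UID; exit 1 if absent (stand-in for `id -u NAME`).
account_uid() {
    awk -F: -v n="$1" '$1 == n { print $3; found = 1 } END { exit !found }' "$2"
}

# next_free_system_uid FILE: highest unused UID in the (illustrative) system
# range 100-499, mimicking useradd -r allocating downward from SYS_UID_MAX.
next_free_system_uid() {
    awk -F: 'BEGIN { for (u = 100; u < 500; u++) free[u] = 1 }
             $3 >= 100 && $3 < 500 { delete free[$3] }
             END { for (u = 499; u >= 100; u--) if (u in free) { print u; exit } }' "$1"
}

# ensure_account NAME FILE: the %pre guard. Creates the account only when
# it is missing and never touches an existing one. Prints "exists" or "created".
ensure_account() {
    if account_uid "$1" "$2" > /dev/null 2>&1; then
        echo exists
    else
        uid=$(next_free_system_uid "$2")
        # Stand-in for useradd -r -s /sbin/nologin: append a passwd entry.
        printf '%s:x:%s:%s:service account:/var/lib/%s:/sbin/nologin\n' \
            "$1" "$uid" "$uid" "$1" >> "$2"
        echo created
    fi
}

# uid_consistent NAME EXPECTED FILE: succeed only if NAME exists with the
# expected UID; this is the check that exposes cross-host UID drift.
uid_consistent() {
    actual=$(account_uid "$1" "$3" 2>/dev/null) || { echo "$1: missing" >&2; return 1; }
    if [ "$actual" -ne "$2" ]; then
        echo "$1: uid $actual on this host, expected $2" >&2
        return 1
    fi
    return 0
}

# Demo: the guard is a no-op where foo exists, and the UID check
# passes on host A but fails on host B.
echo "host A: $(ensure_account foo "$HOST_A_PASSWD")"
uid_consistent foo 498 "$HOST_A_PASSWD" && echo "host A: uid consistent"
uid_consistent foo 498 "$HOST_B_PASSWD" || echo "host B: uid drifted"
```

The drift check is what the %pre pattern cannot give you: the guard keeps reinstalls from duplicating the account, but only an out-of-band inventory of expected UIDs (or a packaging convention that pins them) lets you notice that foo is 498 on one host and 497 on another before NFS exports or backups start mapping files to the wrong owner.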
-- Fedora-packaging mailing list Fedora-packaging@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-packaging