On Wed, 04.07.18 14:05, Vlad (vovan at vovan.nl) wrote:

> Lennart,
>
> Thanks for all the information and explanation! Below are all the details:
> - systemd-239
> - systemd-resolve as well as all systemd related users are defined in
>   /etc/passwd
> - nss_ldap is configured via nss_initgroups_ignoreusers to not look up
>   groups for all system related users, including all systemd users

If you can configure nss-ldap to exclude certain UID ranges and user
names from lookups this can work too. But you'd have to tell it to
exclude the following user names and UIDs/GIDs:

1. systemd-network, systemd-resolve, systemd-timesync
2. all UIDs equal to or below `pkg-config systemd --variable=systemuidmax`,
   and similar GIDs
3. all UIDs >= `pkg-config systemd --variable=dynamicuidmin` and
   <= `pkg-config systemd --variable=dynamicuidmax` and similar GIDs.

In particular the latter is what is missing here, as that's the range
DynamicUser=1 will allocate from, and if nss-ldap doesn't listen to
that you should be good.

> Do you think changing "DynamicUser" to "no" should solve the issue? I
> see that quite a few services (systemd-resolve, systemd-networkd,
> firewalld, etc.) have "DynamicUser=yes".

Well, something needs to create the users. That can either be you,
with static adduser/useradd, or it can be systemd, by means of
DynamicUser=yes.

Note that DynamicUser=yes doesn't conflict with registering the user
in /etc/passwd. If there already is a matching static user around, then
DynamicUser=yes will simply use that, and not bother allocating a
dynamic one. This means you never need to fiddle with DynamicUser=
actually, it totally suffices to create the right users statically
with useradd/adduser.

Lennart

-- 
Lennart Poettering, Red Hat
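
The three exclusion rules listed in the mail above, as an added example that is not part of the original message or of systemd: a shell script that reads the limits with the same `pkg-config` queries and flags passwd-format directory entries that collide with them. The function names, the fallback values (systemd's upstream defaults, used only when `systemd.pc` is not installed) and the sample entries are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find directory entries that fall into the names and ID
# ranges the mail says nss-ldap must not answer for.

# Read a variable from systemd.pc; fall back to the upstream default
# (assumption) if pkg-config or systemd.pc is not installed.
sd_var() {
    v=$(pkg-config systemd --variable="$1" 2>/dev/null) || v=
    echo "${v:-$2}"
}

SYSTEM_UID_MAX=$(sd_var systemuidmax 999)
DYNAMIC_UID_MIN=$(sd_var dynamicuidmin 61184)
DYNAMIC_UID_MAX=$(sd_var dynamicuidmax 65519)

# Print why NAME/ID must be excluded from LDAP lookups, or print nothing.
reserved_reason() {
    case "$1" in
        systemd-network|systemd-resolve|systemd-timesync)
            echo "systemd user name"; return 0 ;;
    esac
    case "$2" in ''|*[!0-9]*) return 0 ;; esac   # skip malformed IDs
    if [ "$2" -le "$SYSTEM_UID_MAX" ]; then
        echo "system range (<= $SYSTEM_UID_MAX)"
    elif [ "$2" -ge "$DYNAMIC_UID_MIN" ] && [ "$2" -le "$DYNAMIC_UID_MAX" ]; then
        echo "DynamicUser range ($DYNAMIC_UID_MIN-$DYNAMIC_UID_MAX)"
    fi
}

# Read passwd-format lines on stdin (for instance a dump of the LDAP
# passwd map) and print "name:id:reason" for every colliding entry.
audit_entries() {
    while IFS=: read -r name pw id rest; do
        case "$name" in ''|'#'*) continue ;; esac
        reason=$(reserved_reason "$name" "$id")
        if [ -n "$reason" ]; then echo "$name:$id:$reason"; fi
    done
    return 0
}

# Constructed sample input; real use would pipe in the directory's entries.
SAMPLE='alice:x:10001:10001::/home/alice:/bin/sh
svc-backup:x:450:450::/:/sbin/nologin
build42:x:61200:61200::/:/sbin/nologin
systemd-resolve:x:20005:20005::/:/sbin/nologin'
printf '%s\n' "$SAMPLE" | audit_entries
```

Because group-format lines also carry the numeric ID in the third field, the same `audit_entries` function covers the "similar GIDs" part when fed the directory's group entries.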