Web lists-archives.com

UID mismatch across systems

I have a bunch of systems with varying users and groups and varying assignments of UIDs and GIDs to named users and groups.  I would like to get them on a common basis, and understand that using LDAP is one way to achieve this.

For simplicity I'm just going to talk about users; groups have the same set of issues.

The problem is that I can't convert to using a shared directory when different systems assign different uids to the same named user.  In other words, to get to the shared accounts solution I must already have solved the problem of mismatching ids.

What can I do about this?

The problems are mostly with system users, and I've seen some advice indicating such users don't normally go in LDAP.  So excluding them would reduce the problem, for LDAP, but also leave lots of unsynchronized ids.

I could manually change the uid of files and use usermod to update the user definition itself.  But I worry about the effect of doing that on a running system with processes that I shouldn't shutdown (e.g., systemd, messagebus).  I'm also concerned that some programs may have their UID compiled in as a security feature, so that they won't work if it changes.  Obviously it would be better to update the disk when the system isn't live, but some of the machines are VMs and I don't manage the host.  Even if mounting the virtual disks on another VM is technically possible, it wouldn't necessarily be administratively easy.

Additionally, I'm not sure what sequence of updating the file system and doing usermod is appropriate.  I could update passwd by hand on a non-live file system, but I worry that usermod does other stuff I'd miss.  I notice that adding a user changes passwd, group, shadow, subuid and subgid.

Or I could just live with the mess, at least for system users.  The main problem it poses is that backups (in particular I have a big mail spool owned by cyrus) and copy operations between systems may not work properly, nor would moving disks between systems.  I'm not sure how much of a problem the mismatches are for NFSv4; I believe it allows user/kerberos based authentication, but I'm not sure what that means for the uids of the files.

Thanks for any advice.
Ross Boylan

P.S. I've modified adduser so that one can specify templates for uids and gids, so that if a package installation creates a user it will be created with the uid and gid given in the templates.  This helps going forward, but not with the mess I already have.
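One way to take inventory before touching anything, as an added example that is not part of the original post: a small Python script that compares passwd(5) copies gathered from several hosts and reports both kinds of conflict the post worries about (one name with different uids, and one uid shared by different names, which is what makes backups and moved disks hand files to the wrong account), plus the command order for remapping one account. The host names and passwd contents are constructed, not taken from any real system.

```python
"""Audit passwd(5) copies from several hosts for UID conflicts (added example,
not from the original post; host data below is constructed, not real)."""
from collections import defaultdict

# Constructed sample passwd data for two hosts (not real systems).
PASSWD = {
    "host-a": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "cyrus:x:110:110:Cyrus Mailsystem:/var/lib/cyrus:/bin/sh\n"
        "messagebus:x:104:108::/nonexistent:/usr/sbin/nologin\n"
        "ross:x:1000:1000:Ross:/home/ross:/bin/bash\n"
    ),
    "host-b": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "cyrus:x:115:115:Cyrus Mailsystem:/var/lib/cyrus:/bin/sh\n"
        "postfix:x:110:116::/var/spool/postfix:/usr/sbin/nologin\n"
        "ross:x:1000:1000:Ross:/home/ross:/bin/bash\n"
    ),
}

def parse_passwd(text):
    """Return {name: uid} from passwd(5)-formatted text, skipping junk lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and not line.startswith("#"):
            users[fields[0]] = int(fields[2])
    return users

def find_conflicts(passwd_by_host):
    """name_mismatch: one name, different UIDs across hosts.
    uid_collision: one UID, different names -> ownership crosses over when
    files, backups or disks move between hosts."""
    name_to_uids = defaultdict(dict)  # name -> {host: uid}
    uid_to_names = defaultdict(dict)  # uid -> {host: name}
    for host, text in passwd_by_host.items():
        for name, uid in parse_passwd(text).items():
            name_to_uids[name][host] = uid
            uid_to_names[uid][host] = name
    mism = {n: h for n, h in name_to_uids.items() if len(set(h.values())) > 1}
    coll = {u: h for u, h in uid_to_names.items() if len(set(h.values())) > 1}
    return mism, coll

def remap_commands(name, old_uid, new_uid):
    """Commands to move one account to a new UID on one host: change the
    account first, then retag files still carrying the old numeric UID.
    -xdev stays on one filesystem; -h changes symlinks themselves."""
    return [f"usermod -u {new_uid} {name}",
            f"find / -xdev -uid {old_uid} -exec chown -h {name} {{}} +"]
```

Run the audit with passwd files copied from each host substituted for the constructed dictionary; the remap commands are meant for a quiesced system, since usermod only re-owns the home directory and mail spool itself.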