Re: UID mismatch across systems
- Date: Sun, 26 Mar 2017 23:27:35 +0200
- From: deloptes <deloptes@xxxxxxxxx>
- Subject: Re: UID mismatch across systems
Ross Boylan wrote:
> To solicit advice about how to deal with the mismatch, including the
> options I mentioned originally:
> 1) manually change the uids/gids so they match--and how to do that
> safely, esp on a live system
> 2) live with the the mismatches, at least for system accounts.
> I was also wondering how systems could be set up to have matching ids,
> given that the initial install doesn't use a shared identity database.
> For example, my newer systems have uid 101 = input, while pre-jessie
> ones have 101 = libuuid. The new ones have systemd-* users at
> 102-105, while the older ones have other users there.
>> There is no magic wand for that - debian has default numbering for system
>> accounts, so only user and custom accounts need to be moved to some user
>> management system like mysql or ldap. Of course OP will need to chown on
>> each machine to make it work.
> I am the OP! Thanks for your responses.
Ah, sorry I did not notice you are the OP.
I was once told debian uses same uid/gid for the system accounts, but it
looks like it is not true. However I am sure there is somewhere
documentation/discussion about this.
In general you don't mess up with the system accounts.
Only your user accounts would be managed in LDAP (or MySQL). This is what
you want. So answer to your 1) is yes only for user accounts and this would
imply 2) as yes unless you have some good reason to manage system accounts
via LDAP (or MySQL), but I have never heard of such.
The tricky part here is if users are in some system groups and they differ
between hosts. In this case you could distribute same passwd/group and
shadow files to all machines and need to update (chown) all related
files/dirs same as step 5.
you need to
1. create a list of all users on each host and uid/gid on that host.
2. assign a unique uid/gid to each user
3. create/migrate the users to LDAP (or MySQL) to those uid/gid
4. update each host to use LDAP (or MySQL) as pam service
5. chown all files/dirs belonging to each of the user (I think find is good
6. remove the local users (but leave one user account for admin tasks)
There are some good docs around about how this is done.
I hope that helps