[OpenAFS] Re: [Slightly OT] changing UID of a user to 1

Russ Allbery rra@stanford.edu
Sun, 28 Aug 2005 12:39:18 -0700

Madhusudan Singh <singh.madhusudan@gmail.com> writes:

>> That m_singh is a member of system:administrators makes no difference
>> to how you would change the AFS UID.  The answer is, you can't (at
>> least so far as I know; I welcome correction from anyone else).  You
>> have to create a new user with a different name and the new UID, add it
>> to the AFS groups that the old user was in, delete the old user, and
>> then pts rename the new user to the old user.  I think it actually may
>> be somewhat difficult for you to do this, because in order to do it you
>> need to be able to authenticate as a different user who's also in
>> system:administrators or you'll lose access when you pts delete the old
>> user and then won't be able to finish the renaming of the new user to
>> something that matches the Kerberos principal.  This may be a bit
>> tricky when you don't control the KDC and can't create a new principal.

> Well, that seems to leave only one option. Change the Unix ID of the
> user in question to 1. How do I :

> Change the UID of the user "daemon" to something else (say 11), change
> all the ownerships on all the files owned by it on the system
> consistently and make sure that no processes crash.

I wouldn't really recommend this.  The system probably isn't going to like
it, and then you'd have to maintain it forever.  I'd recommend instead to
ask your local Kerberos administrator to temporarily create you a second
identity that you can add to system:administrators and use to do the delete
and recreate of your regular principal.

This is another good reason to use a separate admin principal from your
regular principal, one that I'd not thought about before.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
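
The create, re-add, delete, rename sequence quoted above, as an added dry-run sketch that is not part of the original message: it only prints the pts commands and refuses when the acting identity is the user being deleted, which is the lockout case the thread describes. All names, the new ID and the group list are constructed placeholders, and the group memberships are assumed to be supplied by the caller.

```shell
#!/bin/sh
# Dry-run planner (added example): prints pts commands, executes nothing.
# Usage: plan_uid_change ADMIN USER NEW_ID TMP_NAME GROUP...
#   ADMIN    identity whose tokens will run the commands (assumed to be
#            in system:administrators already)
#   USER     existing PTS entry whose AFS ID must change
#   NEW_ID   AFS ID wanted for USER
#   TMP_NAME temporary name for the replacement entry
#   GROUP... groups USER currently belongs to (supplied by the caller)
plan_uid_change() {
    if [ "$#" -lt 4 ]; then
        echo "usage: plan_uid_change ADMIN USER NEW_ID TMP_NAME [GROUP...]" >&2
        return 2
    fi
    admin=$1 user=$2 new_id=$3 tmp=$4
    shift 4

    # Lockout check: deleting the entry you are authenticated as removes
    # your own admin rights before the final rename can be done.
    if [ "$admin" = "$user" ]; then
        echo "refusing: $admin would delete its own PTS entry" >&2
        return 1
    fi

    # The new ID must be a plain positive integer.
    case $new_id in
        ''|*[!0-9]*) echo "invalid ID: $new_id" >&2; return 2 ;;
    esac

    echo "pts createuser -name $tmp -id $new_id"
    for g in "$@"; do
        echo "pts adduser -user $tmp -group $g"
    done
    echo "pts delete -nameorid $user"
    echo "pts rename -oldname $tmp -newname $user"
}

# Constructed sample run: a second admin identity performs the change.
plan_uid_change m_singh.admin m_singh 5001 m_singh_new \
    system:administrators
```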