[OpenAFS] UID conflicts

Douglas E. Engert deengert@anl.gov
Tue, 20 Dec 2011 08:52:11 -0600


On 12/19/2011 7:01 PM, Lewis, Dave wrote:
> Hi,
>
> The UIDs of some of our users are low, between 100 and 130.  Our AFS
> UIDs are the same as our Unix UIDs (which are in NIS).  Recently someone
> switched a workstation from CentOS to Ubuntu in our cell, and I found
> some UID conflicts with system daemons.
>
> For example, one user has a UID of 108.  On the Ubuntu workstation,
> kernoops has the same UID (as listed in /etc/passwd).  Another user has
> UID=112, which is listed in /etc/passwd for saned.  There are a few
> other user/system UID matches.
>
> So now users "own" some system files on the Ubuntu workstation. :-(
>
> These user accounts were created long ago on a server for which the
> system daemon UIDs were < 100.  This is the first system on which we
> have seen such a UID conflict.
>
> We're planning to have more Ubuntu/Debian computers here.  If we want to
> avoid conflicts between UIDs of normal users and system daemons, what's
> the best way to go about it?


Debian policy found at:
  http://www.debian.org/doc/debian-policy/ch-opersys.html
9.2.2 UID and GID classes

  100-999:
  "Dynamically allocated system users and groups. Packages which
   need a user or group, but can have this user or group allocated
   dynamically and differently on each system, should use
   adduser --system to create the group and/or user. adduser will check
   for the existence of the user or group, and if necessary choose an
   unused id based on the ranges specified in adduser.conf."

So it might be easier to reassign the daemon's UIDs than the user's UIDs
and on additional systems, update the adduser.conf to a range that does
not include any existing real users.

>
> I can change the Unix UID for a user and then chown all of that user's
> files.  However, the AFS docs say that it is important for the AFS UIDs
> to match the Unix UIDs, and I don't see how to change an AFS UID.
>
> Thanks,
> Dave
>
> ==============================================================
> David P. Lewis
> Center for Advanced Brain Imaging, Division of Medical Physics
> The Nathan S. Kline Institute for Psychiatric Research
> 140 Old Orangeburg Road, Orangeburg, NY 10962
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
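
Added example, not part of the original message and not OpenAFS or Debian code: a Python sketch of the audit the reply implies. It lists local accounts whose UID is also held by a site (NIS/AFS) user, then picks the largest gap inside the 100-999 dynamic system range that contains no site user. The sample passwd entries are constructed, and FIRST_SYSTEM_UID / LAST_SYSTEM_UID are the range keys in Debian's adduser.conf, which the thread itself does not name.

```python
# Constructed sample data in passwd(5) format; user names and paths are made up.
# On a real host, read /etc/passwd and the output of `ypcat passwd` instead.
LOCAL_PASSWD = """\
messagebus:x:102:105::/var/run/dbus:/bin/false
kernoops:x:108:65534:Kernel Oops Tracking Daemon:/:/bin/false
saned:x:112:121::/home/saned:/bin/false
"""
SITE_PASSWD = """\
alice:x:108:500:Alice:/home/alice:/bin/bash
bob:x:112:500:Bob:/home/bob:/bin/bash
carol:x:130:500:Carol:/home/carol:/bin/bash
dave:x:5001:500:Dave:/home/dave:/bin/bash
"""

def parse_passwd(text):
    """Return {uid: name}; skips comments, NIS +/- lines and malformed entries."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or fields[0][:1] in ("#", "+", "-", "") or not fields[2].isdigit():
            continue
        entries.setdefault(int(fields[2]), fields[0])
    return entries

def find_conflicts(local, site):
    """(uid, local_name, site_name) for each UID held by two different accounts."""
    shared = sorted(local.keys() & site.keys())
    return [(u, local[u], site[u]) for u in shared if local[u] != site[u]]

def safe_system_range(site, low=100, high=999):
    """Largest contiguous span in [low, high] with no site user UID, or None."""
    best, start = None, low
    for uid in sorted(u for u in site if low <= u <= high) + [high + 1]:
        if uid > start and (best is None or uid - start > best[1] - best[0] + 1):
            best = (start, uid - 1)
        start = uid + 1
    return best

if __name__ == "__main__":
    local, site = parse_passwd(LOCAL_PASSWD), parse_passwd(SITE_PASSWD)
    for uid, daemon, user in find_conflicts(local, site):
        print(f"UID {uid}: local account {daemon!r} collides with site user {user!r}")
    span = safe_system_range(site)
    if span:
        print(f"FIRST_SYSTEM_UID={span[0]}\nLAST_SYSTEM_UID={span[1]}")
```

The suggested range only steers future `adduser --system` allocations; accounts already reported as colliding still have to be renumbered and their files re-owned.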