[OpenAFS] UID conflicts

Marcus Watts mdw@umich.edu
Tue, 20 Dec 2011 14:56:40 -0500


> Date:    Mon, 19 Dec 2011 20:01:12 EST
> To:      <openafs-info@openafs.org>
> From:    "Lewis, Dave" <LEWIS@NKI.RFMH.ORG>
> Subject: [OpenAFS] UID conflicts
> 
> Hi,
> 
> The UIDs of some of our users are low, between 100 and 130.  Our AFS
> UIDs are the same as our Unix UIDs (which are in NIS).  Recently someone
> switched a workstation from CentOS to Ubuntu in our cell, and I found
> some UID conflicts with system daemons.
> 
> For example, one user has a UID of 108.  On the Ubuntu workstation,
> kernoops has the same UID (as listed in /etc/passwd).  Another user has
> UID=112, which is listed in /etc/passwd for saned.  There are a few
> other user/system UID matches.
> 
> So now users "own" some system files on the Ubuntu workstation. :-(
> 
> These user accounts were created long ago on a server for which the
> system daemon UIDs were < 100.  This is the first system on which we
> have seen such a UID conflict.
> 
> We're planning to have more Ubuntu/Debian computers here.  If we want to
> avoid conflicts between UIDs of normal users and system daemons, what's
> the best way to go about it?
> 
> I can change the Unix UID for a user and then chown all of that user's
> files.  However, the AFS docs say that it is important for the AFS UIDs
> to match the Unix UIDs, and I don't see how to change an AFS UID.
> 
> Thanks,
> Dave

I don't think debian (or ubuntu) make any guarantee uids will be the
same even on successive machines - it all depends on the order that
software is installed.

Unless you're trying to make some sort of "diskless" client, I think you
can ignore this.  Most of your system daemons are only going to access
things on the local disk.  If you do have system daemons accessing AFS space,
without special provisions to get afs credentials they're only going to be
capable of accessing stuff as the anonymous user.

You *do* want to have a coordinated uid/viceid space for your users.
That probably means some form of central provisioning system for
login names & viceids.  You'll probably want to start the base of
your coordinated space well above what debian (or ubuntu or whatever)
will want to use for system daemons.  1000 might be a safe minimum
value for your coordinated space.   2000, as David Boyes recommends,
is certainly even better.  I don't think you need worry about keeping
uids under 32000 or 65536.  Most modern machines (including any modern
linux) support 32-bit uids just fine.  There are a few special values
you'll want to avoid (afs anonymous user, various "nobody" values),
but anything over 65536 is actually probably quite safe.

It *IS* possible, BTW, to change an afs viceid.  I don't think there's
a command line tool in the current distribution that accesses the
functionality, but PR_ChangeEntry has a "newid" parameter which can be
set to accomplish a viceid change.

				-Marcus Watts
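A small check for the situation described in this thread, added here as an example and not code from either poster: it reads a NIS-style passwd map and a workstation's /etc/passwd, reports user UIDs that collide with system accounts, flags users whose UIDs fall below the coordinated base or on a reserved value, and proposes replacement UIDs from the coordinated space. The sample passwd lines are constructed to match the numbers in the question; BASE_UID = 2000 follows the recommendation above; the Debian system-account range 100..999 and the reserved set (root 0, Red Hat's nobody 99, the AFS anonymous id 32766, Debian's nobody 65534) are my assumptions and should be checked against your own distributions and cell. The script only handles the Unix side; the matching viceid change in the protection database is not covered.

```python
"""Check a site's user UID space against a Debian/Ubuntu workstation's
system accounts and propose a conflict-free remapping.

Added example, not from the mailing-list thread. Assumptions: input is
passwd-format text; the coordinated user space starts at BASE_UID;
RESERVED and SYSTEM_RANGE hold the special values as I know them and
should be checked against your own systems and cell.
"""

BASE_UID = 2000                    # start of the coordinated uid/viceid space (assumed)
RESERVED = {0, 99, 32766, 65534}   # root, RHEL nobody, AFS anonymous, Debian nobody (assumed)
SYSTEM_RANGE = range(100, 1000)    # Debian dynamically allocated system accounts (assumed)

# Constructed sample data shaped after the numbers in the question.
NIS_PASSWD = """\
dave:x:108:100:Dave Lewis:/afs/example.org/user/dave:/bin/bash
alice:x:112:100:Alice:/afs/example.org/user/alice:/bin/bash
bob:x:2001:100:Bob:/afs/example.org/user/bob:/bin/bash
"""

UBUNTU_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
kernoops:x:108:65534::/:/usr/sbin/nologin
saned:x:112:123::/var/lib/saned:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Return {name: uid} from passwd-format text, skipping blank and comment lines."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        out[fields[0]] = int(fields[2])
    return out


def find_conflicts(users, system):
    """List (user, system_account, uid) triples where a user uid equals a system uid."""
    by_uid = {}
    for name, uid in system.items():
        by_uid.setdefault(uid, []).append(name)
    conflicts = []
    for name, uid in sorted(users.items(), key=lambda kv: kv[1]):
        for sysname in by_uid.get(uid, []):
            if sysname != name:
                conflicts.append((name, sysname, uid))
    return conflicts


def out_of_range(users):
    """Names of users whose uid is below BASE_UID, reserved, or in the system range."""
    return sorted(name for name, uid in users.items()
                  if uid < BASE_UID or uid in RESERVED or uid in SYSTEM_RANGE)


def propose_remap(users):
    """Assign new uids >= BASE_UID to out-of-range users, skipping uids already
    in use and the reserved values. Returns {name: (old_uid, new_uid)}."""
    taken = set(users.values()) | RESERVED
    remap = {}
    next_uid = BASE_UID
    for name in out_of_range(users):
        while next_uid in taken:
            next_uid += 1
        remap[name] = (users[name], next_uid)
        taken.add(next_uid)
        next_uid += 1
    return remap


if __name__ == "__main__":
    users = parse_passwd(NIS_PASSWD)
    system = parse_passwd(UBUNTU_PASSWD)
    for user, sysname, uid in find_conflicts(users, system):
        print(f"conflict: uid {uid} is {user} in NIS but {sysname} on the workstation")
    for name, (old, new) in propose_remap(users).items():
        print(f"{name}: {old} -> {new}  (then chown files owned by uid {old})")
```

Run it against a dump of your real NIS map (`ypcat passwd`) and a fresh install's /etc/passwd before rolling out more Debian-family workstations; the proposed mapping is only a starting point, since the new viceid must be changed in the protection database to match.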