Feature changed by: Matthias Eckermann (mge1512)
Feature #310922, revision 15
Title: central system user registry

- openSUSE-11.4: Rejected by Ludwig Nussel (lnussel)
- reject reason: wasn't implemented
+ openSUSE-11.4: Rejected
Priority Requester: Important

openSUSE Distribution: Unconfirmed
Priority Requester: Important

Requested by: Ludwig Nussel (lnussel)
Partner organization: openSUSE.org

Description:
Once upon a time all system users were defined in aaa_base via the default /etc/passwd file. When the uid space below uid 100 got too small, a new dynamic range between 100 and 499 was introduced. So nowadays packages dynamically create a user in %pre which gets a random uid in this range.

Disadvantage: uids are different on every system. Usually this is not a problem, but for programs that export files over the network it is. TV recordings made by VDR, for example.

useradd has a --preferred-uid option for such cases. It's possible to specify a uid and useradd tries to use it. If it's already taken another one is chosen. Therefore I'd propose to leverage that feature:
- introduce a central uid registry for system users, e.g. a file in aaa_base
- lower SYSTEM_UID_MAX (/etc/login.defs) to e.g. 349 and assign "preferred uids" in the range 350-499.
- change useradd calls in packages to a macro that transparently decides whether a preferred uid needs to be used.

Use Case:
- two systems running vdr, one for recording, the other one for playback on a TV want to share recordings via nfs.
- avoid packagers picking too generic user names
- stable uids across appliances
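
The allocation rule proposed in the description, sketched as an added example that is not part of the original feature request or of any openSUSE package. The registry format (name:uid), the function names pick_system_uid and uid_in_use, and the lowest-free fallback are assumptions; the script only decides a uid and creates no account.

```shell
#!/bin/sh
# Added example. Registry format (name:uid) and the range split are
# assumptions based on the proposal's "e.g." values.
SYSTEM_UID_MIN=100   # start of the dynamic system range
SYSTEM_UID_MAX=349   # lowered as proposed; 350-499 holds registered uids

# uid_in_use PASSWD UID: succeeds if an account already owns UID
uid_in_use() {
    awk -F: -v uid="$2" '$3 == uid { found = 1 } END { exit !found }' "$1"
}

# pick_system_uid NAME REGISTRY PASSWD: prints the uid to create NAME with
pick_system_uid() {
    name=$1 registry=$2 passwd=$3
    # An existing account keeps its uid; never renumber on upgrade.
    uid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$passwd")
    if [ -n "$uid" ]; then echo "$uid"; return 0; fi
    # Registered and still free: use the stable, registry-assigned uid.
    uid=$(awk -F: -v n="$name" '!/^#/ && $1 == n { print $2; exit }' "$registry")
    if [ -n "$uid" ] && ! uid_in_use "$passwd" "$uid"; then
        echo "$uid"; return 0
    fi
    # Unregistered, or preferred uid taken: lowest free uid in the dynamic
    # range (this example's choice; the real allocator may pick differently).
    uid=$SYSTEM_UID_MIN
    while [ "$uid" -le "$SYSTEM_UID_MAX" ]; do
        if ! uid_in_use "$passwd" "$uid"; then echo "$uid"; return 0; fi
        uid=$((uid + 1))
    done
    echo "no free system uid for $name" >&2
    return 1
}

# Constructed sample data: a registry and two hosts' passwd files.
demo_dir=$(mktemp -d)
printf '%s\n' '# name:uid' 'vdr:350' 'mpd:351' > "$demo_dir/registry"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'ntp:x:100:100::/:/bin/false' \
    > "$demo_dir/passwd.recorder"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'ntp:x:100:100::/:/bin/false' \
    'local:x:350:350::/:/bin/false' > "$demo_dir/passwd.player"

for host in recorder player; do
    for user in vdr mpd at; do
        printf '%s %s -> %s\n' "$host" "$user" \
            "$(pick_system_uid "$user" "$demo_dir/registry" "$demo_dir/passwd.$host")"
    done
done
```

On the constructed "player" host uid 350 is already owned by another account, so vdr falls back into the dynamic range and its files would no longer match the recorder's ownership over a uid-based export.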

Discussion:
#1: Jan Engelhardt (jengelh) (2011-03-15 15:15:13)
Recent kernels use NFS4 by default, which transmits the username rather than UID, so the issue is basically resolved in openSUSE 11.4 already.

#2: Ned Ulbricht (ned_ulbricht) (2011-03-16 14:47:12) (reply to #1)
"Resolved" is a strong word there. :-) Identity management is a large space with a multiplicity of complexity. There are numerous solutions in this space. For instance, NIS was invented to deal with this problem. Then LDAP solutions came along. These days, I believe Red Hat has some kind of product competing against Microsoft's Active Directory. And I'd call attention to Novell's eDirectory product (http://www.novell.com/products/edirectory/). Anyhow, I couldn't help but comment on your use of the word "resolved" there. For the benefit of others who may be reading, I think it's worth generally waving in the direction of some of the software shipped with openSUSE or compatible with the platform.

#3: Ludwig Nussel (lnussel) (2011-04-29 15:52:22)
Maybe the new rpm 'collections' feature could be leveraged to avoid useradd calls in packages.