non fedora-usermgmt user creation

Ralf Corsepius rc040203 at freenet.de
Tue Mar 7 17:53:40 UTC 2006


On Tue, 2006-03-07 at 17:35 +0100, Enrico Scholz wrote:
> rc040203 at freenet.de (Ralf Corsepius) writes:
> 
> >> Walk me through this then, I use fedora-usermgmt to create a user for my
> >> nagios package.  What uid does it select, how does it select that UID,
> >> and when you install it on your machine, how does it have the same UID
> >> that it did when it was installed on my machine?
> >
> > Then Enrico also might explain how to propagate this UID to the
> > NIS/LDAP server hosting a network's network-wide uids.
> 
> 1. I think, it is a bad idea to manage system users in NIS/LDAP.
I partially agree, I partially disagree:

I agree, sharing "reserved uids" with nis/ldap is problematic,
nevertheless you will find this in existing systems. However,
sharing "non-reserved" uids is rather non-problematic, because many such
uids/gids actually are ordinary user ids without any special
requirements.

>  This
>    adds a lot of requirements (and points of possible failures) for
>    starting a service:
> 
>    * network must be up/working
>    * SSL certificates must not be expired
>    * NIS/LDAP server must be up
>    * supporting servers (DNS, firewall) must be up
Yes, such a setup is quite demanding, nevertheless this is supposed to
work out of the box in a standard WS setup (And except for some
occasional hiccups in init script priorities, really does).

>    I prefer /etc/passwd for system users
Well, it doesn't matter what YOU prefer, it matters what a network's
sysadmins want. In real world networks you'll encounter issues, you
can't have any chance to know about, be it them using uid < 500 for
ordinary users, because they have several decades of tradition in doing
so (from SunOS times) and because the boss/enterprise founder doesn't
want to return his uid 101, or because they are mapping phone numbers to
uids (This is a case I actually had been confronted with). 

> 2. 'fedora-usermgmt' eases propagation of UIDs to NIS/LDAP servers.

Well, it is just ONE way of doing it, but it is not "the only way to do
it", nor is it "THE CORRECT way of doing it" - It's not much more than
the way YOU prefer, and as such it inevitably will conflict with other
approaches/strategies.

The problem, why I consider using fedora-usermgmt in RPMS to be stupid
is making this approach mandatory.  

The point is: To admins in a non-Fedora network, fedora-usermgmt doesn't
provide any benefits because admins will have to manually intervene in
any case, no matter if fedora-usermgmt or vanilla useradd etc. are used.

My conclusion: fedora-usermgmt should not be pulled in any package in
Fedora unless the installer explicitly requests to do so, i.e. it should
be an "rpm-alternative" to useradd etc. and not be a requirement.

Ralf






