VinzC Watchman
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
|
Posted: Thu Jul 10, 2008 3:20 pm Post subject: Isn't there any standard for numbering GIDS? |
|
|
Hi.
I'm currently installing an LDAP server on a Debian Virtual Environment that is hosted on a physical Gentoo server with OpenVZ. I was about to run the migration scripts and import various stuff to the directory when I realized not all group IDs were mapped to the same names between Debian and Gentoo, for instance.
Example: in Debian daemon and bin accounts map to 1 and 2 respectively, while 1 and 2 under Gentoo are bin and daemon respectively -- i.e. reversed. Also groups cdrom, games and usb don't have the same IDs between both distributions.
This basically means that I can't trust group IDs if I want to be able to use them on different distributions from a centralized user management system like LDAP. Given that different distributions have different IDs for these groups I can't safely use them to grant these accounts local access to the CDROM or USB devices, for instance, right?
Is there any solution or workaround for that issue?
Till now only the users group has an ID of 100 in both Debian and Gentoo. But it might as well be different on other distributions, right?
Thanks in advance. _________________ Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739! |
aceFruchtsaft Guru
Joined: 16 May 2004 Posts: 438 Location: Vienna, Austria
|
Posted: Thu Jul 10, 2008 4:29 pm Post subject: Re: Isn't there any standard for numbering GIDS? |
|
|
VinzC wrote: |
Is there any solution or workaround for that issue?
|
Use nss_ldap to guarantee consistent GIDs across the network.
You need to do this for selected groups only, since most groups in /etc/groups are only relevant for various daemons which you wouldn't want to share anyway.
Quote: |
Till now only the users group has an ID of 100 in both Debian and Gentoo. But it might as well be different on other distributions, right?
|
Right. |
VinzC Watchman
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
|
Posted: Thu Jul 10, 2008 5:25 pm Post subject: |
|
|
Thanks for your lights, aceFruchtsaft.
So it basically means that Padl MigrationTools scripts are mostly useless (at least for groups and users whose ID < 1000) since they might map things that don't have the same IDs on different distributions, right? In other terms, they would make sense only if the operating system holding the LDAP server *and* the one on workstations are exactly the same distribution, am I right?
aceFruchtsaft wrote: | Use nss_ldap to guarantee consistent GIDs across the network |
Right.
But what about files created on the *local* workstation by a network user? Linux users in general, be they local or LDAP accounts, should at least be part of the local group "users". What if one day on a given distribution, a group numeric ID maps to the one of a local daemon? _________________ Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739! |
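An added example, not part of any post in this thread: a check that compares the group(5) files of two hosts before importing groups into LDAP, listing names whose GID differs and GIDs that resolve to a different name on the other host. The daemon/bin and users values follow the first post; the cdrom and games GIDs and all function names are constructed for illustration.

```python
"""Audit two group(5) files for name/GID disagreements before centralizing."""

# Constructed samples. daemon/bin and users follow the thread; other GIDs are made up.
DEBIAN = """root:x:0:
daemon:x:1:
bin:x:2:
cdrom:x:24:
games:x:60:
users:x:100:
"""
GENTOO = """root:x:0:
bin:x:1:
daemon:x:2:
cdrom:x:19:
games:x:35:
users:x:100:
"""

def parse_group(text):
    """Return {name: gid} from group(5) content (name:passwd:gid:members)."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "+", "-")):
            continue  # skip blanks, comments and NSS compat entries
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed entry, ignore rather than guess
        groups[fields[0]] = int(fields[2])
    return groups

def compare(a, b):
    """Return (mismatched, collisions) between two {name: gid} maps.

    mismatched: same name, different GID -> {name: (gid_a, gid_b)}
    collisions: same GID, different name -> {gid: (name_a, name_b)}
    """
    mismatched = {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]}
    rev_a = {g: n for n, g in a.items()}
    rev_b = {g: n for n, g in b.items()}
    collisions = {g: (rev_a[g], rev_b[g])
                  for g in rev_a.keys() & rev_b.keys() if rev_a[g] != rev_b[g]}
    return mismatched, collisions

def safe_to_centralize(a, b):
    """Groups whose name and GID agree on both hosts."""
    return sorted(n for n in a.keys() & b.keys() if a[n] == b[n])

if __name__ == "__main__":
    deb, gen = parse_group(DEBIAN), parse_group(GENTOO)
    print(compare(deb, gen), safe_to_centralize(deb, gen))
```

A GID in the collisions map is the case raised in the last post: a file owned by that numeric GID belongs to a different group depending on which host reads it.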