Bug 1117300

Summary: ipa user-add cannot assign UID/GID 999
Product: Red Hat Enterprise Linux 6 Reporter: Imed Chihi <ichihi>
Component: ipa Assignee: Martin Kosek <mkosek>
Status: CLOSED WONTFIX QA Contact: Namita Soman <nsoman>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.7 CC: pviktori, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2014-07-28 10:43:51 UTC Type: Bug

Description Imed Chihi 2014-07-08 13:09:53 UTC
Description of problem:
The "ipa user-add" command cannot create users with UID=999 or GID=999. When the value 999 is passed on the command line, it seems to be ignored and the ipa tool assigns an automatically generated value instead of 999.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 6

How reproducible:
Always

Steps to Reproduce:
1. run: 
# ipa user-add someuser --uid=999 --first=Some --last=User

Actual results:
Command output is:
(..)
UID: 1453600009
(..)

Expected results:
Command output is:
(..)
UID: 999
(..)

Additional info:
The Identity Management version shipped with Red Hat Enterprise Linux 6 has DNA_MAGIC set to 999 in /usr/lib/python2.6/site-packages/ipalib/plugins/user.py.  This makes 999 unallocatable for UIDs and GIDs.
This is a suggestion to implement the same change as RHEL 7 in BZ#837364.
The upstream fix changed DNA_MAGIC to -1: http://www.redhat.com/archives/freeipa-devel/2013-February/msg00362.html

Comment 2 Petr Viktorin (pviktori) 2014-07-09 08:19:44 UTC
This would require the client to send some kind of extended version number/capability list to indicate that a "999" actually means "999". Also, the server would need to understand this extended information.
Something like this is being considered upstream, in https://fedorahosted.org/freeipa/ticket/4427.
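The sentinel collision from the description and the compatibility problem raised in comment 2, as a simplified model added here (not FreeIPA code and not part of the original thread). Only DNA_MAGIC and its values 999 and -1 come from the report; the function names, the allocator and the assumption that the client puts the sentinel into the request when no --uid is given are hypothetical.

```python
# Simplified model of the sentinel collision; not FreeIPA source code.
# Only DNA_MAGIC and its values (999, -1) come from the report; the rest is hypothetical.
OLD_MAGIC = 999   # DNA_MAGIC on RHEL 6
NEW_MAGIC = -1    # DNA_MAGIC after the upstream fix
RANGE_START = 1453600009  # constructed: reuses the UID shown in "Actual results"


class Allocator:
    """Stand-in for automatic ID allocation from a range."""
    def __init__(self, start=RANGE_START):
        self.next_id = start

    def allocate(self):
        uid, self.next_id = self.next_id, self.next_id + 1
        return uid


def client_request(uid, client_magic):
    """Value placed in the request: the sentinel when no --uid was given (assumed)."""
    return client_magic if uid is None else uid


def server_assign(wire_uid, server_magic, declared_magic=None, allocator=None):
    """Pick the UID to store. declared_magic models the capability hint from
    comment 2; without it the server can only apply its own sentinel."""
    allocator = allocator or Allocator()
    sentinel = server_magic if declared_magic is None else declared_magic
    return allocator.allocate() if wire_uid == sentinel else wire_uid


def scenarios():
    return {
        # RHEL 6 client and server: an explicit 999 is read as "auto-assign".
        "rhel6_explicit_999": server_assign(client_request(999, OLD_MAGIC), OLD_MAGIC),
        # Sentinel moved out of the valid range: 999 is stored as given.
        "fixed_explicit_999": server_assign(client_request(999, NEW_MAGIC), NEW_MAGIC),
        # Old client asking for auto-assign, server switched to -1, no hint:
        # the sentinel is stored as a real UID.
        "mixed_auto_no_hint": server_assign(client_request(None, OLD_MAGIC), NEW_MAGIC),
        # Same request, but the client declares its sentinel.
        "mixed_auto_with_hint": server_assign(
            client_request(None, OLD_MAGIC), NEW_MAGIC, declared_magic=OLD_MAGIC),
    }


if __name__ == "__main__":
    for name, uid in scenarios().items():
        print(f"{name}: {uid}")
```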

Comment 3 Martin Kosek 2014-07-28 10:43:51 UTC
Sorry for the delay. Petr is right, this change would require significant changes to the FreeIPA server both on RHEL-6.x and on RHEL-7. Given the complexity of the fix in RHEL-6.x, the low severity of the issue and given that it is already fixed in RHEL-7.0, I will close this request as WONTFIX.

As a workaround, the customer can use ldapmodify to change the UID to 999 or, alternatively, install a RHEL-7.0 replica where the user with UID 999 can be added and will also be replicated to RHEL-6.x servers.

If this information is not sufficient for you or for the customer, please reopen with proper business justification.

Comment 6 Imed Chihi 2014-08-24 11:25:24 UTC
Solution published here https://access.redhat.com/solutions/1144973.  Feel free to edit or suggest fixes/improvements.

Comment 7 Martin Kosek 2014-08-25 10:03:28 UTC
It looks ok, thanks! I am wondering whether the Diagnostics part may be more difficult than it needs to be; "cat" on that file will print a lot of info that the user will need to search through.

Maybe offering just

# grep "DNA_MAGIC = " /usr/lib/python2.6/site-packages/ipalib/plugins/user.py
DNA_MAGIC = 999

would be easier. But this is just a minor improvement suggestion, nothing foundational.