Red Hat Bugzilla – Bug 590513
default min_uid not compatible with older defaults
Last modified: 2011-06-02 10:24:53 EDT
Description of problem:
On a freshly installed Fedora 13 RC2 system which uses LDAP for user info, users with uid between 500 and 1000 will no longer be available. In previous versions of Fedora, they were. In Fedora 13, /etc/sssd/sssd.conf sets "min_id = 1000" by default, which filters out users who were created according to the user policy present in previous versions of Fedora. This value should be 500 by default for better compatibility with previous releases.
Version-Release number of selected component (if applicable):
This is an incorrect assumption. When we chose the user minimum, we picked 1000 specifically to avoid collisions with local user accounts.
It is highly unsafe for LDAP users to use IDs < 1000 (in fact, in most cases it's unwise to use IDs < 2000), since identities granted in LDAP may overlap with users in the local /etc/passwd file.
Choosing 1000 was a conscious decision, in part to educate LDAP administrators that using IDs below this value is begging for issues in their environment.
As noted in the original bug report, this value is editable for those environments that absolutely need to do so. We made sure that it is always written into the configuration file, even when set to the default, so that its existence is very clear.
My only assumption is that some if not most of LDAP deployments were migrations from non-LDAP systems which retained user and group IDs to ease the migration.
In any case, I reported this as a bug because it is an incompatible change from previous releases of Fedora, and it doesn't appear to be documented anywhere. The release notes that I've seen do mention that SSSD is a new feature, but link to the "installation notes" which have no further information. Additionally, the default debug level does not indicate that a requested user account is being dropped from the results due to policy. The system is silent about this matter which will make it very difficult for users to determine why their previously working systems no longer function.
Reopening and assigning to David for documentation
I added the following to the SSSD Domain Configuration Options section of the RHEL 6 Deployment Guide:
If min_id is unspecified, it defaults to 1 for any back end. This default was chosen to provide compatibility with existing systems and to ease any migration attempts. LDAP administrators should be aware that granting identities in this range may conflict with users in the local /etc/passwd file. To avoid these conflicts, min_id should be set to 1000 or higher wherever possible.
This restriction applies to both UIDs and GIDs.
Let me know if any edits are required.
"restriction" sounds strange to me.
I'd replace the last phrase with:
This option determines the minimum acceptable value for both UID and GID numbers.
Accounts with either UID or GID values falling below the min_id value will be filtered out and not made available on the client.
It'd be nice to document the default behavior of the authconfig tools.
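As an added example (not code from this bug thread or from SSSD itself), a small Python audit that reads min_id from a constructed sssd.conf fragment and reports which constructed LDAP accounts the filter would drop and which share a UID with a local /etc/passwd entry; the conf fragment, passwd lines and LDAP accounts are all made up for illustration.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sssd.conf fragment showing the Fedora 13 default discussed above.
SSSD_CONF = """
[sssd]
domains = example

[domain/example]
id_provider = ldap
min_id = 1000
"""

# Constructed /etc/passwd lines for a host that predates the 1000 boundary.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
svc:x:750:750::/var/lib/svc:/sbin/nologin
"""

# Constructed LDAP accounts as (name, uidNumber, gidNumber).
LDAP_ACCOUNTS = [("alice", 500, 500), ("bob", 750, 750),
                 ("carol", 2001, 2001), ("dave", 1500, 500)]


def read_min_id(conf_text: str, domain: str) -> int:
    """Return min_id for a domain; the documented default when unset is 1."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getint(f"domain/{domain}", "min_id", fallback=1)


def local_uids(passwd_text: str) -> Dict[int, str]:
    """Map local UID -> account name from passwd-format lines."""
    ids: Dict[int, str] = {}
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, _gid, *_ = line.split(":")
            ids[int(uid)] = name
    return ids


def audit(ldap_accounts, min_id: int, local: Dict[int, str]) -> Tuple[List[str], List[Tuple[str, int, str]]]:
    """Accounts with UID or GID below min_id are dropped by SSSD; the rest are
    checked for a UID already present in the local passwd file."""
    filtered, collisions = [], []
    for name, uid, gid in ldap_accounts:
        if uid < min_id or gid < min_id:
            filtered.append(name)
        if uid in local:
            collisions.append((name, uid, local[uid]))
    return filtered, collisions
```

Running audit(LDAP_ACCOUNTS, read_min_id(SSSD_CONF, "example"), local_uids(LOCAL_PASSWD)) shows that dave is dropped on GID alone, and that the two LDAP accounts below 1000 are exactly the ones overlapping local entries.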
Thanks for the addition.
"restriction" sounded a bit strange to me too. I read it about 5 times and wanted to change it but never did. I've updated it with your recommendation above.
One of our new hires in Brno has the authconfig tool doc on his plate, so between that and what I'm still working on, the default behaviour should be covered in the new Deployment Guide.
Anything specific missing or wrong or confusing, please raise a bug.
Thanks a lot.
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
The process we are following is described here:
This has long been fixed. We changed the default min_id to be 1 instead of 1000.