Red Hat Bugzilla – Bug 717119
Please update documentation to refer to /etc/login.defs to define a 'system' account
Last modified: 2012-03-05 16:15:52 EST
src/examples/sssd.conf assumes that user accounts start at ID 500; please update it to refer to /etc/login.defs [UG]ID_MIN, we plan to change the boundary.
Version-Release number of selected component (if applicable):
This is only an example configuration file. It is disabled by default and the purpose of mentioning the min_id = 500 is to demonstrate an override, not a default.
The default for the SSSD local provider has always been 1000, but I realize that we should probably make this a compile-time option (right now it's hard-coded). I've opened https://fedorahosted.org/sssd/ticket/907 upstream to add this option.
Re: ticket 907, in general I think it would be preferable if the administrator only had to modify a single file (and /etc/login.defs is already used by several packages); but perhaps the sssd model does not so easily map to the simple "system account/user account" split, I don't know.
There are three classes we have to care about when sssd is involved:
Our min_id command *filters* out any user that have an id lower than that setting so that 'network users' cannot interfere with system and local users.
So using login.defs doesn't make much sense for min_id.
We might start using it is one day in Fedora we decide to always store 'local' users in the LOCAL domain of sssd. For those users login_defs makes sense.
At this time, we have no plans to change this default (and Fedora has opted to switch to a min_id = 1000 default as well).