Red Hat Bugzilla – Bug 895765
useradd should create system UIDs locally regardless of any NIS/LDAP entries
Last modified: 2014-02-05 17:57:52 EST
Description of problem:
It appears that the documented restriction
Similarly, if the username already exists in an external user database
such as NIS or LDAP, useradd will deny the user account creation
is applied even when attempting to create a "system" userid. This is problematic because it is *necessary* to have a local entry in /etc/passwd for any userid that is referenced by name during early system boot, before the system is ready to communicate with an external NIS/LDAP server.
This turns out to be the root cause of the failure described in bug #894750. Presumably the same issue could occur with other services besides mysql; also consider that the need for such early references has gotten a lot larger with the introduction of temp-directory recreation and the general lack of predictability of system boot order in systemd.
I realize that creating a local entry risks inconsistency, but perhaps it could be done anyway for system UIDs? Or at least, done if the remote entry matches what is being requested?
I don't think that creating local entry that would conflict with a remote one is appropriate, but creating it in the case it matches the remote one would be probably mostly harmless.
Another possibility that I thought of later is to provide some sort of --override switch that would tell useradd to add the local entry without checking for remote conflicts. The main use-case for this would be RPM install scripts such as mysql's. (Lennart seemed to be suggesting that this should be tied to the --system option, but probably a separate option is better.)
I'm not sure how much weight should really be put on the idea that useradd is preventing problems by having a rigid policy here. There are plenty of ways that we can get into a situation where there are local/remote conflicts despite that check. For instance, suppose one installs mysql-server before rather than after configuring the box to know about the remote NIS service.
For creating a conflicting entry such --override or --force switch would be necessary - just tying it to --system is not right.
We will need to get an upstream acceptance first though.
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '18'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 18's end of life.
Thank you for reporting this issue and we are sorry that we may not be
able to fix it before Fedora 18 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged change the 'version' to a later Fedora
version prior to Fedora 18's end of life.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
Thank you for reporting this bug and we are sorry it could not be fixed.