Bug 895765 - useradd should create system UIDs locally regardless of any NIS/LDAP entries
useradd should create system UIDs locally regardless of any NIS/LDAP entries
Product: Fedora
Classification: Fedora
Component: shadow-utils (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2013-01-15 19:25 EST by Tom Lane
Modified: 2014-02-05 17:57 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-02-05 17:57:52 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tom Lane 2013-01-15 19:25:42 EST
Description of problem:
It appears that the documented restriction

       Similarly, if the username already exists in an external user database
       such as NIS or LDAP, useradd will deny the user account creation

is applied even when attempting to create a "system" userid.  This is problematic because it is *necessary* to have a local entry in /etc/passwd for any userid that is referenced by name during early system boot, before the system is ready to communicate with an external NIS/LDAP server.

This turns out to be the root cause of the failure described in bug #894750.  Presumably the same issue could occur with other services besides mysql; also consider that the need for such early references has gotten a lot larger with the introduction of temp-directory recreation and the general lack of predictability of system boot order in systemd.

I realize that creating a local entry risks inconsistency, but perhaps it could be done anyway for system UIDs?  Or at least, done if the remote entry matches what is being requested?
Comment 1 Tomas Mraz 2013-01-16 03:30:24 EST
I don't think that creating local entry that would conflict with a remote one is appropriate, but creating it in the case it matches the remote one would be probably mostly harmless.
Comment 2 Tom Lane 2013-01-16 03:50:04 EST
Another possibility that I thought of later is to provide some sort of --override switch that would tell useradd to add the local entry without checking for remote conflicts.  The main use-case for this would be RPM install scripts such as mysql's.  (Lennart seemed to be suggesting that this should be tied to the --system option, but probably a separate option is better.)

I'm not sure how much weight should really be put on the idea that useradd is preventing problems by having a rigid policy here.  There are plenty of ways that we can get into a situation where there are local/remote conflicts despite that check.  For instance, suppose one installs mysql-server before rather than after configuring the box to know about the remote NIS service.
Comment 3 Tomas Mraz 2013-01-16 04:38:58 EST
For creating a conflicting entry such --override or --force switch would be necessary - just tying it to --system is not right.

We will need to get an upstream acceptance first though.
Comment 5 Fedora End Of Life 2013-12-21 10:17:40 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 6 Fedora End Of Life 2014-02-05 17:57:52 EST
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.