the main reasons ...  all account below 500 are system account in Redhat,CentOS.

In ubuntu and Debian all user account   below  >1000 are system account.

2011/11/25 Tom Tucker <tktucker@gmail.com>

Thanks for the feedback.

If I comment out "auth   requisite   pam_succeed_if.so uid >= 500 quiet" in the system-auth file I was able to login with a UID of 108.  Assuming this restrictions is controlled on the Linux system, why do I experience no problems when authenticating against the Sun One DS? I agree, the proper fix would be to change users UID higher than 500.

On Fri, Nov 25, 2011 at 8:08 AM, Gary Algier <gaa@ulticom.com> wrote:
On 11/24/11 23:25, Tom Tucker wrote:
> My environment has a mixture of Solaris 8-10 and RHEL 4-5. These clients
> are currently authenticating against a Sun One 5.X DS.
> I have migrated the Sun One DB to my lab 389 DS. Users with a three
> digit uidNumber are unable to login to Linux systems, however if they
> connect to a Solaris system it works fine.  If I add a fourth digit to
> their uidNumber they are able access Linux systems just fine.  Did I
> miss a setting somewhere?
> Thanks,
> Tom
The problem is more likely to be a limitation imposed by the PAM
configuration on the Linux systems.  Go look at /etc/pam.d/* and look
for lines like:
    account     sufficient    pam_succeed_if.so uid < 500 quiet
A grep for 500 should find lots of examples.  The most likely conflict
is in /etc/pam.d/system-auth.  Comment the line and try again.

Once upon a time UID numbers up through 99 were reserved for the OS, but
somewhere along the line we ran out of numbers for such things as
Apache, ssh, etc. which each needed their own number.  Someone then
decided that disallowing logins on these numbers was a good thing.
Unfortunately, a lot of places have extant UIDs < 500 (mine is 402).

You have two choices:
    1. Change the UIDs of the logins of these users and all their
       files on all the systems they use.
    2. Leave them alone and "fix" every Linux system.

The problem with the second choice is that you could have people with
the same UID as system processes.  When they do an "ls -l" they may see
that their files belong to "smolt" or "nagios" or similar.  Also, they
would be able to edit files that perhaps should be off limits to them.

Gary Algier, WB2FWZ          gaa at ulticom.com         +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054  Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
    People don't read documentation voluntarily.

389 users mailing list


Thanks and Regards
Laxman Singh
Linux Administrator

webdunia.com [India] Pvt.Ltd (CMMI Level 3) | 582 MG Road Indore - 452003 MP [India] | Work +91-731-398-3486 Ext- 486 | Fax +91-731-2436615 | Mobile +91-9826651100 | www.webdunia.net