On Thu, 06.12.18 19:42, Florian Weimer (fweimer(a)redhat.com) wrote:
>>> Reading https://bugzilla.redhat.com/show_bug.cgi?id=1284325 there can
>>> happen some ID overlaps with FreeIPA/Samba which is undesirable. I would say
>>> that this must be solved if this module is enabled by default. Was there any
>>> progress in this area?
>>
>> I think that's a misunderstanding of what the module does. At the
>> point the module announces those uid/gid ranges they are already
>> reserved, hence the conflict is already there. nss-mymachines is hence
>> only the messenger, not the culprit.
>
> I don't think we enforce that reservation system-wide. Do we filter out
> those accounts when they come in over LDAP? Can users add them locally
> using adduser?
>
> None of the NSS modules in glibc provide such filtering.

The UID/GID allocation in systemd itself (for DynamicUser=1) and in
systemd-nspawn (for --private-users=) both check NSS before they take
a UID/GID. Hence, if LDAP users live in the same range we use it makes
the space scarcer, but it shouldn't cause conflicts — as long as
everything is properly registered in NSS.

"adduser" registers from the range 1000…60000 on Fedora by
default. DynamicUser=1 uses the range 61184…65519. systemd-nspawn uses
524288…1879048191. So these at least do not overlap.

Lennart
--
Lennart Poettering, Red Hat
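The two points in Lennart's reply, as an added illustration that is not part of the thread or of systemd's code: the three ranges he names do not overlap, and an allocator that asks NSS (getpwuid/getgrgid, so every configured backend including LDAP or nss-mymachines is consulted) before taking an id cannot collide with a registered account. The `is_taken` hook and the constructed `taken` set in the test are assumptions made so the scan can be exercised without touching the host's account database.

```python
"""Added example (not from the mailing-list thread or systemd itself)."""
import grp
import pwd
from typing import Callable, Dict, List, Optional, Tuple

# Ranges as stated in the mail: Fedora adduser, DynamicUser=1, nspawn --private-users=.
RANGES: Dict[str, Tuple[int, int]] = {
    "adduser (Fedora default)": (1000, 60000),
    "DynamicUser=1": (61184, 65519),
    "systemd-nspawn --private-users=": (524288, 1879048191),
}


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return every pair of named inclusive ranges that share at least one id."""
    names = list(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((a, b))
    return clashes


def registered_in_nss(ident: int) -> bool:
    """True if any NSS backend (files, LDAP, mymachines, ...) knows this uid or gid."""
    for lookup in (pwd.getpwuid, grp.getgrgid):
        try:
            lookup(ident)
            return True
        except KeyError:
            pass
    return False


def pick_free_id(lo: int, hi: int,
                 is_taken: Callable[[int], bool] = registered_in_nss) -> Optional[int]:
    """Scan [lo, hi] and return the first id NSS does not know; None if the range is exhausted.
    Mirrors the rule in the mail: consult NSS before taking an id, so an LDAP user living in
    the range only makes the space scarcer, never causes a conflict."""
    for ident in range(lo, hi + 1):
        if not is_taken(ident):
            return ident
    return None


if __name__ == "__main__":
    print("overlaps:", overlapping_ranges(RANGES) or "none")
    print("first free DynamicUser id on this host:", pick_free_id(*RANGES["DynamicUser=1"]))
```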