steve(a)silug.org (Steven Pritchard) writes:
> My personal feeling (as a sysadmin and a packager) is that doing
> something like this in %pre (not %post, if you want files owned by
> the new user) is the Right Thing:
>
> if ! id foo > /dev/null 2>&1 ; then
>     /usr/sbin/useradd -r -s /sbin/nologin -c 'BAR' [...] foo
> fi

This does not solve the problem that users will have different UIDs on

> And then just *don't touch the account* on removal.

This rule is ok with me.

> If for some reason useradd will not work, doing this in %pre should
> make package installation fail, right? Then the sysadmin can go add
> the user in LDAP/NIS/whatever and reinstall the package.
IMO, managing service accounts with LDAP/NIS is a bad idea. It is ideal
for normal users, but I do not want to rely on them for services. You will
run into bootstrap issues (e.g. think of slapd which tries to resolve the
'ldap' user), configuration errors like outdated TLS certificates (which
make LDAP lookups impossible) or added complexity for critical services
(I saw enough problems with nss_ldap and nscd).
Additionally, there is no way to see whether users are created by an
rpm package or which parameters are used for these users. So it is not
possible to create users on the LDAP server *before* the package is