[389-users] UID Number Limitations

Tom Tucker tktucker at gmail.com
Fri Nov 25 14:46:10 UTC 2011


Thanks for the feedback.

If I comment out "auth   requisite   pam_succeed_if.so uid >= 500 quiet" in
the system-auth file I was able to log in with a UID of 108.  Assuming this
restriction is controlled on the Linux system, why do I experience no
problems when authenticating against the Sun One DS? I agree, the proper
fix would be to change the users' UIDs to something higher than 500.




On Fri, Nov 25, 2011 at 8:08 AM, Gary Algier <gaa at ulticom.com> wrote:

> On 11/24/11 23:25, Tom Tucker wrote:
> >
> > My environment has a mixture of Solaris 8-10 and RHEL 4-5. These clients
> > are currently authenticating against a Sun One 5.X DS.
> > I have migrated the Sun One DB to my lab 389 DS. Users with a three
> > digit uidNumber are unable to login to Linux systems, however if they
> > connect to a Solaris system it works fine.  If I add a fourth digit to
> > their uidNumber they are able to access Linux systems just fine.  Did I
> > miss a setting somewhere?
> >
> > Thanks,
> >
> > Tom
> >
> >
> > --
> > 389 users mailing list
> > 389-users at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> The problem is more likely to be a limitation imposed by the PAM
> configuration on the Linux systems.  Go look at /etc/pam.d/* and look
> for lines like:
>     account     sufficient    pam_succeed_if.so uid < 500 quiet
> A grep for 500 should find lots of examples.  The most likely conflict
> is in /etc/pam.d/system-auth.  Comment the line and try again.
>
> Once upon a time UID numbers up through 99 were reserved for the OS, but
> somewhere along the line we ran out of numbers for such things as
> Apache, ssh, etc. which each needed their own number.  Someone then
> decided that disallowing logins on these numbers was a good thing.
> Unfortunately, a lot of places have extant UIDs < 500 (mine is 402).
>
> You have two choices:
>     1. Change the UIDs of the logins of these users and all their
>        files on all the systems they use.
>     2. Leave them alone and "fix" every Linux system.
>
> The problem with the second choice is that you could have people with
> the same UID as system processes.  When they do an "ls -l" they may see
> that their files belong to "smolt" or "nagios" or similar.  Also, they
> would be able to edit files that perhaps should be off limits to them.
>
> --
> Gary Algier, WB2FWZ          gaa at ulticom.com         +1 856 787 2758
> Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054  Fax:+1 856 866 2033
>
> Nielsen's First Law of Computer Manuals:
>     People don't read documentation voluntarily.
>
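The PAM check Gary describes, as an added example that is not code from this thread, from RHEL or from 389 DS: a POSIX sh script that pulls every "pam_succeed_if.so ... uid <op> <n>" rule out of a PAM stack and reports which of them would reject a given uidNumber. The sample system-auth below is constructed to resemble the RHEL 5 stack discussed above (it is not copied from a real host), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the 389 project): evaluate the
# pam_succeed_if UID thresholds in a PAM stack against a candidate uidNumber.

# Constructed sample resembling a RHEL 5 /etc/pam.d/system-auth.
SAMPLE_SYSTEM_AUTH='#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so'

# Print "type control op value" for every "pam_succeed_if.so ... uid <op> <n>"
# rule read from stdin. pam_succeed_if takes each condition as three separate
# argv tokens, so matching on whitespace-split fields is exact. Lines whose
# control field is a bracketed expression are skipped (none carry uid tests here).
list_uid_tests() {
    awk '$1 ~ /^(auth|account|password|session)$/ &&
         $2 ~ /^(requisite|required|sufficient|optional)$/ &&
         $3 == "pam_succeed_if.so" {
             for (i = 4; i + 2 <= NF; i++)
                 if ($i == "uid" && $(i+1) ~ /^(<=|>=|!=|<|>|=)$/ && $(i+2) ~ /^[0-9]+$/)
                     print $1, $2, $(i+1), $(i+2)
         }'
}

# Exit 0 when UID $1 satisfies the condition "uid $2 $3".
uid_test_passes() {
    case "$2" in
        '<')  [ "$1" -lt "$3" ] ;;
        '<=') [ "$1" -le "$3" ] ;;
        '>')  [ "$1" -gt "$3" ] ;;
        '>=') [ "$1" -ge "$3" ] ;;
        '=')  [ "$1" -eq "$3" ] ;;
        '!=') [ "$1" -ne "$3" ] ;;
        *)    return 2 ;;
    esac
}

# blocking_uid_tests UID CONFIG_TEXT
# Print each rule that would stop UID from getting through the stack; exit 0
# if any were found, 1 otherwise. Only a failed "requisite" or "required"
# pam_succeed_if test blocks. A failed "sufficient" test (the account line in
# the sample) is simply skipped and the stack continues, so it is not a blocker.
blocking_uid_tests() {
    blk_found=1
    while read -r blk_type blk_control blk_op blk_value; do
        case "$blk_control" in
            requisite|required) ;;
            *) continue ;;
        esac
        if ! uid_test_passes "$1" "$blk_op" "$blk_value"; then
            printf '%s %s pam_succeed_if.so uid %s %s\n' \
                "$blk_type" "$blk_control" "$blk_op" "$blk_value"
            blk_found=0
        fi
    done <<EOF
$(printf '%s\n' "$2" | list_uid_tests)
EOF
    return $blk_found
}

# Demo: the three-digit UID from the thread versus a four-digit one.
for demo_uid in 108 1108; do
    echo "uid $demo_uid:"
    blocking_uid_tests "$demo_uid" "$SAMPLE_SYSTEM_AUTH" || echo "  no blocking pam_succeed_if rule"
done
```

Against a live host, feed the real stack in with `blocking_uid_tests 108 "$(cat /etc/pam.d/system-auth)"` (RHEL 4 and 5 keep the shared stack in that file). To list the directory entries that would be affected before deciding between Gary's two options, an ordering filter such as `ldapsearch -x -LLL -H ldap://server -b 'ou=People,dc=example,dc=com' '(uidNumber<=499)' uid uidNumber` does the job, assuming (this example's assumption, not something the thread states) that the server's schema gives uidNumber an integer ordering matching rule.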