> On 2/3/21 6:18 PM, Friedrich Schäuffelhut wrote:
> 
> If I understand correctly, moving your IPA range may be problematic
> since you are actively using the uids.

Moving user ids is not a concern. We are in a transition phase where
most users still have a local account and use local uids. We are planning
to roll out an OS update for our desktops soon and with that we are going to
switch to sssd/LDAP based users.

> Do you have substantial podman usage?
> If not, move the podman ranges away. They are automatically allocated
> according to SUB_UID_MIN et al. (man adduser): change those vars
> and reassign ranges for the existing users.

We considered this. We want to avoid future accidental clashes.
Now it would still be possible to fix it.

> Personally, I find the 100000+uid*65536 default rule terrible since
> it gives you unreadable final numbers.

I see it the same way.

> My rule is to rebuild everything from scratch after adding a new user
> with:
> 
> while IFS=":" read a b c x; do [ $c -eq 0 ] && c=1; echo "$a:$((100000*c)):65536"; done </etc/passwd >/etc/subuid
> while IFS=":" read a b c x; do [ $c -eq 0 ] && c=1; echo "$a:$((100000*c)):65536"; done </etc/group >/etc/subgid
> 
> which gives me 400015 for subuser 15 of user 4.
> (note that root=0 is problematic and I collapse it into bin=1,
> both starting at 100000)

We did discuss these options internally.

We understand the administrative tasks that must happen on client systems
when changing UIDs in FreeIPA, e.g. fixing file ownership (not a problem for
us).

We also use configuration management for setting up subuid/subgid files.

We really want to get rid of that UID overlap between our FreeIPA install and
subuid/subgid to avoid future confusion/accidents and unexpected behavior.

What we really would like to understand is whether it is possible to move
the UID/GID range in FreeIPA and how to do it.


Regards
Friedrich Schäuffelhut
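
Added example, not part of the original message: a shell check that reports the three collisions this thread is concerned with in a subuid/subgid-format file (overlap with a directory ID range, overlap between two entries, and a range running past the 32-bit ID limit). The function names, the sample entries and the ID range 100000000+200000 are constructed for illustration and are not the poster's values.

```shell
#!/bin/sh
# find_subid_overlaps FILE RANGE_START RANGE_SIZE
# FILE uses the /etc/subuid format: name:start:count
# Output, one line per finding:
#   TOOBIG  entry   range ends above 4294967294 (4294967295 is the reserved "-1" ID)
#   IDRANGE entry   range intersects [RANGE_START, RANGE_START+RANGE_SIZE-1]
#   PAIR a b        entries a and b intersect each other
find_subid_overlaps() {
    awk -F: -v base="$2" -v size="$3" '
        # skip comments and malformed lines
        NF < 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ { next }
        {
            s = $2 + 0; e = s + $3 - 1
            entry = $1 ":" $2 ":" $3
            if (e > 4294967294) print "TOOBIG " entry
            if (s <= base + size - 1 && e >= base) print "IDRANGE " entry
            for (i = 1; i <= n; i++)
                if (s <= hi[i] && e >= lo[i]) print "PAIR " name[i] " " $1
            n++; name[n] = $1; lo[n] = s; hi[n] = e
        }' "$1"
}

# Constructed sample: root and bin collapsed onto the same start (as in the
# quoted rule), one entry generated as 100000*uid for uid 1000, one default
# style entry, and one entry that runs past the 32-bit limit.
sample_subuid() {
    cat <<'EOF'
root:100000:65536
bin:100000:65536
alice:100000000:65536
carol:165536:65536
dave:4294900000:100000
EOF
}

# Demo run on the sample; on a real host pass /etc/subuid or /etc/subgid
# and the start and size of the directory ID range (assumed values here).
tmp=$(mktemp) && sample_subuid > "$tmp" && find_subid_overlaps "$tmp" 100000000 200000
rm -f "$tmp"
```

Run from configuration management after the subuid/subgid files are regenerated, any output line indicates a clash to resolve before users are switched over.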