Re: nss_initgroups_ignoreusers ALLLOCAL issue

On 16/05/2017 at 10:44, Jakub Jindra wrote:
> But as I tried in the past, you can leave duplicate usernames, PAM will
> accept both. E.g. on the filesystem you can work normally with files no
> matter if you logged in using LDAP or a static user. But the user will
> have 2 different uidNumbers (one from /etc/passwd, one from LDAP) and so
> files created by the LDAP user will e.g. have an owner with numeric id 10000
> and files created by the system user will be owned by numeric id 10005.

Right. But isn't that against Arthur's recommendation regarding nscd
(usernames and ids should be unique)?

Notice that there is really no "file created by the LDAP/system user": once
logged in with a dup account, whether with LDAP or system credentials, you
always get the primary UID of the system user (the 'id' command confirms that).

So if you "touch testfile" it will be owned by the system UID/GID. At
this point you can chown the file to the LDAP user's UID of course, as
you mention. About chown: if you use 'chown jdoe: testfile' it seems to
use the jdoe with the UID from LDAP (or maybe the greater UID available
from getent, something like that).

If the LDAP user is a member of some additional LDAP posix groups, you
also get those groups available from the system as well (they are merged
with the local groups), which is rather pleasant btw.

This being said, I'm still a bit confused about what should or should not be
done as a best practice regarding duplicate local/LDAP account usernames in
an nss/ldap context. I'll find out over time I guess.
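As an added example (not part of this thread or of nss-pam-ldapd's own code), the following POSIX shell script runs the uniqueness check the recommendation above implies over constructed passwd entries standing in for `getent -s files passwd` / `getent -s ldap passwd` output, and mimics the "first source wins" lookup (assuming an nsswitch order of files before ldap) that explains why `id` on a duplicated account reports the local UID rather than the LDAP uidNumber.

```shell
#!/bin/sh
# Constructed sample data standing in for the output of, e.g.,
# `getent -s files passwd` and `getent -s ldap passwd` on a real host.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
jdoe:x:10005:10005:John Doe (local):/home/jdoe:/bin/bash
svc:x:10020:10020:service account:/var/lib/svc:/usr/sbin/nologin'

LDAP_PASSWD='jdoe:x:10000:10000:John Doe (LDAP):/home/jdoe:/bin/bash
asmith:x:10001:10001:Alice Smith:/home/asmith:/bin/bash
backup:x:10020:10020:Backup (LDAP):/home/backup:/bin/sh'

# Print one line per collision between the two sources:
#   NAME_CLASH <user> <local_uid> <ldap_uid>   same name, different uid
#   UID_CLASH  <uid> <local_user> <ldap_user>  same uid, different name
# $1 = local passwd text, $2 = LDAP passwd text
find_account_clashes() {
    {
        printf '%s\n' "$1" | sed 's/^/L:/'
        printf '%s\n' "$2" | sed 's/^/R:/'
    } | awk -F: '
        $1 == "L" { luid[$2] = $4; lname[$4] = $2; next }
        $1 == "R" {
            if (($2 in luid) && luid[$2] != $4)
                print "NAME_CLASH", $2, luid[$2], $4
            if (($4 in lname) && lname[$4] != $2)
                print "UID_CLASH", $4, lname[$4], $2
        }'
}

# Mimic the usual "passwd: files ldap" nsswitch order (assumed here): the
# first source that knows the name wins, which is why `id` on a duplicated
# account reports the local UID rather than the LDAP uidNumber.
# $1 = username, $2 = local passwd text, $3 = LDAP passwd text
resolve_uid() {
    { printf '%s\n' "$2"; printf '%s\n' "$3"; } |
        awk -F: -v u="$1" '$1 == u { print $3; exit }'
}

find_account_clashes "$LOCAL_PASSWD" "$LDAP_PASSWD"
printf 'id jdoe would report uid %s\n' \
    "$(resolve_uid jdoe "$LOCAL_PASSWD" "$LDAP_PASSWD")"
```

On a real host, replace the two constructed variables with the captured `getent -s files passwd` and `getent -s ldap passwd` output (nscd caching aside) to audit for the duplicate accounts discussed above.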