Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 590513 - default min_uid not compatible with older defaults
Summary: default min_uid not compatible with older defaults
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 13
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: David O'Brien
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2010-05-10 02:09 UTC by Gordon Messmer
Modified: 2011-06-02 14:24 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-06-02 14:24:53 UTC

Attachments (Terms of Use)

Description Gordon Messmer 2010-05-10 02:09:21 UTC
Description of problem:
On a freshly installed Fedora 13 RC2 system which uses LDAP for user info, users with uid between 500 and 1000 will no longer be available.  In previous versions of Fedora, they were.  In Fedora 13, /etc/sssd/sssd.conf sets "min_id = 1000" by default, which filters out users who were created according to the user policy present in previous versions of Fedora.  This value should be 500 by default for better compatibility with previous releases.

Version-Release number of selected component (if applicable):

How reproducible:

Comment 1 Stephen Gallagher 2010-05-10 11:32:50 UTC
This is an incorrect assumption. When we chose the user minimum, we picked 1000 specifically to avoid collisions with local user accounts.

It is highly unsafe for LDAP users to use IDs < 1000 (in fact, in most cases it's unwise to use IDs < 2000), since identities granted in LDAP may overlap with users in the local /etc/passwd file.

Choosing 1000 was a conscious decision, in part to educate LDAP administrators that using IDs below this value is begging for issues in their environment.

As noted in the original bug report, this value is editable for those environments that absolutely need to do so. We made sure that it is always written into the configuration file, even when set to the default, so that it's existence is very clear.

Comment 2 Gordon Messmer 2010-05-10 17:06:09 UTC
My only assumption is that some if not most of LDAP deployments were migrations from non-LDAP systems which retained user and group IDs to ease the migration.

In any case, I reported this as a bug because it is an incompatible change from previous releases of Fedora, and it doesn't appear to be documented anywhere.  The release notes that I've seen do mention that SSSD is a new feature, but link to the "installation notes" which have no further information.  Additionally, the default debug level does not indicate that a requested user account is being dropped from the results due to policy.  The system is silent about this matter which will make it very difficult for users to determine why their previously working systems no longer function.

Comment 3 Stephen Gallagher 2010-05-10 17:19:59 UTC
Reopening and assigning to David for documentation

Comment 4 David O'Brien 2010-06-17 03:47:13 UTC
I added the following to the SSSD Domain Configuration Options section of the RHEL 6 Deployment Guide:

If min_id is unspecified, it defaults to 1 for any back end. This default was chosen to provide compatibility with existing systems and to ease any migration attempts. LDAP administrators should be aware that granting identities in this range may conflict with users in the local /etc/passwd file. To avoid these conflicts, min_id should be set to 1000 or higher wherever possible.
This restriction applies to both UIDs and GIDs. 

Let me know if any edits are required.

Comment 5 Simo Sorce 2010-06-17 13:46:59 UTC
"restriction" sounds strange to me.
I'd replace the last phrase with:

This option determines the minimum acceptable value for both UID and GID numbers.
Accounts with either UID or GID values falling below the min_id value will be filtered out and not made available on the client.

Comment 6 Gordon Messmer 2010-06-17 15:14:23 UTC
It'd be nice to document the default behavior of the authconfig tools.

Thanks for the addition.

Comment 7 David O'Brien 2010-06-18 03:09:51 UTC
"restriction" sounded a bit strange to me too. I read it about 5 times and wanted to change it but never did. I've updated it with your recommendation above.

one of our new hires in Brno has the authconfig tool doc on his plate, so between that and what I'm still working on, the default behaviour should be covered in the new Deployment Guide.

Anything specific missing or wrong or confusing, please raise a bug.

thanks a lot

Comment 8 Bug Zapper 2011-06-02 14:17:11 UTC
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here:

Comment 9 Stephen Gallagher 2011-06-02 14:24:53 UTC
This has long been fixed. We changed the default min_id to be 1 instead of 1000.

Note You need to log in before you can comment on or make changes to this bug.