Kris C via FreeIPA-users wrote:
> Ok, so I guess a final question that I have is:
> If --uid is an option available to me when I create an account, is it a bug
> if I create an account specifying a UID that's not in the range of the RIDs?
> Is it a bug if I have to change it later to match my existing UID scheme?
> Should the creation of UID and SID/RID be divorced from each other so I as a
> sysadmin can specify a UID I want to use?

We try not to constrain users too much because of the types of legacy issues you're seeing. Generally creating a new ID range for the old ids is preferable and after that things just work.

If you want to change the UID afterward that's certainly your prerogative but that doesn't preclude a user with that original UID to be created and then you'd have a conflict in SID. Probably a chance approaching zero but if not you'll get a LDAP_CONSTRAINT_VIOLATION.

The SID is calculated from the RID base and the UID of the user. So for range:

  Range name: EXAMPLE.TEST_id_range
  First Posix ID of the range: 1851200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

Take the UID minus the starting value in the idrange.

  ID = 1851200003 - 1851200000 + 1000

So the ID = 1003

Add that to the SID base, which in my case is S-1-5-21-745287385-4213998968-1197924862, and you get:

  ipantsecurityidentifier: S-1-5-21-745287385-4213998968-1197924862-1003

Note that the admin user is special and is fixed at 500.

So you can do what you want but keep this in mind to avoid conflicts.

Alexander is more an expert than I so maybe he'll chime in too.

rob
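
The calculation described in the message above, as an added example that is not part of the original post and not FreeIPA's own code. The class and function names are hypothetical, the range and SID base are the ones quoted in the message, and the "alice" account is a constructed sample showing how a changed UID leaves a SID behind that a later account can collide with.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdRange:
    first_posix_id: int   # "First Posix ID of the range"
    size: int             # "Number of IDs in the range"
    first_rid: int        # "First RID of the corresponding RID range"

    def rid_for(self, uid):
        """RID for a UID inside this range, or None when the UID is outside it."""
        offset = uid - self.first_posix_id
        if 0 <= offset < self.size:
            return self.first_rid + offset
        return None

def sid_for(uid, domain_sid, ranges):
    """SID = SID base + RID, using the first range that contains the UID."""
    for r in ranges:
        rid = r.rid_for(uid)
        if rid is not None:
            return f"{domain_sid}-{rid}"
    return None  # no range covers this UID, so no SID can be derived from it

def sid_conflicts(new_uid, domain_sid, ranges, existing):
    """Return logins whose stored SID equals the SID derived for new_uid.

    existing maps login -> (current_uid, stored_sid). A hit on an account with
    a different current UID means its UID was changed after the SID was set.
    """
    sid = sid_for(new_uid, domain_sid, ranges)
    return [login for login, (_, stored) in existing.items()
            if sid is not None and stored == sid]

# Values quoted in the message above.
DOMAIN_SID = "S-1-5-21-745287385-4213998968-1197924862"
RANGES = [IdRange(first_posix_id=1851200000, size=200000, first_rid=1000)]

# Constructed sample (assumption): "alice" was created with UID 1851200003 and
# later moved to legacy UID 5003, outside the range, keeping her original SID.
EXISTING = {"alice": (5003, f"{DOMAIN_SID}-1003")}

if __name__ == "__main__":
    print(sid_for(1851200003, DOMAIN_SID, RANGES))   # SID from the message
    print(sid_for(5003, DOMAIN_SID, RANGES))         # legacy UID: no range covers it
    print(sid_conflicts(1851200003, DOMAIN_SID, RANGES, EXISTING))
```

Running the same check against a range created for the legacy UIDs shows why adding a range is the cleaner option: every UID then maps to a RID of its own.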
