
nss_* and system users
Hi,

As part of my original plans for my GLEP27 implementation, I was
going to have my scripts automatically add the users requested by a
package (for example, the cron user), to all the passwd backends
listed in /etc/nsswitch.conf. However, in consultation with some
folks, it seems that what may be more desirable is to just add
users/groups to the local files/compat backends instead, and not make
any changes to the remote databases.

Does anyone have any strong notion of any cases where it would be
excessively bad for the package manager to try adding to, say, the
nss_nis backend in addition to the nss_files backend, or cases where
that would be a strongly desired behavior?

--
Mike Kelly
Re: nss_* and system users
On Thursday 15 June 2006 21:36, Mike Kelly wrote:
> As part of my original plans for my GLEP27 implementation, I was
> going to have my scripts automatically add the users requested by a
> package (for example, the cron user), to all the passwd backends
> listed in /etc/nsswitch.conf.

nss is glibc-only, so such a solution would be inadequate

> However, in consultation with some
> folks, it seems that what may be more desirable is to just add
> users/groups to the local files/compat backends instead, and not make
> any changes to the remote databases.

you mean update only /etc/passwd and /etc/groups ? modifying those files
directly should only happen as a fallback when all other methods fail

> Does anyone have any strong notion of any cases where it would be
> excessively bad for the package manager to try adding to, say, the
> nss_nis backend in addition to the nss_files backend, or cases where
> that would be a strongly desired behavior?

users should be added via the normal system utilities so you don't have to care
about the underlying storage

perhaps make the account creation configurable but with sane defaults
set up for those of us who don't care
-mike
Re: nss_* and system users
On Thu, Jun 15, 2006 at 11:03:36PM -0400, Mike Frysinger wrote:
> > However, in consultation with some
> > folks, it seems that what may be more desirable is to just add
> > users/groups to the local files/compat backends instead, and not make
> > any changes to the remote databases.
> you mean update only /etc/passwd and /etc/groups ? modifying those files
> directly should only happen as a fallback when all other methods fail
Spanky: the POSIX utilities in Linux are not capable of adding new
entries to non-files sources. Such is the entire reason I wrote the
'diradm' application - to provide as much as I could of the POSIX
utils that worked against an LDAP backend. I don't know of any similar
utilities that work against some of the other sources, and indeed - some
of them are read-only - no incremental adding possible.

> > Does anyone have any strong notion of any cases where it would be
> > excessively bad for the package manager to try adding to, say, the
> > nss_nis backend in addition to the nss_files backend, or cases where
> > that would be a strongly desired behavior?
> users should be added via the normal system utilities so you don't have to care
> about the underlying storage
I believe that his concern was that POSIX implementation packaged with
sys-apps/shadow is only capable of writing to files.

--
Robin Hugh Johnson
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
Re: nss_* and system users
On Friday 16 June 2006 05:03, Mike Frysinger wrote:
> nss is glibc-only, so such a solution would be inadequate
Actually this is one of the strange and rare cases that's not only glibc's.
FreeBSD can use nss too :)

--
Diego "Flameeyes" Pettenò - http://farragut.flameeyes.is-a-geek.org/
Gentoo/Alt lead, Gentoo/FreeBSD, Video, AMD64, Sound, PAM, KDE
Re: nss_* and system users
On Thu, 2006-06-15 at 21:36 -0400, Mike Kelly wrote:
> Hi,
>
> As part of my original plans for my GLEP27 implementation, I was
> going to have my scripts automatically add the users requested by a
> package (for example, the cron user), to all the passwd backends
> listed in /etc/nsswitch.conf. However, in consultation with some
> folks, it seems that what may be more desirable is to just add
> users/groups to the local files/compat backends instead, and not make
> any changes to the remote databases.
>
> Does anyone have any strong notion of any cases where it would be
> excessively bad for the package manager to try adding to, say, the
> nss_nis backend in addition to the nss_files backend, or cases where
> that would be a strongly desired behavior?

bad == many places use a ro backend for auth w/ mysql/ldap/etc

Writing to the local files would be acceptable with me. I'm sure
someone will come up with an objection, though.

--
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
Re: nss_* and system users
Mike Kelly wrote: [Thu Jun 15 2006, 08:36:25PM CDT]
> As part of my original plans for my GLEP27 implementation, I was
> going to have my scripts automatically add the users requested by a
> package (for example, the cron user), to all the passwd backends
> listed in /etc/nsswitch.conf. However, in consultation with some
> folks, it seems that what may be more desirable is to just add
> users/groups to the local files/compat backends instead, and not make
> any changes to the remote databases.
>
> Does anyone have any strong notion of any cases where it would be
> excessively bad for the package manager to try adding to, say, the
> nss_nis backend in addition to the nss_files backend, or cases where
> that would be a strongly desired behavior?

I think it's unlikely that one would want to add an account to both
files and nis/ldap, but there's no good reason that I can think of not
to let the user choose. That said, I'm not exactly an uber-sysadmin.
One thing that I might think would be common, though, would be to have
system accounts pre-defined in ldap/nis, with the expectation that your
scripts would look up the remote values and then create local accounts
with those values. Anybody who actually has a clue want to chime in?

Oh, it might be a good idea to ask in gentoo-server@g.o, too.

-g2boojum-
--
Grant Goodyear
Gentoo Developer
g2boojum@gentoo.org
http://www.gentoo.org/~g2boojum
GPG Fingerprint: D706 9802 1663 DEF5 81B0 9573 A6DC 7152 E0F6 5B76
Re: nss_* and system users
On Fri, 16 Jun 2006 12:16:52 +0200
"Diego 'Flameeyes' Pettenò" <flameeyes@gentoo.org> wrote:

> On Friday 16 June 2006 05:03, Mike Frysinger wrote:
> > nss is glibc-only, so such a solution would be inadequate
> Actually this is one of the strange and rare cases that's not only
> glibc's. FreeBSD can use nss too :)
>

Also, it seems that Solaris uses the same /etc/nsswitch.conf as well. I
don't know about Darwin, though, as I don't have access to a machine.

--
Mike Kelly
Re: nss_* and system users
On Fri, 2006-06-16 at 08:42 -0500, Grant Goodyear wrote:
> Mike Kelly wrote: [Thu Jun 15 2006, 08:36:25PM CDT]
> > As part of my original plans for my GLEP27 implementation, I was
> > going to have my scripts automatically add the users requested by a
> > package (for example, the cron user), to all the passwd backends
> > listed in /etc/nsswitch.conf. However, in consultation with some
> > folks, it seems that what may be more desirable is to just add
> > users/groups to the local files/compat backends instead, and not make
> > any changes to the remote databases.
> >
> > Does anyone have any strong notion of any cases where it would be
> > excessively bad for the package manager to try adding to, say, the
> > nss_nis backend in addition to the nss_files backend, or cases where
> > that would be a strongly desired behavior?
>
> I think it's unlikely that one would want to add an account to both
> files and nis/ldap, but there's no good reason that I can think of not
> to let the user choose. That said, I'm not exactly an uber-sysadmin.
> One thing that I might think would be common, though, would be to have
> system accounts pre-defined in ldap/nis, with the expectation that your
> scripts would look up the remote values and then create local accounts
> with those values. Anybody who actually has a clue want to chime in?

Most things *should* not do *anything* if the account exists in
mysql/ldap/nis/etc as the account is already present. It's just the
case of it *not* existing that causes the real problem.

>
> Oh, it might be a good idea to ask in gentoo-server@g.o, too.
>
> -g2boojum-
--
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
Re: nss_* and system users
Chris Gianelloni wrote:
> Most things *should* not do *anything* if the account exists in
> mysql/ldap/nis/etc as the account is already present.
Right, i.e. use NSS for the query and *don't* use hacks like grepping
/etc/passwd.

> It's just the
> case of it *not* existing that causes the real problem.
Use a callback defaulting to /usr/sbin/adduser.

cheers
Paul

--
gentoo-dev@gentoo.org mailing list
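As an added illustration of the approach Paul describes (this is not code from the thread or from any GLEP27 implementation): the existence check goes through getpwnam(3), so it honours every backend in /etc/nsswitch.conf, including read-only LDAP/NIS/MySQL sources, and only when no backend knows the account is a creation callback invoked. The variable name `USER_ADD_CMD` and the function names are assumptions made for this example; the default callback path is the one Paul mentions.

```bash
#!/bin/bash
# Added example, not part of the original post. Demonstrates: query the
# account through NSS instead of grepping /etc/passwd, and only create it
# (via a configurable callback) when no backend already has it.

# Creation callback, overridable by the admin before sourcing this file.
# USER_ADD_CMD is a hypothetical name chosen for this example.
: "${USER_ADD_CMD:=/usr/sbin/adduser}"

# account_exists NAME
# Returns 0 if any NSS backend resolves NAME. Both getent(1) and id(1)
# call getpwnam(3), so remote read-only sources are consulted as well.
account_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        id -u "$1" >/dev/null 2>&1
    fi
}

# ensure_system_user NAME [CREATE_CMD]
# Prints "present" when the account is already known via NSS (nothing is
# written anywhere), "created" when the callback succeeded, or "failed"
# when the callback returned non-zero. Exit status mirrors the outcome.
ensure_system_user() {
    local name="$1" create="${2:-$USER_ADD_CMD}"
    if account_exists "$name"; then
        echo present
        return 0
    fi
    # Account unknown to every backend: hand off to the callback, which
    # decides where (files, LDAP via diradm, ...) the entry is written.
    if "$create" "$name"; then
        echo created
        return 0
    fi
    echo failed
    return 1
}
```

Run as root with the default callback, or point `USER_ADD_CMD` at a site-specific tool such as diradm when accounts must land in a directory rather than in /etc/passwd.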
Re: nss_* and system users
On Friday 16 June 2006 10:00, Mike Kelly wrote:
> "Diego 'Flameeyes' Pettenò" <flameeyes@gentoo.org> wrote:
> > On Friday 16 June 2006 05:03, Mike Frysinger wrote:
> > > nss is glibc-only, so such a solution would be inadequate
> >
> > Actually this is one of the strange and rare cases that's not only
> > glibc's. FreeBSD can use nss too :)
>
> Also, it seems that Solaris uses the same /etc/nsswitch.conf as well. I
> don't know about Darwin, though, as I don't have access to a machine.

ok, so in light of this let me rephrase:
working only with nss is not an adequate solution

thanks all for the corrections
-mike