[systemd-devel] systemd-resolved and nss_ldap
Lennart Poettering
lennart at poettering.net
Wed Jul 4 12:47:14 UTC 2018
On Mi, 04.07.18 14:05, Vlad (vovan at vovan.nl) wrote:
> Lennart,
>
> Thanks for all the information and explanation! Below are all the details:
> - systemd-239
> - systemd-resolve as well as all systemd related users are defined in
> /etc/passwd
> - nss_ldap is configured via nss_initgroups_ignoreusers to not lookup
> groups for all system related users including all systemd users
If you can configure nss-ldap to exclude certain UID ranges and user
names from lookups this can work too. But you'd have to tell it to
exclude the following user names and UIDs/GIDs:
1. systemd-network, systemd-resolve, systemd-timesync
2. all UIDs equal or below of `pkg-config systemd
--variable=systemuidmax`, and similar GIDs
3. all UIDs >= `pkg-config systemd --variable=dynamicuidmin` and <=
`pkg-config systemd --variable=dynamicuidmax` and similar GIDs.
In particular the latter is what is missing here, as that's the
range DynamicUser=1 will allocate from, and if nss-ldap doesn't listen
to that you should be good.
> Do you think changing "DynamicUser" to "no" should solve the issue? I
> see that quite a few services (systemd-resolve, systemd-networkd,
> firewalld, etc.) have "DynamicUser=yes".
Well, something needs to create the users. That can either be you,
with static adduser/useradd, or it can be systemd, by means of
DynamicUser=yes. Note that DynamicUser=yes doesn't conflict with
registering the user in /etc/passwd. If there already is a matching
static user around, then DynamicUser=yes will simply use that, and not
bother allocating a dynamic one. This means you never need to fiddle
with DynamicUser= actually, it totally suffices to create the right
users statically with useradd/adduser.
Lennart
--
Lennart Poettering, Red Hat
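An added example, not from the thread and not systemd's or nss-ldap's own code: a POSIX shell script that applies the three exclusion rules above to passwd-style entries and produces the name list nss-ldap must never send to LDAP. It reads the ranges from `pkg-config systemd`; the fallbacks 999/61184/65519 are systemd's usual build defaults and are an assumption, and the sample passwd data is constructed.

```shell
#!/bin/sh
# sysd_var VARIABLE FALLBACK: read a value from systemd.pc, or use FALLBACK
# when pkg-config or systemd.pc is unavailable (assumed defaults).
sysd_var() {
    v=$(pkg-config systemd --variable="$1" 2>/dev/null || true)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$2"; fi
}

SYSTEM_UID_MAX=$(sysd_var systemuidmax 999)
DYNAMIC_UID_MIN=$(sysd_var dynamicuidmin 61184)
DYNAMIC_UID_MAX=$(sysd_var dynamicuidmax 65519)

# must_skip_ldap NAME UID: returns 0 if the entry must be excluded from
# LDAP lookups under rules 1-3 of the mail, 1 otherwise.
must_skip_ldap() {
    name=$1 uid=$2
    case "$name" in                                  # rule 1: fixed names
        systemd-network|systemd-resolve|systemd-timesync) return 0 ;;
    esac
    [ "$uid" -le "$SYSTEM_UID_MAX" ] && return 0     # rule 2: system UID range
    [ "$uid" -ge "$DYNAMIC_UID_MIN" ] && [ "$uid" -le "$DYNAMIC_UID_MAX" ] \
        && return 0                                  # rule 3: DynamicUser= range
    return 1
}

# ignore_list_from_passwd: reads passwd lines on stdin, prints the
# comma-separated user names to place in nss_initgroups_ignoreusers.
ignore_list_from_passwd() {
    out=""
    while IFS=: read -r name _ uid _; do
        [ -z "$name" ] && continue
        if must_skip_ldap "$name" "$uid"; then
            out="${out:+$out,}$name"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample passwd data, not taken from any real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
systemd-resolve:x:193:193::/:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/sh
dyn-worker:x:61200:61200::/:/usr/sbin/nologin'

printf '%s\n' "$SAMPLE_PASSWD" | ignore_list_from_passwd
```

Entries that fall outside the two ranges and are not in the fixed-name list (alice above) are the only ones that should ever reach LDAP.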