Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1145584
Description of problem:

The uid/gid allocated for user/group pkiuser is 17:

    # rpm -qf /usr/share/doc/setup-2.8.71/uidgid
    setup-2.8.71-4.el7.noarch
    # grep pkiuser /usr/share/doc/setup-2.8.71/uidgid
    pkiuser 17 17 /usr/share/pki /sbin/nologin pki-ca,rhpki-ca
    #

The user is not created by rpm scriptlets even if it probably should to comply with https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Soft_static_allocation. There is a bug 1143067 about that issue.

However, the user is created (maybe as a workaround for it not being created by rpm) upon ipa-server-install run:

    # grep pkiuser /etc/passwd /etc/group
    # ipa-server-install

    The log file for this installation can be found in /var/log/ipaserver-install.log
    ==============================================================================
    This program will set up the IPA Server.
    [...]
    Be sure to back up the CA certificate stored in /root/cacert.p12
    This file is required to create replicas. The password for this file is the Directory Manager password
    # grep pkiuser /etc/passwd /etc/group
    /etc/passwd:pkiuser:x:994:993:CA System User:/var/lib:/sbin/nologin
    /etc/group:pkiuser:x:993:
    #

The uid, gid, and home directory do not match the allocated values from uidgid.

Looking at the log,

    # grep pkiuser /var/log/ipaserver-install.log
    2014-09-23T10:06:29Z DEBUG adding ca user pkiuser
    2014-09-23T10:06:29Z DEBUG args=/usr/sbin/useradd -c CA System User -d /var/lib -s /sbin/nologin -M -r pkiuser

it seems to be created by /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py.

Version-Release number of selected component (if applicable):

ipa-server-3.3.3-28.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:

1. Before ipa-server-install is run, check for pkiuser in /etc/passwd.
2. Run ipa-server-install, configure IdM.
3. Check for pkiuser in /etc/passwd.
4. Compare the uid, gid, and home directory with values from uidgid file.

Actual results:

Mismatch.

Expected results:

Match.

Additional info:
attachment freeipa-dkupka-0025-Respect-UID-and-GID-soft-static-allocation.patch
attachment freeipa-dkupka-0025-2-Respect-UID-and-GID-soft-static-allocation.patch
attachment freeipa-dkupka-0025-3-Respect-UID-and-GID-soft-static-allocation.patch
attachment freeipa-dkupka-0025-4-Respect-UID-and-GID-soft-static-allocation.patch
attachment freeipa-dkupka-0025-5-Respect-UID-and-GID-soft-static-allocation.patch
master:
ipa-4-1:
Metadata Update from @mkosek: - Issue assigned to dkupka - Issue set to the milestone: FreeIPA 4.1.1
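The comparison from step 4 of the reproduction steps, generalized to every account listed in uidgid, as an added example that is not part of the ticket or of FreeIPA's code. The function names are hypothetical, and the uidgid column layout (whitespace-separated NAME UID GID HOME SHELL PACKAGES, with "-" for an unallocated field) is an assumption inferred from the single line quoted in the report.

```python
# Constructed sample input: the three lines quoted in the ticket.
UIDGID = "pkiuser 17 17 /usr/share/pki /sbin/nologin pki-ca,rhpki-ca\n"
PASSWD = "pkiuser:x:994:993:CA System User:/var/lib:/sbin/nologin\n"
GROUP = "pkiuser:x:993:\n"

def parse_uidgid(text):
    """Parse uidgid into {name: allocation}.

    Assumed layout: whitespace-separated NAME UID GID HOME SHELL PACKAGES,
    with "-" (or any non-number) meaning the field is not allocated.
    """
    alloc = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not (cols[1].isdigit() or cols[2].isdigit()):
            continue  # header, comment or free text
        name, uid, gid, home, shell = cols[:5]
        alloc[name] = {
            "uid": int(uid) if uid.isdigit() else None,
            "gid": int(gid) if gid.isdigit() else None,
            "home": None if home == "-" else home,
            "shell": None if shell == "-" else shell,
        }
    return alloc

def find_mismatches(uidgid_text, passwd_text, group_text):
    """Return (name, field, allocated, actual) for every drifted field."""
    actual = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit() and f[3].isdigit():
            actual[f[0]] = {"uid": int(f[2]), "gid": int(f[3]),
                            "home": f[5], "shell": f[6]}
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[2].isdigit():
            actual.setdefault(f[0], {})["group gid"] = int(f[2])
    # (field as reported, key in the allocation it is compared against)
    checks = [("uid", "uid"), ("gid", "gid"), ("home", "home"),
              ("shell", "shell"), ("group gid", "gid")]
    drift = []
    for name, want in parse_uidgid(uidgid_text).items():
        have = actual.get(name, {})  # account not created yet: nothing to compare
        for field, key in checks:
            if want[key] is not None and field in have and have[field] != want[key]:
                drift.append((name, field, want[key], have[field]))
    return drift

if __name__ == "__main__":
    for name, field, want, have in find_mismatches(UIDGID, PASSWD, GROUP):
        print(f"{name}: {field} is {have}, uidgid allocates {want}")
```

On a live host the three arguments would be the contents of /usr/share/doc/setup-2.8.71/uidgid, /etc/passwd and /etc/group; an empty result means every created account matches its soft-static allocation.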