#4585 ipaserver/install/cainstance.py creates pkiuser not matching uidgid
Closed: Fixed None Opened 9 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1145584

Description of problem:

The uid/gid allocated for user/group pkiuser is 17:

# rpm -qf /usr/share/doc/setup-2.8.71/uidgid
setup-2.8.71-4.el7.noarch
# grep pkiuser /usr/share/doc/setup-2.8.71/uidgid
pkiuser 17      17      /usr/share/pki          /sbin/nologin   pki-ca,rhpki-ca
#

The user is not created by rpm scriptlets even though it probably should be, to
comply with
https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Soft_static_allocation.
There is bug 1143067 about that issue.

However, the user is created (maybe as a workaround for it not being created by
rpm) upon ipa-server-install run:

# grep pkiuser /etc/passwd /etc/group
# ipa-server-install

The log file for this installation can be found in
/var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

[...]

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
# grep pkiuser /etc/passwd /etc/group
/etc/passwd:pkiuser:x:994:993:CA System User:/var/lib:/sbin/nologin
/etc/group:pkiuser:x:993:
#

The uid, gid, and home directory do not match the allocated values from uidgid.

Looking at the log,

# grep pkiuser /var/log/ipaserver-install.log
2014-09-23T10:06:29Z DEBUG adding ca user pkiuser
2014-09-23T10:06:29Z DEBUG args=/usr/sbin/useradd -c CA System User -d /var/lib -s /sbin/nologin -M -r pkiuser

it seems to be created by
/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py.

Version-Release number of selected component (if applicable):

ipa-server-3.3.3-28.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Before ipa-server-install is run, check for pkiuser in /etc/passwd.
2. Run ipa-server-install, configure IdM.
3. Check for pkiuser in /etc/passwd.
4. Compare the uid, gid, and home directory with values from uidgid file.

Actual results:

Mismatch.

Expected results:

Match.

Additional info:

master:

  • 364d466 Respect UID and GID soft static allocation.

ipa-4-1:

  • 71c24b1 Respect UID and GID soft static allocation.

Metadata Update from @mkosek:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.1.1

7 years ago
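
The comparison from the steps to reproduce, as an added Python example that is not part of the original ticket or of FreeIPA's code: it parses rows in the uidgid layout quoted above and reports every passwd field that deviates from the allocation. The pkiuser rows are the ones quoted in the ticket; the `exampled` rows and all function names are constructed for illustration.

```python
from typing import NamedTuple, Optional


class Allocation(NamedTuple):
    uid: Optional[int]
    gid: Optional[int]
    home: Optional[str]
    shell: Optional[str]


def _field(value, cast=str):
    # "-" in a uidgid column means nothing is allocated for that field.
    return None if value == "-" else cast(value)


def parse_uidgid(text):
    """Parse 'NAME UID GID HOME SHELL PACKAGES' rows into {name: Allocation}."""
    table = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 5:
            continue
        try:
            table[p[0]] = Allocation(_field(p[1], int), _field(p[2], int),
                                     _field(p[3]), _field(p[4]))
        except ValueError:
            continue  # header row or non-numeric id
    return table


def audit_passwd(passwd_text, table):
    """Return (name, field, allocated, actual) for each deviating passwd field."""
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7 or f[0] not in table or not (f[2].isdigit() and f[3].isdigit()):
            continue
        actual = Allocation(int(f[2]), int(f[3]), f[5], f[6])
        for key, want, got in zip(Allocation._fields, table[f[0]], actual):
            if want is not None and want != got:
                findings.append((f[0], key, want, got))
    return findings


# pkiuser rows are quoted from the ticket; the "exampled" rows are constructed.
UIDGID = """NAME UID GID HOME SHELL PACKAGES
pkiuser 17      17      /usr/share/pki          /sbin/nologin   pki-ca,rhpki-ca
exampled - 45 - - example-pkg
"""
PASSWD = """pkiuser:x:994:993:CA System User:/var/lib:/sbin/nologin
exampled:x:45:45:Example daemon:/var/empty:/sbin/nologin
"""

if __name__ == "__main__":
    for name, key, want, got in audit_passwd(PASSWD, parse_uidgid(UIDGID)):
        print(f"{name}: {key} is {got!r}, allocated {want!r}")
```

On a real host, pass the contents of the uidgid file shipped by the setup package and of /etc/passwd instead of the embedded samples.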
