RE: Re: Re: Re: Re: Re: Updating uid/gid of existing user


#1

I came across the same need when I migrated a network a while ago to Samba/winbind-based authentication.

The solution is indeed what Jeff had recommended: use the find command and the chown command. You can do it all in a single line (per user). The script needs as input the old UID (obviously), and either the new uid, or a way to resolve it.

You can do it automatically in chef with a script resource.

There are a couple pitfalls. One I can think of: group memberships may also need to be updated, especially if you are transitioning to a different authentication mechanism the way I did. If you stick with just /etc/passwd and /etc/group a simple change of UID should not affect group memberships (because group membership is managed by name, not by UID).

If the affected users are system users, you may also run into issues of services running with the wrong uid.

If I remember right, some iptables modules allow you to specify rules that involve the uid.

Bottom line: try to use the find/chown approach, but be prepared for stuff to break.

Kevin Keane

The NetTech

http://www.4nettech.com

Our values: Privacy, Liberty, Justice

See https://www.4nettech.com/corp/the-nettech-values.html

-----Original message-----
From: Nils-Helge Garli Hegvik nilsga@gmail.com
Sent: Wednesday 17th December 2014 14:43
To: chef@lists.opscode.com
Subject: [chef] Re: Re: Re: Re: Re: Updating uid/gid of existing user

Thank you for the replies. I’m aware of the difficulties. Just wanted
to check if someone had handled this with chef already. It’s a third
party package, so I would like to avoid rebuilding the package to hard
code the uid there. And it would still require the same manual
handling I guess, since the user already has different uids on
different nodes.

Regards,

Nils-Helge Garli Hegvik

On Wed, Dec 17, 2014 at 4:55 PM, Eric Herot eric.opscode@herot.com wrote:

Think of the user ID as being basically the “primary key” for a user object.

This stack overflow post explains pretty well why primary keys are
notoriously difficult to update (and why doing so is generally a bad idea):

http://stackoverflow.com/questions/3838414/can-we-update-primary-key-values-of-a-table

I take it the real requirement here is that this user must have the same UID
across all nodes in the cluster. Is it possible to specify the UID you want
to use in the package seed data so that it always uses the same (hard-coded)
ID upon install? Of course this will deal with new installations but
existing installs are probably still going to be a bit of a manual process
(like the one Jeff describes below).


Eric

On December 17, 2014 at 9:33:38 AM, Jeff Blaine (jblaine@kickflop.net)
wrote:

On 12/17/2014 7:28 AM, Nils-Helge Garli Hegvik wrote:

Yeah, that part I have figured out. The issue is what happens to files
owned by the previous uid/gid that are not in the user home folder.

Nils-H

Hi Nils,

No, the user resource does not address this. This is when a human is the
tool for the job. You will need to manually, one-time, address this on
your systems via (most likely) various invocations of the 'find'
command. You have uncovered a lack of previous planning (centralized
directory services and/or UID/GID policies) and now get to rectify it
once and for all, but there’s no magic tool to help you unwind legacy.

An analogy is, “I have 3 MySQL databases. Will the PostgreSQL cookbook
code find them on the network and migrate them to PostgreSQL?” :)

Jeff

On Wed, Dec 17, 2014 at 1:20 PM, Tiago Cruz tiago.tuxkiller@gmail.com
wrote:

You can “force” in your recipe like this:

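    # Create the group first so the user resource can reference it
    group "deployer" do
      gid "501"
    end

    # Pin the user's uid and primary group
    user "deployer" do
      uid "501"
      group "deployer"
      comment "deployer"
    end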

On Wed, Dec 17, 2014 at 6:08 AM, Nils-Helge Garli Hegvik
nilsga@gmail.com
wrote:

Hi!

I need to take control over a user created by a package that is
installed in our system, so it does not change between
uninstall/install. Therefore, I want to use the “user” resource to
define a uid and gid for this user, so it is already created/modified
before the package is installed. The problem is, the user already has
different uid/gid between different nodes, so I can’t really just find
the current uid and then set it to that uid. For some nodes, this will
cause the uid of the user to change. So, the question is, how do I
handle ownership of existing files and directories where this will
cause the uid to change? For files in the home folder, this is handled
automatically by the ‘usermod’ command, but not so for files
elsewhere. I assume someone has come across this issue before, so how
did you handle it? Can the current “user” resource handle this, or
does a recipe exist that can handle this?

Regards,

Nils-Helge Garli Hegvik


– Tiago Cruz


Jeff Blaine
kickflop.net
PGP/GnuPG Key ID: 0x0C8EDD02
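
The find/chown approach recommended in this thread, as an added shell example that is not code from any of the posters. The function names are hypothetical; the script only lists what would change unless "apply" is passed, and it also reports setuid/setgid files, because chown may clear those bits.

```shell
#!/bin/sh
# Added example: re-own files after a UID change. Function names are hypothetical.

# list_owned_by_uid ROOT UID
# Print every path under ROOT owned by numeric UID. -xdev keeps find on one
# filesystem, so NFS or other mounts are not walked by accident.
list_owned_by_uid() {
    find "$1" -xdev -uid "$2" -print
}

# count_owned_by_uid ROOT UID
# Number of affected paths (assumes no newlines in file names).
count_owned_by_uid() {
    list_owned_by_uid "$1" "$2" | wc -l | tr -d ' '
}

# list_setid_owned_by_uid ROOT UID
# Setuid/setgid regular files owned by UID. Review these before applying:
# chown may clear the bits, and a service can break without them.
list_setid_owned_by_uid() {
    find "$1" -xdev -uid "$2" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# reown_uid ROOT OLD_UID NEW_UID [apply]
# Dry run by default: lists the paths that would change owner.
# With "apply" (needs root) it changes the owner of each match.
reown_uid() {
    root=$1 old=$2 new=$3 mode=${4:-dry-run}
    for id in "$old" "$new"; do
        case $id in
            ''|*[!0-9]*) echo "numeric UIDs required" >&2; return 2 ;;
        esac
    done
    if [ "$mode" = apply ]; then
        # -h changes a symlink itself instead of the file it points to,
        # so a link leading outside ROOT cannot redirect the chown.
        find "$root" -xdev -uid "$old" -exec chown -h "$new" {} +
    else
        list_owned_by_uid "$root" "$old"
    fi
}
```

Run the dry run once per mounted filesystem and stop the affected services before applying; the same pattern with `-gid` and `chgrp -h` covers a changed GID.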