-
Notifications
You must be signed in to change notification settings - Fork 225
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
man: clarify subid delegation #345
Conversation
Thanks Iker. There are some consequences for local user tools when you configure NSS module, would be great to document those. |
18be1ad
to
2c135a0
Compare
Clarify that the subid delegation can only come from one source. Moreover, add an example of what might happen if the subid source is NSS and useradd is executed. Related: shadow-maint#331
2c135a0
to
d5b15f8
Compare
Thank you! |
Does useradd fail with NSS set? This should only happen if SUB_UID_COUNT != 0 in login.defs. The comment suggests that useradd and groupadd are not possible at all with NSS. That should be fixed. If it isn't, please open a bug. |
Let me review it and I'll come back with a clarification by the beginning of next week. |
I've been testing it and the results don't match with what I wrote in the man page:
Thus, I would propose to change the man page again. Instead of writing
I'd propose to write
@hallyn @alexey-tikhonov what are your thoughts? |
|
Should we rather fail completely in such a case? It feels that's cleaner. |
That's more or less what I've been asking in #331 But it's perfectly legitimate to have users from different databases on a single host. So I don't think we should disable local user manipulation tools entirely in this case. |
Oh. That wasn't my intent, indeed. Can we agree that if |
I don't have strong opinion if it should fail with Imo, at the moment it's enough to carefully document current state. |
I agree with Alexey that for the moment documenting the current state should be enough. Besides, once users start using this feature I think that we'll get their feedback and we can take a more definitive decision regarding this problem. |
Following the discussion shadow-maint#345 I have changed the documentation to clarify the behaviour of subid delegation when any subid source except files is configured.
Following the discussion shadow-maint#345 I have changed the documentation to clarify the behaviour of subid delegation when any subid source except files is configured.
Following the discussion shadow-maint#345 I have changed the documentation to clarify the behaviour of subid delegation when any subid source except files is configured.
Clarify that the subid delegation can only come from one source. This work is based on #331 (comment)
Related: #331