Hi,

we are upgrading some servers from C6 to C7 with a lot of user accounts on them (UID>=500).
CentOS 7 has MIN_UID/MIN_GID 1000, Centos 6 has 500 in login.defs.

Can I change in /etc/login.defs MIN_UID/MIN_GID to 500 for C7? So I could just grep the users out from passwd/shadow/group files and append them to the Centos7 passwd/shadow/group files.
Can this do any damage to CentOS7 later on? Thinking about updates....

Thanks,
Thomas

On Thu, Oct 22, 2020 at 2:12 PM Thomas Plant <thomas at plant.systems> wrote:
> Hi,
>
> we are upgrading some servers from C6 to C7 with a lot of user accounts
> on them (UID>=500).
> CentOS 7 has MIN_UID/MIN_GID 1000, Centos 6 has 500 in login.defs.
>
> Can I change in /etc/login.defs MIN_UID/MIN_GID to 500 for C7? So I
> could just grep the users out from passwd/shadow/group files and append
> them to the Centos7 passwd/shadow/group files.
> Can this do any damage to CentOS7 later on? Thinking about updates....
>
> Thanks,
> Thomas

reading official doc here for upstream:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-managing_users_and_groups
"
Important
The default range of IDs for system and normal users has been changed in Red Hat Enterprise Linux 7 from earlier releases. Previously, UID 1-499 was used for system users and values above for normal users. The default range for system users is now 1-999. This change might cause problems when migrating to Red Hat Enterprise Linux 7 with existing users having UIDs and GIDs between 500 and 999. The default ranges of UID and GID can be changed in the /etc/login.defs file.
"
and also here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/migration_planning_guide/chap-red_hat_enterprise_linux-migration_planning_guide-major_changes_and_migration_considerations#sect-Red_Hat_Enterprise_Linux-Migration_Planning_Guide-System_Management-Changes-to-system-accounts
"
The default ranges of UID and GID can be manually changed in the /etc/login.defs file.
"

It seems you can safely change the settings in your CentOS 7 system.
I think no new effective system users/groups already occupying the new range slots...

HIH,
Gianluca

> Hi,
>
> we are upgrading some servers from C6 to C7 with a lot of user accounts
> on them (UID>=500).
> CentOS 7 has MIN_UID/MIN_GID 1000, Centos 6 has 500 in login.defs.
>
> Can I change in /etc/login.defs MIN_UID/MIN_GID to 500 for C7? So I
> could just grep the users out from passwd/shadow/group files and append
> them to the Centos7 passwd/shadow/group files.
> Can this do any damage to CentOS7 later on? Thinking about updates....

When I did an upgrade from CentOS 5 to 7 I found that even a standard install of CentOS 7 already used a number of GIDs in the range of 500-999.

In the end I decided to rearrange all users to new UIDs/GIDs and converted all storage with a script.

The tricky part was to find a way which doesn't take ages to convert storage. Doing so with find.... wasn't possible for performance reasons.

Attached script was used to convert every user. It was the fastest way I found. The script was started in background for every user.

Regards,
Simon

>> Hi,
>>
>> we are upgrading some servers from C6 to C7 with a lot of user accounts
>> on them (UID>=500).
>> CentOS 7 has MIN_UID/MIN_GID 1000, Centos 6 has 500 in login.defs.
>>
>> Can I change in /etc/login.defs MIN_UID/MIN_GID to 500 for C7? So I
>> could just grep the users out from passwd/shadow/group files and append
>> them to the Centos7 passwd/shadow/group files.
>> Can this do any damage to CentOS7 later on? Thinking about updates....
>
> When I did an upgrade from CentOS 5 to 7 I found that even a standard
> install of CentOS 7 already used a number of GIDs in the range of 500-999.
>
> In the end I decided to rearrange all users to new UIDs/GIDs and converted
> all storage with a script.
>
> The tricky part was to find a way which doesn't take ages to convert
> storage. Doing so with find.... wasn't possible for performance reasons.
>
> Attached script was used to convert every user. It was the fastest way I
> found. The script was started in background for every user.

Looks like attachments are stripped from the mail, so here is the script embedded:

----%<----
#!/bin/bash

if (( $# < 3 )); then
  echo "Usage: $0 <username> <new uid> <dir> [<dir>...]"
  echo "Example: $0 user1 1000 /tmp /etc /usr /opt /var /home"
  exit 1
fi

USR=$1
NEW_UID=$2
# No separate GID argument is taken; left empty so it defaults to NEW_UID below
NEW_GID=""
shift 2
# Remaining arguments are the directories to convert (array keeps paths with spaces intact)
DIRS=("$@")

OLD_UID=$(id -u "$USR")
OLD_GID=$(id -g "$USR")

if [[ -z "$NEW_GID" ]]; then
  NEW_GID=$NEW_UID
fi

echo "modifying user $USR ids ${OLD_UID}:${OLD_GID} -> ${NEW_UID}:${NEW_GID} on ${DIRS[*]}"

# Note: usermod changes ownership of at least $HOME and /var/spool/mail/${USR}
# The user's primary group is expected to have the same name as the user
groupmod -g "$NEW_GID" "$USR"
usermod -u "$NEW_UID" -g "$USR" "$USR"

# --from restricts each pass to files that still carry the old GID / old UID
chown --changes --silent --no-dereference --preserve-root --recursive --from=":${OLD_GID}" ":${NEW_GID}" "${DIRS[@]}"
chown --changes --silent --no-dereference --preserve-root --recursive --from="${OLD_UID}" "${NEW_UID}" "${DIRS[@]}"
----%<----

On 22.10.2020 at 14:11, Thomas Plant wrote:
> Hi,
>
> we are upgrading some servers from C6 to C7 with a lot of user
> accounts on them (UID>=500).
> CentOS 7 has MIN_UID/MIN_GID 1000, Centos 6 has 500 in login.defs.
>
> Can I change in /etc/login.defs MIN_UID/MIN_GID to 500 for C7? So I
> could just grep the users out from passwd/shadow/group files and
> append them to the Centos7 passwd/shadow/group files.
> Can this do any damage to CentOS7 later on? Thinking about updates....
>
> Thanks,
> Thomas
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Thanks for the hints.

Think I will go the lazy way and adapt login.defs. ;-)

Greetings,
Thomas

On 10/22/2020 6:06 AM, Simon Matter wrote:
> In the end I decided to rearrange all users to new UIDs/GIDs and converted
> all storage with a script.

I'm rsyncing to an RH8 box for backup (it will eventually become the production box), and rsync maintains usernames even when the numeric IDs are different. So I cobbled together some Python scripts to migrate the users and groups from my RH7 boxes (which still have some IDs below 1000) to my RH8 box. I decided to export all the passwd files into JSON and then import them with a second script on the new box. I'm new to Python so this gave me motivation to learn a bit of it. Patches welcome.

https://github.com/SpareSimian/user-group-migration

On Thu, 2020-10-22 at 15:13 +0200, Thomas Plant wrote:
> On 22.10.2020 at 14:11, Thomas Plant wrote:
> > Hi,
> >
> > we are upgrading some servers from C6 to C7 with a lot of user
> > accounts on them (UID>=500).
> > CentOS 7 has MIN_UID/MIN_GID 1000, Centos 6 has 500 in login.defs.
> >
> > Can I change in /etc/login.defs MIN_UID/MIN_GID to 500 for C7? So I
> > could just grep the users out from passwd/shadow/group files and
> > append them to the Centos7 passwd/shadow/group files.
> > Can this do any damage to CentOS7 later on? Thinking about
> > updates....
> >
> > Thanks,
> > Thomas
>
> Thanks, for the hints.
>
> Think I will go the lazy way and adapt login.defs. ;-)
>
> Greetings,
> Thomas

You'd better not do that: when I looked at one of my C8 boxes, many services that require a system account (but not a global fixed one) were allocated from the top of the 500-999 range.

Bite the bullet and change user accounts to start from 1000. Especially when using NFS this may otherwise come back and bite you.
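
Added example, not part of the thread: a pre-flight check for the "append the old passwd/group entries" approach discussed above. It lists numeric IDs in the 500-999 range that the old host's file and the new host's file assign to different names. The function name `id_collisions`, the file names and the sample entries are constructed for illustration.

```shell
#!/bin/bash
# id_collisions OLD_FILE NEW_FILE [MIN] [MAX]
# Works on passwd- and group-format files alike (field 1 = name, field 3 = ID).
# Prints "ID old_name new_name" for every ID in MIN..MAX that the new host
# already gives to a different name. Returns 1 if any collision was found.
id_collisions() {
  local old=$1 new=$2 min=${3:-500} max=${4:-999}
  awk -F: -v min="$min" -v max="$max" '
    { id = $3 + 0 }                       # blank/comment lines become 0 and are skipped
    id < min || id > max { next }
    # First file (new host): remember which name owns each ID in range
    FILENAME == ARGV[1] { taken[id] = $1; next }
    # Second file (old host): flag IDs already owned by a different name
    (id in taken) && taken[id] != $1 { print id, $1, taken[id]; hits++ }
    END { exit (hits > 0) }
  ' "$new" "$old"
}

# Constructed sample data (hypothetical accounts, not from any real host)
make_samples() {
  local dir=$1
  cat > "$dir/passwd.new" <<'EOF'
root:x:0:0:root:/root:/bin/bash
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
EOF
  cat > "$dir/passwd.old" <<'EOF'
alice:x:500:500::/home/alice:/bin/bash
bob:x:998:998::/home/bob:/bin/bash
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
id_collisions "$tmp/passwd.old" "$tmp/passwd.new" \
  || echo "collisions found: renumber these accounts before appending"
rm -rf "$tmp"
```

Run it once against the passwd files and once against the group files; any line it prints is an account whose files would silently change owner if the entries were merged unchanged.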