Magnus Holmgren
2020-May-04 21:18 UTC
[Samba] default backend = rid not showing full group information for users
On Monday 4 May 2020 at 22:22:04 CEST, Rowland penny via samba wrote:
> On 04/05/2020 21:06, Magnus Holmgren via samba wrote:
> > On Monday 4 May 2020 at 20:45:37 CEST, Rowland penny via samba wrote:
> >> On 04/05/2020 19:24, Magnus Holmgren via samba wrote:
> >>> The systemd NSS module handles dynamically allocated users and groups
> >>> when a unit has DynamicUser=true. See systemd.exec(5).
> >>
> >> Care to say where that would be used ?
> >
> > Wherever you want, I guess. I think the idea is to isolate network
> > services better from each other than if you run them as nobody.
>
> So you don't actually know of a case where it could be used, I will just
> stick to removing 'systemd' from nsswitch.conf, others can do as they wish.

I thought you were asking for a use case. No, if you don't have any systemd units that make use of the dynamic user feature, you don't need to include that NSS module. Strictly speaking, you don't need it even if you do use that feature; that just means you can't translate the uids and gids, but since they are ephemeral and not supposed to own any files, other than possibly temporary ones, I don't see how that's much of a loss.

BTW I should have said that the idea is to isolate multiple instances of the same service from each other. Different services preferably run under different normal accounts.

--
Magnus Holmgren
holmgren at lysator.liu.se
Rowland penny
2020-May-05 07:31 UTC
[Samba] default backend = rid not showing full group information for users
On 04/05/2020 22:18, Magnus Holmgren via samba wrote:
> On Monday 4 May 2020 at 22:22:04 CEST, Rowland penny via samba wrote:
>> On 04/05/2020 21:06, Magnus Holmgren via samba wrote:
>>> On Monday 4 May 2020 at 20:45:37 CEST, Rowland penny via samba wrote:
>>>> On 04/05/2020 19:24, Magnus Holmgren via samba wrote:
>>>>> The systemd NSS module handles dynamically allocated users and groups
>>>>> when a unit has DynamicUser=true. See systemd.exec(5).
>>>> Care to say where that would be used ?
>>> Wherever you want, I guess. I think the idea is to isolate network
>>> services better from each other than if you run them as nobody.
>> So you don't actually know of a case where it could be used, I will just
>> stick to removing 'systemd' from nsswitch.conf, others can do as they wish.
> I thought you were asking for a use case. No, if you don't have any systemd
> units that make use of the dynamic user feature, you don't need to include
> that NSS module. Strictly speaking, you don't need it even if you do use that
> feature; that just means you can't translate the uids and gids, but since they
> are ephemeral and not supposed to own any files, other than possibly temporary
> ones, I don't see how that's much of a loss.

OK, I will try this another way, just what are 'dynamic users' and what would you use them for ?

I have only been using Linux since shortly after Linus released it and I have never used a 'dynamic user' or felt the need to.

Rowland
Magnus Holmgren
2020-May-05 17:57 UTC
[Samba] default backend = rid not showing full group information for users
On Tuesday 5 May 2020 at 09:31:08 CEST, Rowland penny via samba wrote:
> > I thought you were asking for a use case. No, if you don't have any
> > systemd units that make use of the dynamic user feature, you don't need
> > to include that NSS module. Strictly speaking, you don't need it even if
> > you do use that feature; that just means you can't translate the uids and
> > gids, but since they are ephemeral and not supposed to own any files,
> > other than possibly temporary ones, I don't see how that's much of a loss.
>
> OK, I will try this another way, just what are 'dynamic users' and what
> would you use them for ?
>
> I have only been using Linux since shortly after Linus released it and I
> have never used a 'dynamic user' or felt the need to.

It's explained on the man page. It's just a UID/GID pair systemd allocates from the range 61184...65519, but a few other security features are implied, such as private /tmp and read-only file system.

http://man7.org/linux/man-pages/man5/systemd.exec.5.html#OPTIONS

--
Magnus Holmgren
holmgren at lysator.liu.se
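
Added example, not part of the original thread and not Samba or systemd code: a small audit helper that parses nsswitch.conf text and reports which IDs in the 61184...65519 range mentioned above would have no name once 'systemd' is removed from a database line. The sample file content, the ID list and all function names are constructed for illustration.

```python
import re

# Range the thread gives for systemd's dynamically allocated UIDs/GIDs.
DYNAMIC_MIN, DYNAMIC_MAX = 61184, 65519

# Constructed sample: 'systemd' removed from passwd but still listed for group.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:   files winbind
group:    files [SUCCESS=return] systemd winbind   # trailing comment
shadow:   files
"""


def nss_sources(conf_text, database):
    """Return the ordered NSS module names configured for one database."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if name.strip() == database:
            # Action items such as [NOTFOUND=return] are not module names.
            rest = re.sub(r"\[[^\]]*\]", " ", rest)
            return rest.split()
    return []


def is_dynamic_id(num):
    """True if the numeric ID lies in the dynamic allocation range."""
    return DYNAMIC_MIN <= num <= DYNAMIC_MAX


def unresolvable_dynamic_ids(conf_text, database, ids):
    """IDs in the dynamic range that NSS cannot name without 'systemd'."""
    if "systemd" in nss_sources(conf_text, database):
        return []
    return [i for i in ids if is_dynamic_id(i)]


if __name__ == "__main__":
    seen = [0, 1000, 61184, 63021, 65519, 65534]  # constructed IDs
    for db in ("passwd", "group"):
        print(db, nss_sources(SAMPLE_NSSWITCH, db),
              unresolvable_dynamic_ids(SAMPLE_NSSWITCH, db, seen))
```

IDs reported by this helper would show up as bare numbers in tools such as ls or ps, which is the loss of uid/gid translation described in the thread.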