
We use Puppet to manage our Linux desktop machines and SSSD to authenticate our users against a central authentication system. Recently when setting up a few new machines we found that Puppet was halting in the middle of installing software packages. The culprit was the kdm package, which tries to add a local 'kdm' user when recently a 'kdm' username was added to the central authority.

Normally I see this problem handled with a namespace-dividing mechanism (such as Windows domains), but my short time in Linux administration doesn't really help me figure out a good way to do this.

I can figure out maybe a few general ideas of how to fix this (in most elegant to least elegant):

  1. Figure out a good way to divide up system usernames from central usernames so such future conflicts won't be a problem.
  2. Use some flag for dpkg to force the kdm package to add a different username (or to use nobody).
  3. Force dpkg to add the user. This won't allow the user to login to our systems but there's a good possibility this won't be an issue anyway.

Of course, (2) and (3) don't fix the underlying issue, but if a solution in the vein of (1) is particularly damaging to our current setup, something like (2) or (3) may be more preferable.

OEP

1 Answer

Come up with a better user naming scheme... (or force "kdm" to use different login credentials)

I've had to learn this lesson over the years as I inherited commercial Unix systems with three-letter usernames. Moving those servers to Linux exposed conflicts with system service accounts. The worst case was Randy P. McDonald, or userID "rpm". The RPM package manager in Redhat-based systems uses the "rpm" account.

Other conflicts occurred over time. Usernames "adm", "lp" and "ftp" have been problems at times.

My permanent fix was to revise the user naming scheme to be more robust. Three-initials is not that scalable.

This is part of knowing your environment. You use desktop Linux (presumably with KDM as a Window Manager instead of Gnome), and the "kdm" user is key to that from a permissions and systems operation standpoint.

Any changes you make to the individual package or dpkg would require you to remember that step as you upgrade systems, move to new OS versions, etc. Adding the user will probably result in funky permissions.

ewwhite
  • Unfortunately we do not control the central authentication, so I am afraid we just have to deal with it. I guess it's /possible/ we could petition a change because presumably it's more than just us who are affected. – OEP Mar 22 '13 at 20:55
  • @OEP Ultimately you *must* change your centralized username convention (sorry, but them's the breaks) - It's not hard to avoid colliding with "standard" usernames (first initial + last name is usually conflict-free, though you need to resolve John and Jane Doe on your own then). Your (2) and (3) options from the question aren't viable - they make your environment strange-and-different compared to standard Ubuntu systems, and break cross-package assumptions. – voretaq7 Mar 22 '13 at 21:34
  • Also, at least on one Ubuntu 10.04 workstation I manage, there is no `kdm` user, since there is no KDM package installed. If you just have to have a `kdm` username for a real person, just don't install KDM, and use a different display manager. – Mike Renfro Mar 23 '13 at 01:39
  • @MikeRenfro I'm assuming the original poster needs KDM as a window manager. He specified "Linux desktop". – ewwhite Mar 23 '13 at 02:28
  • That's certainly possible. But I was hoping the company had the option to replace display managers instead of firing Mr./Mrs. KDM or forcing him/her to get a name change. They might run into a similar problem with GDM, less likely with XDM. And problem solved if they switch to LXDM or abandon display managers entirely. – Mike Renfro Mar 23 '13 at 02:32
  • @voretaq7 I should probably state that three-letters is not the standard username assignment. In truth I don't know how it all works but it seems pretty free form. – OEP Mar 23 '13 at 04:12
  • @ewwhite Actually KDE is not the window manager (it's XFCE) though we have apps that depend on KDE being present -- I'm sure the same arguments apply though. In truth, I think the best thing is to pass the buck to central IT and see if they can squeeze in a name change before that account really becomes active. – OEP Mar 23 '13 at 04:12
  • Regardless, KDE apps don't require KDM to function. KDM just runs a login screen. – Mike Renfro Mar 23 '13 at 04:28
  • Oops, yeah I was confused when someone said window manager. We do use KDM as our login manager. – OEP Mar 23 '13 at 07:13
  • @OEP free-form usernames are either the best or the worst scheme (on the one hand people can have the username they want, on the other, when you tell them "You can't be `kdm`" they get all pouty because nothing is written down saying why they no can has :-) – voretaq7 Mar 23 '13 at 19:48
  • In case anyone was curious, here's what we did. Changing the username or even the username-picking scheme was not an option for us since it's over our heads. Instead we force the addition of the kdm user using a custom script. As long as 'kdm' is indeed a system user, the .deb post-install script won't encounter a nonzero exit code (thrown by 'adduser' previously) and therefore will gladly install the package. It's a hack but it works for our situation. – OEP Mar 26 '13 at 17:26
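
The collision discussed in this thread, as an added example that is not any poster's code: a shell function that checks a list of central usernames against local system accounts and against names that packages create only at install time (which is why `kdm` was not visible on a fresh machine). The reserved list holds only names mentioned in the thread; the function name, the input file layout and the 1000 UID cutoff are assumptions.

```shell
#!/bin/sh
# Added example: flag central usernames that collide with local system
# accounts or with names that packages create at install time.

# Names the thread reports as having collided; extend for your package set.
RESERVED_NAMES="kdm rpm adm lp ftp"

# find_collisions PASSWD_FILE CENTRAL_FILE [SYS_UID_MAX]
#   PASSWD_FILE  passwd(5)-format file holding local accounts only
#   CENTRAL_FILE one central username per line
#   SYS_UID_MAX  UIDs below this count as system accounts (assumed 1000)
# Prints "name<TAB>reason" for every colliding central username.
find_collisions() {
    awk -F: -v max="${3:-1000}" -v reserved="$RESERVED_NAMES" '
        BEGIN {
            n = split(reserved, r, " ")
            for (i = 1; i <= n; i++) res[r[i]] = 1
        }
        # First file: remember every local account in the system UID range.
        FILENAME == ARGV[1] { if ($3 + 0 < max) sys[$1] = $3; next }
        $1 == "" { next }
        ($1 in sys) { printf "%s\tlocal system account (uid %s)\n", $1, sys[$1]; next }
        # Not present locally yet, but a package will try to create it.
        ($1 in res) { printf "%s\treserved for a package-created account\n", $1 }
    ' "$1" "$2"
}

# Demo on constructed sample data (not taken from any real system).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/bash' > "$tmp/passwd"
    # Central directory export: kdm and lp collide, alice and jdoe do not.
    printf '%s\n' kdm lp alice jdoe > "$tmp/central"
    find_collisions "$tmp/passwd" "$tmp/central"
    rm -rf "$tmp"
}

demo
```

Feed it the machine's own `/etc/passwd` rather than `getent passwd` output, since with SSSD the latter also lists the central accounts.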