In my network at home I do have a PC which is the center and runs an LDAP server for the login credentials for all family users to log in on the other PCs or laptops. The same PC serves as NFS server too and provides all user homes for the network. All PCs or laptops are running EOS.
Today I ran into a problem with the usergroup users. I found out that all PCs or laptops do have the same numeric GID (985) for that usergroup except two machines (they have 984). Both have been installed lately with the February or April release. All other machines have been installed between September 2019 and March 2020. According to this discussion it seems that this behaviour is quite normal in Linux/Arch today.
The users in the LDAP have two different groups: parents and kids. Parents do have a manually created usergroup with numeric GID 1001. Kids are all in the usergroup users and their user homes belong to the group users. All is stored in the group file of the PC mentioned above and in the LDAP too. The LDAP only exports UIDs and GIDs above 1001.
If one of the kids logs into one of the latest installed machines they get problems because there is a mismatch between the local numeric GID and the numeric GID of the PC which serves as NFS server. The first problem that occurred was pulseaudio not working, files were stored with wrong GIDs etc.
Now my question: What would be the best way to get out of this problem?
I have two ideas:
1. I will change on all machines including the PC mentioned above the numeric GID of the usergroup users to 100, which was formerly used for this usergroup in Linux. After this I will have to change the ownership to the new numeric GID for all folders and files that are owned by the usergroup users, which might not be that easy because I have to find them all on the different hard drives. Maybe I have to do that from a live system in chroot?
2. I will change the rights of the user homes of the kids to the different usergroups that were created while creating the users at the initial installation. Then I will have to change the configuration of the LDAP server to have the right usergroups exported to the whole network. Sounds easier but has the problem that the parents cannot open the files of the kids as easily as with the one usergroup we used before.
Which one do you prefer? Or do you have other ideas?
If you don’t like @jonathon’s solution, can’t you just change those two machines so the GID of users is 985? Then change the group permissions of the files with 984 to 985?
You could change that one first or you can change all the machines to something unused.
That being said, if you have been sharing files on all these machines without doing any group mapping how do you know which files belong to the group with GID 985 and which are coming from the users group on other machines?
This would be solution 1 in my initial post. Changing the numeric GID to 100 on all machines.
All kids do have only write access to their own home directory. All files in their homes belong to the usergroup users. As the parents do not have the same usergroup as the kids, I do not have that problem with the data of the parents.
That is right, but only if I do not use GIDs that only exist on the local PC or laptop where the kids log in. In my case I am using a local GID which is transferred via LDAP to the PCs where the users log in. This is the root cause of my problems.
After all your remarks I finally think that the best solution is to change the user rights of the user homes of the kids from kid1:users to kid1:kid1, kid2:kid2 etc. Then I change the configuration in LDAP. This will be better for the future, because I do not know if one day the numeric GID I would have used following solution 1 of my initial post will be used by some system service and cause the same trouble again.
Just for the record: I made that change successfully!
Now every kid has its own group in the group file on the LDAP/NFS server and all the files in the user homes belong to that specific user and group combination. The same numeric GID is configured in the LDAP for the specific users.
To make everything work it is necessary to follow the link @jonathon mentioned above related to NFSv4 ID mapping.
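As an added example (not from any participant in this thread): a small POSIX shell check that spots the kind of GID mismatch between the server's and a client's group file described above, plus a helper for the re-owning step that follows a GID change or moving the kids' homes to per-user groups. The group-file contents are constructed; `relabel_gid` assumes GNU find and chgrp.

```shell
#!/bin/sh
# Constructed /etc/group excerpts standing in for the LDAP/NFS server and one
# of the newer clients; the GIDs mirror the 985 vs 984 difference in the thread.
SERVER_GROUP='root:x:0:
users:x:985:
parents:x:1001:dad,mum
kid1:x:1002:
kid2:x:1003:'
CLIENT_GROUP='root:x:0:
users:x:984:
wheel:x:998:dad'

# Print "name server_gid client_gid" for every group name present in both
# group files whose numeric GID differs. $1 and $2 are the file contents.
gid_mismatches() {
    srv=$(mktemp) cli=$(mktemp)
    printf '%s\n' "$1" >"$srv"
    printf '%s\n' "$2" >"$cli"
    awk -F: 'NR == FNR { gid[$1] = $3; next }
             ($1 in gid) && gid[$1] != $3 { print $1, gid[$1], $3 }' "$srv" "$cli"
    rm -f "$srv" "$cli"
}

# Compare the machine this runs on against the server's group file ($1).
# getent reads the local file and LDAP alike, so it shows what users actually get.
check_local_against() {
    gid_mismatches "$1" "$(getent group)"
}

# Re-own every file under $1 that currently carries numeric GID $2 to GID $3.
# -xdev keeps find on one filesystem, so run it once per mounted data disk;
# -h changes a symlink itself rather than its target. Needs root. Set
# DRY_RUN=1 to only list the affected paths before changing anything.
relabel_gid() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        find "$1" -xdev -gid "$2" -print
    else
        find "$1" -xdev -gid "$2" -exec chgrp -h "$3" {} +
    fi
}

gid_mismatches "$SERVER_GROUP" "$CLIENT_GROUP"   # prints: users 985 984
```

Run `check_local_against "$(ssh server cat /etc/group)"` on each client to find the odd machines, then `DRY_RUN=1 relabel_gid /home 984 985` to preview what a fix would touch.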
Just a note - I think this is the best thing to do anyway, for other reasons! I don’t know the ages of kid1 and kid2, but it might become better that they not have write permissions on each other’s files! Jes’ sayin’…