Thank for the info.
With the potential of hard coded GID's and the results of OS upgrades
reverting the values, we decided not to alter GID's to a common value.
Instead, Unicenter will be configured with a master security server over
OS specific servers providing security access to the client machines.
Thanks again
Stephen Waelder
----------
Original Post:
To: 'sun-managers@eecs.nwu.edu'
Subject: Questions regarding matching UID's & GID's between Solaris and
HP-UX
I am trying to head off any problems and surprises that this may cause.
Does anyone have any experience with modifing the UID's and GID's of a
Solaris system to match that of a HP-UX. We are implementing
CA-Unicenter
security which will serve both HP and Sun Sparc clients. But some
accounts
don't match:
Account UID GID
Sun / HPUX Sun / HPUX
root 0 / 0 1 / 3
daemon 1 / 1 1 / 5
What is the best procedure to sync these up?
What impact can be expected on OS and Applications?
What symptoms should we watch out for should things go wrong?
TIA.
----------
Responces:
From: djohnson@nbserv2.dseg.ti.com[SMTP:djohnson@nbserv2.dseg.ti.com]
Sent: Thursday, January 30, 1997 1:56 PM
To: Waelder, Stephen
Subject: Re: Questions regarding matching UID's & GID's between Solaris
and HP-UX
you will also have problems just between sunos and solaris
regarding sys/bin, and these are much worse in that they
are UID conflicts, not GID.
I don't think you will have any significant problems; at least
I have not, except for the sunos/solaris mail host conflicts
caused by sys/bin. if HP has any UIDs that conflict, you
probably should not have HPs use the same mail [file] server
as Suns. since my HPs have local mail, I would not know if
this is a problem or not.
configure all your machines to use "files nis" search order
for passwords and groups.
----------
From: Rich Kulawiec[SMTP:rsk@itw.com]
Sent: Thursday, January 30, 1997 3:10 PM
To: Waelder, Stephen
Subject: Re: Questions regarding matching UID's & GID's between Solaris
and HP-UX
Hoo boy. I've been through this mill before -- but that was many years
ago.
The good news is that you don't need to change UID's, just GID's, and
that all by itself will keep the headaches down to a dull roar.
The bad news is that thanks to HP's departure from de facto standards,
it's reasonably likely that the concept that "root's gid = 1" and
"daemon's
gid = 5) are going to be hard-coded into (a) other HPUX programs
(b) third-party HPUX applications and/or (c) installation
procedures/scripts
for either (a) or (b).
That means that bits and pieces of software running on your machine area
likely to squawk because they don't have the permissions they need, or
because they've no longer able to interoperate with other bits of
software
that have either "3" or "5" hardwired into them. The long-term impact
of
this is that whenever you install a new software package, or apply a
patch,
or do just about anything *other* than installing locally-developed
software,
you're going to have to be alert for this. (When I went down this road,
we integrated uid/gid entries across BSD, Ultrix, SunOS, and a few other
systems; but our lives were easier because we had all the source code.)
The best procedure? There are various programs floating around the 'net
to do uid/gid swapping en masse, but they're more than you need; you
should
be able to accomplish the switch with appropriate combinations of find
and chgrp. (And I'd definitely change things on HP side, leaving
the Sun side alone.) It doesn't look like it applies here, but when
doing big uid/gid swaps, it's important not to cause a race condition
wherein A->B->C->A -- and by the way, that's the design motivation for
some of the uid/gid swapping programs that I mentioned above, since they
neatly account for that problem and solve it.
Cheers,
---Rsk
Rich Kulawiec
rsk@itw.com
----------
From: Ric Anderson[SMTP:ric@rtd.com]
Sent: Thursday, January 30, 1997 4:46 PM
To: Waelder, Stephen
Subject: Re: Questions regarding matching UID's & GID's between Solaris
and HP-UX
FWIW, part of the standard Solaris setup where I work is to switch
root's password file gid to 0 so files don't cet created with group
"other" by default.
No ill effects.
Ric (<ric@rtd.com> "Ric Anderson", using RTD's public internet access)
----------
From: Jacques Rall[SMTP:jacques.rall@za.eds.com]
Sent: Friday, January 31, 1997 3:44 AM
To: Waelder, Stephen
Subject: RE: Questions regarding matching UID's & GID's between Solaris
and HP-UX
I'm also interested to know.
Thanks
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:44 CDT