MacPorts is hijacking account on MacOSXServer
David L Ballenger
dlb at davidlballenger.com
Mon Jul 25 15:26:57 PDT 2011
On Jul 25, 2011, at 2:09 PM, Rainer Müller wrote:
> On 2011-07-25 21:44 , Rodolfo Aramayo wrote:
>> The latest installation of MacPorts is taking over mobile accounts on
>> MacOSXServer
>
> AFAIK mobile account means they have a home exported over the network?
> I am not sure if it is NIS/yp, but is this a similar solution?
>
They are users created in an Open Directory (LDAP) domain on OS X Server.
They can have network home directories that can be mounted via AFP when
a user logs in to another system that is joined to the Open Directory
domain. These user accounts can be created by Server Preferences (Snow
Leopard Server) or Workgroup Manager (Snow Leopard Server and Lion).
The Open Directory Administrator account has a UID of 1000 and Open
Directory User UIDs start at 1025 and go up.
A mobile account is a variant of this that allows the user to have a
local home directory set up when logging into a connected system
rather than mounting their home directory via the network. This is useful
on laptops connected to the domain. If the user selects to have a local
home directory, a local account is also created with the same UID as in
the Open Directory domain. The local account also gets some other information
in it that is used to authenticate to the domain.
The fact that it gets a local account with the same UID as the Open Directory
account is I think contributing to the issue. See below.
>> Obviously the installer does not determine the presence of 'mobile'
>> accounts and finds the next available UniqueID number available and
>> assigns it to the 'macports:staff'
>
> The same method has been used for years now to create new system users
> for Portfiles. So if you installed anything which required a new user,
> you would have run into this problem before, for example the messagebus
> user for dbus, polkituser for policykit or mysql for mysql4/mysql5.
>
> If this method is really a problem, you already had that before 2.0.0.
I'm assuming that the process is to find the highest unused UniqueID in
the local directory and use the next ID. For systems with no mobile
accounts and not a lot of users that's probably somewhere in the 500's.
I just did a port selfupdate on several systems. They all were set up with
a local administrator account which has UID 501, i.e. it was the first user
account created.
My Open Directory master (Snow Leopard Server) hosts the network accounts,
but OD users don't log in as mobile users on this system. Thus no Users in
the local domain with UniqueIDs above 1000. Here the macports user was
created with an ID in the low 500's.
On my laptop, which is connected to my Open Directory domain, my personal
account is set up as a mobile account, which means I have an account in the
local domain with a UID of 1025 and macports got an ID of 1026. That meant
that the Open Directory user with that ID (my wife) could no longer log into
her network account using my laptop. I manually changed the macports UniqueID
to an unused ID in the 500's and she could log in via my laptop again.
Maybe a solution is to have macports look for an unused ID below 1000. Of course
that might not work if a system has 500 local accounts.
- David
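The two allocation strategies discussed in this thread, as an added example that is not part of the original message or of MacPorts' own code: "highest local UID + 1", which collides with a directory user once a mobile account has pulled a 1025+ UID into the local node, versus "lowest unused UID below 1000 across every consulted node", the approach David suggests. The user listings are constructed for this example and follow the line format of `dscl <node> -list /Users UniqueID` (name, whitespace, UID); the user names and UIDs in them are made up.

```python
"""Pick a UID for a new system user without colliding with directory users.

Added example, not MacPorts' own code. It parses the line format produced by
`dscl <node> -list /Users UniqueID` (user name, whitespace, UID) for the local
node and an Open Directory node, then compares two allocation strategies.
Both listings below are constructed sample data, not real output.
"""
import re

# Constructed local node listing: an admin at 501 plus one mobile account
# whose UID (1025) was copied from the Open Directory domain.
LOCAL_LISTING = """\
root                0
daemon              1
_www                70
admin               501
dlb                 1025
"""

# Constructed Open Directory node listing: diradmin at 1000, users from 1025.
OD_LISTING = """\
diradmin            1000
dlb                 1025
spouse              1026
"""


def parse_dscl_uids(listing: str) -> dict:
    """Parse `dscl ... -list /Users UniqueID` style output into {name: uid}."""
    uids = {}
    for line in listing.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s*$", line)
        if m:
            uids[m.group(1)] = int(m.group(2))
    return uids


def next_uid_after_highest(local: dict) -> int:
    """Strategy assumed in the thread: highest UID in the local node, plus one.

    It never looks at the directory node, so a mobile account at 1025 makes it
    hand out 1026, which belongs to another directory user.
    """
    return max(local.values()) + 1


def lowest_free_uid(known: set, low: int = 501, high: int = 1000) -> int:
    """Lowest UID in [low, high) that no consulted node is using.

    `known` should be the union of UIDs from every node the machine
    authenticates against, so directory users are not shadowed.
    """
    for uid in range(low, high):
        if uid not in known:
            return uid
    raise RuntimeError(f"no free UID in [{low}, {high})")


def collisions(uid: int, *nodes: dict) -> list:
    """Names in any of the given nodes that already hold this UID."""
    return [name for node in nodes for name, u in node.items() if u == uid]


def main():
    local = parse_dscl_uids(LOCAL_LISTING)
    od = parse_dscl_uids(OD_LISTING)

    naive = next_uid_after_highest(local)
    print("highest+1 picks", naive, "-> shadows", collisions(naive, local, od))

    known = set(local.values()) | set(od.values())
    safe = lowest_free_uid(known)
    print("lowest free <1000 picks", safe, "-> shadows", collisions(safe, local, od))


if __name__ == "__main__":
    main()
```

On a real machine the listings would come from `dscl . -list /Users UniqueID` for the local node and `dscl /LDAPv3/<server> -list /Users UniqueID` for the Open Directory node; the point of consulting both is that the collision only shows up when the directory node is included in the check.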