On Sat, Aug 09, 2008 at 10:28:25PM -0400, Glenn Brunette wrote:
> I have seen this although admittedly on Solaris 10 and earlier not on
> OpenSolaris with IPS.  At a number of recent customers I found accounts
> like "web", "ldap", etc. who had up to 3 or 4 different UIDs across
> about 200 systems.  Again, this is partly an awareness and education
> effort, but it is happening enough that we need to at least not dismiss
> the issue in our deliberations.

For accounts like "openldap" which should have local storage (or remote
only through iSCSI, but not through NFS) such variation in local
reserved IDs across many systems should be irrelevant.  And if need be
Solaris could enforce that dynamically allocated local IDs are not used
over the wire in AUTH_SYS/NFSv2/3.

But if the assumption of local (or remote only through iSCSI) storage
doesn't hold then dynamic assignment of reserved IDs must be thrown out.

I think we should look first into raising the reserved ID limit as that
seems to be the simplest, though somewhat risky solution.

If we must reject that, then we should look into ephemeral IDs.  But
note how eph IDs almost necessarily imply local-only storage: certainly
they can't be used in AUTH_SYS and NFSv2/3, which means...  NFSv4 and
RPCSEC_GSS, which for regular GSS-API mechanisms also implies a
significant credential management cost (since multiple local accounts
would need credentials), or the cost of adding new GSS pseudo-mechanisms
to lower that credential management cost.

Nico
-- 
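As an added example, not part of Nico's or Glenn's messages and not Solaris code: a small Python audit over passwd snapshots constructed here, which finds the drift Glenn describes (one account name carrying several UIDs across hosts) and the converse (one UID naming different accounts on different hosts), the case that matters once numeric IDs cross the wire under AUTH_SYS.

```python
# Added example (not from the thread): audit /etc/passwd snapshots collected
# from several hosts for UID drift. Over AUTH_SYS NFSv2/3 only the numeric UID
# crosses the wire, so "web" being 80 on one host and 101 on another means
# files owned by "web" there map to whatever account holds 101 here.
from collections import defaultdict

# Constructed sample: host name -> passwd(4) lines (only name and uid matter)
SAMPLE_PASSWD = {
    "host-a": ["root:x:0:0:root:/:/sbin/sh",
               "web:x:80:80:Web:/var/web:/bin/false",
               "ldap:x:389:389:LDAP:/var/ldap:/bin/false"],
    "host-b": ["root:x:0:0:root:/:/sbin/sh",
               "web:x:101:101:Web:/var/web:/bin/false",
               "ldap:x:389:389:LDAP:/var/ldap:/bin/false"],
    "host-c": ["root:x:0:0:root:/:/sbin/sh",
               "web:x:80:80:Web:/var/web:/bin/false",
               "backup:x:101:101:Backup:/var/backup:/bin/false"],
}

def parse_passwd(lines):
    """Return {name: uid} from passwd(4)-style lines, skipping malformed ones."""
    entries = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        entries[fields[0]] = int(fields[2])
    return entries

def uid_drift(snapshots):
    """Account names that have more than one UID: {name: {uid: sorted hosts}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for host, lines in snapshots.items():
        for name, uid in parse_passwd(lines).items():
            seen[name][uid].add(host)
    return {name: {uid: sorted(h) for uid, h in uids.items()}
            for name, uids in seen.items() if len(uids) > 1}

def uid_collisions(snapshots):
    """UIDs that name different accounts on different hosts: {uid: {name: hosts}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for host, lines in snapshots.items():
        for name, uid in parse_passwd(lines).items():
            seen[uid][name].add(host)
    return {uid: {n: sorted(h) for n, h in names.items()}
            for uid, names in seen.items() if len(names) > 1}
```

Feeding it real snapshots (one `/etc/passwd` per host) gives the list of accounts whose local IDs must not be trusted across an AUTH_SYS mount.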