Human Readable - Modifying User and Group IDs to Support a Home Network


	Human Readable

	GNU/Linux Journal How-Tos and Essays A Slackware Desktop Enhancement Guide Home

	Modifying User and Group IDs to Support a Home Network © Copyright Darrell Anderson. When I installed Slackware on my first box I created various user accounts and group names. When I acquired a second box, I repeated the routine. All was well until I decided to network the boxes. I then discovered what is probably a common problem in this type of expansion project. I had established unique human readable user and group names, but allowed the system to automagically assign the underlying UIDs and GIDs. For stand alone boxes this is fine, but on a network, as I discovered, this is called an Oops. My approach created the interesting problem in that UID 100 on Box 1 can see and modify the files on Box 2 owned by UID 100, although the human readable user names are different. The reason is that to the system the UID and GID are the true identifiers, not the human readable names. For a home or small office network this problem might seem insignificant. Yet, even in a home or small network, users expect a degree of privacy with respect to their personal files. My challenge after discovering this Oops was to find a remedy. Fortunately I needed to modify only a couple of accounts and groups. Bits and pieces for solving this problem are available online, but I found no straightforward instructions for resolving this particular challenge. After accumulating sufficient information and then testing on my own network, I decided to write this mini how-to—both to remind myself of the solution and to help others. I suspect I am not the first person to run into this cute little challenge and this guideline should benefit many people. Realize that in large networks various options are available to create, synchronize, and maintain unique account and group IDs, such as LDAP (Lightweight Directory Access Protocol), NIS (Network Information Service), etc. Those options probably are overkill for a small home LAN. If any synchronization is needed, probably a simple script would suffice. For most people managing a small network, however, the key to solving this problem is understanding how to proceed in a methodical manner. There are four files that maintain the data for user and group IDs: /etc/group /etc/gshadow /etc/passwd /etc/shadow One could directly edit these files to modify user and group IDs, but there is a better and safer method and that is to use some handy commands. To modify the IDs use groupmod and usermod. However, merely modifying the group and user IDs is not the end of the story, which was a lesson I learned the first time I modified some user and group IDs. The clincher, which is not obvious from the many helpful tutorials online is that the file permissions of the entire system must be updated to the new user and group IDs. For that the find, chown, and chgrp commands come to the rescue. The first step is investigate the user and group IDs on each box that needs to be modified. Then compare those lists to determine which user and group IDs you will modify. Here is the approach I used successfully: I created a written table of the user names, groups names, current IDs and new IDs. I used Kompare to find the differences between the /etc/group files on my two boxes. That file contains both user and group ID information. All of the group IDs less than 100 should be exactly the same if you are using the same GNU/Linux distro. Each user account is assigned to a primary group. That primary group typically has the same name as the user account. I modified each user-based primary group GID: groupmod -g new_gid userprimarygroupname I then ensured that the user ID was still assigned to the previous primary group: usermod username -g userprimarygroupname Next I modified each user’s UID: usermod -u new_uid username I then modified all system files to the appropriate UID/GID: find / -uid old_uid -exec chown username {} \; find / -gid old_gid -exec chgrp userprimarygroupname {} \; I then test each account by logging in. For example, I have some user accounts on Box 1 with users IDs 500 and 501. Likewise on Box 2. I do not want those users having access to the same IDs on the opposite box. I decide to modify users 500 and 501 on Box 2. By coincidence, the group IDs are the same as the user IDs. This is probable on a small home network although unlikely on a large network. Pretend the account names are Laverne and Shirley, respectively. I decided to assign user and group IDs that will not clash with any accounts on Box 1. I modified each user-based primary group GID: groupmod -g 505 laverne groupmod -g 506 shirley I then ensured that the user ID was still assigned to the previous primary group: usermod laverne -g laverne usermod shirley -g shirley Next I modified each user’s UID: usermod -u 505 laverne usermod -u 506 shirley I then modified all system files to the appropriate UID/GID: find / -uid 500 -exec chown laverne {} \; find / -gid 500 -exec chgrp laverne {} \; find / -uid 501 -exec chown shirley {} \; find / -gid 501 -exec chgrp shirley {} \; Be forewarned that performing this task is best when the users are not logged in to the system. Additionally, searching the entire files system takes several minutes per user on older hardware. If performing the find and file ownership modifications in one fell swoop daunts you, then first perform a system search and redirect the output to a text file. You then can inspect that file to your satisfaction. For example, find / -uid 500 > ~/uid_500.txt. There additional modifications needed if your users have cron table or at entries. Lastly, I tried using kuser (KDE 3.4.3), but on testing the user’s login, login/bash reported no /home directory found. That told me that kuser does not modify the file permissions on the user’s home directory. Additionally, kuser provides no way to modify group IDs, nor any means of modifying system files to the new IDs. Although kuser is a handy utility to add new and modify existing accounts, the command line is the better solution to solve this little problem. Finis. Table of Contents


	GNU/Linux Journal How-Tos and Essays A Slackware Desktop Enhancement Guide Contact Me Terms of Use Search Home