On 7/24/19 8:20 AM, Ulrich Windl wrote:
> Still what's unclear:
> Was the question more like "s/5000/10000/" (and back), or was it more like
> "GID_local = GID_global - 5000" (and reverse)?
I'm not the original poster.
But let's assume you have GID 5000 in your file system as group
ownership but this does not exist in your directory. Now when accessing
the file the system has to know which users are members of the group
referenced by GID 5000.
Let's further assume that you have a posixGroup entry with
gidNumber=10000 in your directory which has the required member set for
your access control needs based on GID 5000. So you might want to let
the NSS client see this posixGroup and its members as having
gidNumber=5000 (kind of a different ID view).
There are more complicated use-cases like conflicting ID ranges after a
company merger. This is what DBIS addresses by implementing a custom
schema and a custom NSS client.
Anyway, I'd rather recommend biting the bullet and cleaning up the ID
mess, no matter how hard it looks. Because if you don't, you'll
pile up a huge mess of technical debt nobody can really control.
And that's a real security issue.
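The two remapping styles Ulrich asked about (a per-group table vs. an arithmetic offset) behave very differently once local and directory ID ranges overlap. The script below is an added illustration for this thread, not code from DBIS, OpenLDAP or any real NSS module: it simulates an NSS "ID view" over a handful of constructed posixGroup entries, answers a getgrgid-style lookup through that view, and reports when two directory groups would be presented under the same local GID. The group names, GIDs, members and the 5000/10000 ranges are all made up for the example.

```python
"""Simulate an NSS 'ID view' that presents directory posixGroup entries
under remapped gidNumbers, and check the remapping for collisions.

Added example for the mailing-list discussion above; not DBIS, OpenLDAP
or nss-pam-ldapd code. All entries and ranges are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class PosixGroup:
    """Minimal stand-in for an LDAP posixGroup entry."""
    cn: str
    gid_number: int
    member_uid: list = field(default_factory=list)


# Constructed sample directory: gidNumber 10000 carries the members whose
# access on the file system is controlled by GID 5000 (the thread's case).
# 'legacy' already sits inside the range an offset mapping would produce.
DIRECTORY = [
    PosixGroup("project-a", 10000, ["alice", "bob"]),
    PosixGroup("project-b", 10001, ["carol"]),
    PosixGroup("legacy", 5001, ["dave"]),
]


def explicit_view(group, table=None):
    """Per-group remapping, the 's/10000/5000/' style: only listed GIDs change."""
    table = {10000: 5000} if table is None else table
    return table.get(group.gid_number, group.gid_number)


def offset_view(group, offset=5000, lo=10000, hi=19999):
    """Range remapping, the 'GID_local = GID_global - 5000' style: every
    directory GID in [lo, hi] is shifted down by offset."""
    if lo <= group.gid_number <= hi:
        return group.gid_number - offset
    return group.gid_number


def collisions(groups, view):
    """Return {local_gid: [cn, ...]} for every local GID that more than one
    directory group would map onto under `view`."""
    owners = {}
    for g in groups:
        owners.setdefault(view(g), []).append(g.cn)
    return {gid: names for gid, names in owners.items() if len(names) > 1}


def apply_view(groups, view):
    """Groups as the NSS client would present them. Refuses to build the
    view if two directory groups collide on one local GID, because the
    file system could then no longer tell which members it is granting."""
    clash = collisions(groups, view)
    if clash:
        raise ValueError(f"ID view is not injective: {clash}")
    return [PosixGroup(g.cn, view(g), list(g.member_uid)) for g in groups]


def getgrgid(groups, view, gid):
    """Emulate getgrgid(3) through the view: members of local GID `gid`,
    or None when no directory group is presented under that GID."""
    for g in apply_view(groups, view):
        if g.gid_number == gid:
            return g.member_uid
    return None


if __name__ == "__main__":
    # Through the explicit view, file-system GID 5000 resolves to the
    # members of the directory group with gidNumber 10000.
    print("5000 ->", getgrgid(DIRECTORY, explicit_view, 5000))
    # The offset view silently maps project-b (10001) onto legacy's 5001.
    print("offset collisions:", collisions(DIRECTORY, offset_view))
```

The explicit table only rewrites the GIDs you list, so `legacy` keeps 5001 and lookups for 5000 return the intended members. The offset form rewrites a whole range, and as soon as any locally used GID lies inside the target range (5001 here) two groups claim one GID; `apply_view` refuses to serve such a view rather than let whichever entry the directory returns first decide who gets access. That is the "conflicting ID ranges" situation in the reply, and the reason a table-driven view, or better, cleaning up the IDs, is preferable to arithmetic remapping.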