On 7/24/19 8:20 AM, Ulrich Windl wrote:
Still what's unclear: Was the question more like "s/5000/10000/" (and back), or was it more like "GIG_local = GID_global - 5000" (and reverse)?
I'm not the original poster.
But let's assume you have GIG 5000 in your file system as group ownership but this does not exist in your directory. Now when accessing the file the system has to know which users are members of the group referenced by GID 5000.
Let's further assume that you have a posixGroup entry with gidNumber=10000 in your directory which has the required member set for your access control needs based on GID 5000. So you might want to let the NSS client see this posixGroup and its members as having gidNumber=5000 (kind of a different ID view).
There are more complicated use-cases like conflicting ID ranges after company merger. This is was DBIS addresses by implementing a custom schema and custom NSS client.
Anyway, I'd rather recommend to bite the bullet and clean up the ID mess, no matter how hard it looks like. Because if you don't then you'll pile up a huge mess of technical depths nobody can really control. And that's a real security issue.
Ciao, Michael.