The pkiuser user/group is only created when ipa-server-install is run. That makes it hard to move IPA's data from a container to a data volume, as in a vanilla container the records won't be there.
And if we do this, we could just as well hardcode some reasonable uid. For example, httpd does
/usr/sbin/useradd -c "Apache" -u 48 -s /sbin/nologin -r -d /usr/share/httpd apache 2> /dev/null || :
For pkiuser user:group, uid 17, gid 17 could be used as these were reserved in the Fedora 10 timeframe.
Steps to Reproduce:
1. Install pki-server.
2. Check /etc/group and /etc/passwd for pkiuser.
Actual results:
It's not there.
Expected results:
It should be there.
The process is explained at https://fedoraproject.org/wiki/Packaging:UsersAndGroups in great detail. I used the recipe to create a user and group for kdcproxy in FreeIPA. According to https://git.fedorahosted.org/cgit/setup.git/tree/uidgid uid 17 and gid 17 are still reserved for pkiuser. FreeIPA hard-codes uid/gid 17 in ipaplatform/redhat/tasks.py, too.
We can safely create the user and group ourselves. The installation code in FreeIPA checks if the group and user exist before it attempts to create them.
Per CS/DS meeting of 07/13/2015: 10.2.6
Cheimes' fix for this bug was checked into 'master':
commit 417adee8bc0607ccf43f1dd80fc08b870088937b
Author: Christian Heimes <cheimes@redhat.com>
Date:   Wed Jul 15 21:49:16 2015 +0200

    Create pkiuser user and group during installation

    The group 'pkiuser' and user 'pkiuser' are now created during the
    installation of the pki-server package.

    https://fedorahosted.org/pki/ticket/1468
Metadata Update from @mharmsen:
- Issue assigned to cheimes
- Issue set to the milestone: 10.2.6
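The check from the steps to reproduce, written as an added example that is not part of the ticket or of the Dogtag or FreeIPA code: it reads a passwd file and a group file and reports whether pkiuser exists with the reserved uid/gid 17, and whether another account already holds that id. The helper names, the file arguments and the sample account lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Dogtag or FreeIPA code. Checks passwd/group files for
# the pkiuser account with the reserved uid/gid 17 discussed in this ticket.
PKI_NAME=pkiuser
PKI_ID=17

# check_pkiuser PASSWD_FILE GROUP_FILE (hypothetical helper name)
# Prints one finding per line and returns 1 if anything is wrong.
check_pkiuser() {
    findings=$(
        awk -F: -v n="$PKI_NAME" -v id="$PKI_ID" '
            $1 == n  { seen = 1
                       if ($3 != id) print "user " n " has uid " $3 ", expected " id
                       if ($4 != id) print "user " n " has gid " $4 ", expected " id
                       next }
            $3 == id { print "uid " id " is already used by " $1 }
            END      { if (!seen) print "user " n " is missing" }
        ' "$1"
        awk -F: -v n="$PKI_NAME" -v id="$PKI_ID" '
            $1 == n  { seen = 1
                       if ($3 != id) print "group " n " has gid " $3 ", expected " id
                       next }
            $3 == id { print "gid " id " is already used by " $1 }
            END      { if (!seen) print "group " n " is missing" }
        ' "$2"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample data: a "vanilla" image without the account, and one
# where the package scriptlet has already created it.
write_samples() {
    dir=$1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin' > "$dir/passwd.vanilla"
    printf '%s\n' 'root:x:0:' 'apache:x:48:' > "$dir/group.vanilla"
    cp "$dir/passwd.vanilla" "$dir/passwd.fixed"
    cp "$dir/group.vanilla" "$dir/group.fixed"
    printf '%s\n' 'pkiuser:x:17:17:Certificate System:/usr/share/pki:/sbin/nologin' \
        >> "$dir/passwd.fixed"
    printf '%s\n' 'pkiuser:x:17:' >> "$dir/group.fixed"
}
```

Against a real image, call `check_pkiuser /etc/passwd /etc/group` after installing pki-server and before attaching a data volume whose files are owned by uid/gid 17.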
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2027
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.