We have an internal web server that writes some documents to the NFS share of our office users. Before we introduced UCS this was pretty simple (just add www-data to the group “office”), but since we introduced UCS we have had some problems, as www-data is a system user which can't be added to LDAP groups.
As a workaround I replicated the group manually as a system group:
root@example:~# id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
root@example:~# id bob
uid=2009(bob) gid=5001(Domain Users) groups=5001(Domain Users),5056(office)
root@example:~# vim /etc/group
...
office:x:5056:www-data
root@example:~# id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),5056(office)
Now www-data can access the “office” NFS share on the server “example”. It works, but it feels like a hack, and I have no clue what unintended consequences this might have*. Perhaps it'll make LDAP throw errors, or something like that? Is there a better way to grant www-data access to the share?
*aside from the security concerns that www-data can access the office share, of course.
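The check a practitioner would want to run after shadowing a directory group in /etc/group like this, as an added example that is not part of the original post or of UCS: does the local copy carry the same GID as the directory entry (otherwise files on the NFS server end up owned by a different group than the one www-data has), and which supplementary groups does a user actually end up with once both sources are merged, which is what a `group: files ldap` nsswitch setup typically does. The two group files below are constructed stand-ins for /etc/group and for the directory's view; on a live host they would come from `getent -s files group` and `getent -s ldap group` (or whatever NSS service the directory is behind). The function names, the file layout and the `5066` mistyping are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post or UCS): sanity checks for a local
# /etc/group entry that shadows a group served by LDAP. Inputs are group(5)-format
# files; the sample data below is constructed for this example.
set -eu

# gid_of NAME FILE: GID of group NAME in a group(5)-format file (empty if absent)
gid_of() {
    awk -F: -v n="$1" '$1 == n { print $3; exit }' "$2"
}

# check_shadow_group NAME LOCAL_FILE LDAP_FILE
# prints one of: not-in-ldap | absent-locally | gid-mismatch | ok
check_shadow_group() {
    local_gid=$(gid_of "$1" "$2")
    ldap_gid=$(gid_of "$1" "$3")
    if [ -z "$ldap_gid" ]; then
        echo not-in-ldap          # nothing to shadow; a purely local group
    elif [ -z "$local_gid" ]; then
        echo absent-locally       # only the directory knows this group
    elif [ "$local_gid" != "$ldap_gid" ]; then
        echo gid-mismatch         # same name, different GID: NFS ownership will not line up
    else
        echo ok
    fi
}

# supplementary_groups USER LOCAL_FILE LDAP_FILE
# union of the groups listing USER as a member in either source, one "gid(name)"
# per line sorted by GID (models how files and ldap memberships get merged)
supplementary_groups() {
    cat "$2" "$3" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { print $3 "(" $1 ")"; break } }' \
    | sort -u | sort -t'(' -k1,1n
}

# --- constructed sample data (hypothetical; mirrors the post's IDs) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOCAL_GROUPS=$WORK/group.files      # stand-in for /etc/group
LDAP_GROUPS=$WORK/group.ldap        # stand-in for `getent -s ldap group`
LOCAL_GROUPS_BAD=$WORK/group.files.bad

cat > "$LOCAL_GROUPS" <<'EOF'
root:x:0:
www-data:x:33:
office:x:5056:www-data
EOF

cat > "$LDAP_GROUPS" <<'EOF'
Domain Users:x:5001:bob,alice
office:x:5056:bob,alice
EOF

# the same local copy with a mistyped GID, to show what the check catches
sed 's/^office:x:5056:/office:x:5066:/' "$LOCAL_GROUPS" > "$LOCAL_GROUPS_BAD"

for g in office "Domain Users" www-data; do
    printf '%-14s %s\n' "$g" "$(check_shadow_group "$g" "$LOCAL_GROUPS" "$LDAP_GROUPS")"
done
printf 'mistyped copy: %s\n' "$(check_shadow_group office "$LOCAL_GROUPS_BAD" "$LDAP_GROUPS")"
echo "www-data:"; supplementary_groups www-data "$LOCAL_GROUPS" "$LDAP_GROUPS"
echo "bob:";      supplementary_groups bob      "$LOCAL_GROUPS" "$LDAP_GROUPS"
```

The GID check is the one that matters for NFS: the server only ever sees numeric IDs, so a local “office” with a different GID would quietly produce files that the real office group cannot read. The merged-membership listing is what `id` would show on the web server once both sources answer, and it is also where a duplicate name with two GIDs becomes visible.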