The issue is that we are changing the names and gid numbering of some Unix groups. Some old groups were created with gid numbers that are now conflicting with reserved groups in current releases of operating systems popular in the department, such as Red Hat / CentOS and Ubuntu. Effective June 1, 2017, any IRIS-created group with a gid below 1000 will be renamed “was-XXX” and a new group created with the original name, and the same gid + 10,000. All users will be temporarily added to both groups. Our goal is to make a path now for people to upgrade to the newer groups and sunset the old groups and gids. We hope to have all users migrate their own files to the new groups, or ask IRIS to do it for them, by June 1, 2018, which gives us about 1 year to fully complete the transition. All groups with GIDs below 1000 will be removed from the mammoth group file at that time. (See examples at the end of this message.)
We will also be changing the primary group (the group listed in the passwd file) for all users with a primary gid < 1000, to the new gid for the same group. This may affect users access to un-migrated files since their processes will now run with the new gid. Migrating any files or access controls to the new group numbering scheme should resolve any issues that arise.
On May 23rd, we sent messages directly to affected users informing them about the changes and providing instructions on how to update their files. This targeted email listed the specific group or groups that are changing that affect that user.
Some reminders and updates will be posted on the IRIS website. More detailed updates and discussion can happen on the new moderated mailing list gid-updates@lists.eecs.berkeley.edu. Any interested parties can subscribe by visiting the list’s homepage here: https://lists.eecs.berkeley.edu/sympa/info/gid-updates
Here are some concrete examples.
Currently:
* grad:*:116:
* staff:*:772:
Between June 1 2017, and June 1 2018:
* was-grad:*:116:
* was-staff:*:772:
* grad:*:10116:
* staff:*:10772:
After June 1, 2018
* grad:*:10116:
* staff:*:10772:
UPDATE
[2017-05-31 13:31:47 | Rob McNicholas]
As announced earlier, IRIS will be renumbering Unix groups with GIDs below 1000 on Thursday, June 1 at 8am, and modifying the primary Unix group id for people in the affected groups. We will push the updated groups to NIS and LDAP by 8:15am.
Unix users may not see their updated groups until they logout and login again. Some Linux users may be able to run “newgrp -” to reinitialize their groups without logging out.
Please direct any questions to help@eecs.berkeley.edu
UPDATE
[2017-06-01 10:10:23 | Rob McNicholas]
The Unix groups with GID numbers below 1000 have been renumbered. The old groups have been renamed “was-XXX” and users have been temporarily added to both groups.
System administrators can get a new copy of the current Unix group file from /usr/sww/share/etc/group. This file can be found on login.eecs.berkeley.edu if your system does not mount /usr/sww/share.
These updates are now reflected in the mammoth NIS domain and in LDAP.
UPDATE
[2017-06-19 10:44:50 | Rob McNicholas]
There is one step in this project that has not yet been completed, which is to change the primary group ID (the gid listed in the passwd file) for any people whose primary gid is < 1000. This was delayed while we finished implementing an automatic procedure for future Unix passwd file updates. We will put this new procedure in place on Wednesday, June 21, and simultaneously launch a new self-serve page for updating Unix shells and passwords.
On June 21, 2017 at 8am, the primary gid for any Unix user whose gid is < 1000 will be updated to the new gid (old gid + 10,000). Users will still remain in both groups, but their default, primary gid will change. Any problems related to loss of access can be easily fixed by checking the ACLs (if using Windows) or using the Unix chgrp command to change the group of the problematic files or directories from "was-XXX" to "XXX". For example, if you can't read a file that is in the "was-myproject" group, use chgrp to change it to the "myproject" group.