
Re: Permissions on NFS mounts



On Thu, Dec 10, 2020 at 10:42:36AM -0500, Greg Wooledge wrote:
In the context of the original question, having a consistent set of
local user accounts (name/UID pairs) across all of your systems in
an NFS environment is useful for making sure all files have consistent
ownership.  Even on the systems where, say, charlie will never log in,
seeing that the files in /home/charlie are owned by user "charlie" is
helpful.

It's practically impossible to sync everything on a modern system in the presence of dynamically allocated IDs. The best you can hope for is to sync a certain *range* of IDs and by convention only use IDs in that range within NFS exports. If something outside that range happens to sneak into the export it'll look weird, but has no real effect on security. (If you're using sec=sys on an NFS mount you have no security outside of what the client chooses to implement.)

Historically this could be done by being diligent in manually creating passwd entries, via yp/nis to distribute a common passwd file, or via various configuration management schemes to automate local passwd file management. In most normal (heterogeneous) environments these did only manage a certain range, and trying to sync system users was simply not done because it was harder than it was worth.
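
An added example, not part of the original message: a small audit that checks whether the name/UID pairs inside an agreed shared range are consistent across hosts, ignoring dynamically allocated IDs outside it. The range 20000-29999, the host names and the passwd contents are constructed assumptions.

```python
from collections import defaultdict

SHARED_RANGE = range(20000, 30000)  # assumed site convention for NFS-visible UIDs

# Constructed passwd(5) contents for two hypothetical NFS clients.
PASSWD = {
    "hostA": """\
root:x:0:0:root:/root:/bin/bash
systemd-network:x:101:103::/run/systemd:/usr/sbin/nologin
charlie:x:20001:20001:Charlie:/home/charlie:/bin/bash
dana:x:20002:20002:Dana:/home/dana:/bin/bash
""",
    "hostB": """\
root:x:0:0:root:/root:/bin/bash
systemd-network:x:104:110::/run/systemd:/usr/sbin/nologin
charlie:x:20001:20001:Charlie:/home/charlie:/bin/bash
erin:x:20002:20002:Erin:/home/erin:/bin/bash
dana:x:20003:20003:Dana:/home/dana:/bin/bash
""",
}

def parse_passwd(text):
    """Yield (name, uid) from passwd-format text, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            yield fields[0], int(fields[2])

def audit(passwd_by_host, shared=SHARED_RANGE):
    """Return sorted findings for accounts whose UID lies in the shared range."""
    names_by_uid, uids_by_name, hosts_by_name = (defaultdict(set) for _ in range(3))
    for host, text in passwd_by_host.items():
        for name, uid in parse_passwd(text):
            if uid in shared:  # system IDs outside the range are not compared
                names_by_uid[uid].add(name)
                uids_by_name[name].add(uid)
                hosts_by_name[name].add(host)
    findings = []
    # One UID mapped to different names: files appear owned by the wrong user.
    findings += [("uid", u, sorted(n)) for u, n in names_by_uid.items() if len(n) > 1]
    # One name with different UIDs: the same person owns different files per host.
    findings += [("name", n, sorted(u)) for n, u in uids_by_name.items() if len(u) > 1]
    # Account absent on some host: its files show up there as a bare number.
    for name, hosts in hosts_by_name.items():
        absent = sorted(set(passwd_by_host) - hosts)
        if absent:
            findings.append(("missing", name, absent))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(PASSWD):
        print(finding)
```
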

