The current service group scheme, while workable, has design issues that cause problems with services global to all projects (NFS and databases being the primary examples).
Proposed new implementation:
- Globally unique UID/GIDs (that, I believe, is already the case)
- Names in the form $projectname.$groupname (rather than local-$groupname)
- All service groups under a single OU (and not per-project OUs)
- Usernames and group names must disallow '.'
Ideally, the decision on which system to use should be made per region, so that functionality in pmtpa is not impaired while the new system is geared up in eqiad.
(The change from one to the other implies changes in many system settings/scripts, not all of which could be tweaked to understand both schemes.)
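The sketch below is an added example, not part of the original report or any project code. It maps old per-project `local-$groupname` entries to flat `$projectname.$groupname` names and shows why '.' has to be banned from the components once every group lives in one OU. The allowed character set, the sample project names and the GIDs are assumptions.

```python
import re

# Assumption: components are lowercase letters, digits, '-' and '_'.
# The proposal itself only requires that '.' is not allowed.
COMPONENT = re.compile(r"[a-z][a-z0-9_-]*")
OLD_PREFIX = "local-"

def new_name(project, group):
    """Build $projectname.$groupname from dot-free components."""
    for part in (project, group):
        if not COMPONENT.fullmatch(part):
            raise ValueError(f"invalid name component: {part!r}")
    return f"{project}.{group}"

def split_name(name):
    """Recover (project, group); unambiguous because neither may contain '.'."""
    project, _, group = name.partition(".")
    new_name(project, group)  # raises if the separator is missing or repeated
    return project, group

def migrate(entries):
    """Map (project, old_group_name, gid) rows to names for the single OU."""
    mapping, gid_owner, errors = {}, {}, []
    for project, old, gid in entries:
        try:
            if not old.startswith(OLD_PREFIX):
                raise ValueError(f"not an old-style name: {old!r}")
            name = new_name(project, old[len(OLD_PREFIX):])
            if gid in gid_owner:
                raise ValueError(f"GID {gid} already used by {gid_owner[gid]}")
        except ValueError as exc:
            errors.append(f"{project}/{old}: {exc}")
            continue
        gid_owner[gid] = name
        mapping[(project, old)] = name
    return mapping, errors

# Constructed sample rows; project names and GIDs are made up.
SAMPLE = [
    ("tools", "local-admin", 50001),
    ("deployment", "local-admin", 50002),  # same old name, other project
    ("tools.web", "local-admin", 50003),   # '.' in project: would be ambiguous
    ("tools", "local-web.admin", 50004),   # '.' in group: same flat name as above
    ("bots", "local-runner", 50001),       # GID is not globally unique
]

if __name__ == "__main__":
    mapping, errors = migrate(SAMPLE)
    print(mapping)
    print("\n".join(errors))
```

Without the '.' restriction, the third and fourth rows would both become `tools.web.admin` in the shared OU, and a consumer could no longer tell which project owns the group.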