[Freeipa-devel] Purpose of default user group

Rob Crittenden rcritten at redhat.com
Fri Mar 13 14:02:32 UTC 2015


Petr Vobornik wrote:
> Thanks all for the answers.
> 
> On 03/10/2015 03:27 PM, Rob Crittenden wrote:
>> Petr Vobornik wrote:
>>> In ipa migrate-ds we also set the group to all users who are not member
>>> of anything. Why is it important for a user to be a member of a group?
>>
>> Every POSIX user needs a default GID. We don't create user-private
>> groups for migrated users.
>>
> 

IPA to IPA migration is a bit of a special case, and not something we
really planned on (though we've tended to keep it basically working).

Migration was expected to be from an existing LDAP server providing
POSIX users and groups.

> How should default GID be set during migration? IMHO there are two issues:
> 
> 1. ipausers group is not a POSIX group. Which, btw, also creates this
> nice issue:
>   $ ipa user-add fbar --noprivate
>   First name: Foo
>   Last name: Bar
>   ipa: ERROR: Default group for new users is not POSIX

Right, we assumed that incoming users would already have valid groups.

> 2. migrated users have to be POSIX, therefore they have gidnumber and
> migrate-ds checks for its presence. But the command doesn't do anything
> with the GID number later, even if the group doesn't exist, nor in the step
> where the default group is set. Therefore, the default group, even if POSIX,
> would not work for this use case (set default GID number).

It does verify that the GID points to an existing group. If not, you'll
get a warning like:

GID number %s of migrated user %s does not point to a known group.

> Q: Is it expected that user private groups will be migrated? (e.g. for
> migration from another FreeIPA instance). If not, then there would be a
> lot of users without a private group with the same GID number as UID
> number.

IPA to IPA migration wasn't really planned out, so no.

It is slightly complex because it will add another remote LDAP call for
each user to see if they have an existing group in their name and ensure
that the group contains no members (or only this user). And then later
when groups are migrated skip over the existing private group silently.

> Q: Why don't we allow creating user private groups? What would be better
> if migrating from a FreeIPA instance: migrate private groups or create new
> private groups using the Managed Entries plugin?

Because of the additional logic in evaluating what the current state of
groups is on the remote server. It's doable but it would be slower.

Worth an RFE I think.

rob
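The checks discussed in this thread (a migrated user's gidNumber must name a known group, users in no group get the default group, and a user-private group is a group named after the user whose GID equals the user's UID and which has no members other than that user) can be modelled offline. The script below is an added example written for this thread, not FreeIPA's migrate-ds code; the entry dicts, the function names and the classification keys are constructed for illustration, only the warning text is the one quoted above.

```python
"""Pre-import classification of POSIX users and groups read from a remote
LDAP server, following the rules described in the thread.  Added example,
not FreeIPA code."""

# Constructed sample entries, shaped like the attributes a migration reads
# from the remote directory (uid/uidNumber/gidNumber, cn/gidNumber/memberUid).
SAMPLE_USERS = [
    {"uid": "alice", "uidNumber": 1001, "gidNumber": 1001},  # owns a private group
    {"uid": "bob",   "uidNumber": 1002, "gidNumber": 5000},  # member of 'devel'
    {"uid": "carol", "uidNumber": 1003, "gidNumber": 9999},  # dangling GID
    {"uid": "dave",  "uidNumber": 1004},                     # no gidNumber at all
]
SAMPLE_GROUPS = [
    {"cn": "alice", "gidNumber": 1001, "memberUid": []},
    {"cn": "devel", "gidNumber": 5000, "memberUid": ["bob"]},
    # Named like a user and GID == UID, but has an extra member: not private.
    {"cn": "eve",   "gidNumber": 1005, "memberUid": ["eve", "bob"]},
]

# Warning text quoted in the thread.
WARNING = "GID number %s of migrated user %s does not point to a known group."


def gid_warning(user, groups):
    """Return the warning if the user's gidNumber names no known group, else None."""
    gid = user.get("gidNumber")
    if gid is None or any(g["gidNumber"] == gid for g in groups):
        return None
    return WARNING % (gid, user["uid"])


def private_group_for(user, groups):
    """Return the group that is this user's private group, or None.

    Criteria from the thread: same name as the user, GID equal to the
    user's UID, and no members other than the user itself.
    """
    for g in groups:
        if g["cn"] != user["uid"] or g["gidNumber"] != user["uidNumber"]:
            continue
        if set(g.get("memberUid", [])) <= {user["uid"]}:
            return g
    return None


def plan_migration(users, groups):
    """Classify users and groups before import (hypothetical helper).

    Keys: 'warnings' (dangling GIDs), 'missing_gidnumber' (non-POSIX users),
    'not_in_any_group' (candidates for the default group),
    'private_groups_skipped' and 'groups_to_migrate'.
    """
    members = {m for g in groups for m in g.get("memberUid", [])}
    result = {"warnings": [], "missing_gidnumber": [], "not_in_any_group": [],
              "private_groups_skipped": [], "groups_to_migrate": []}
    private = set()
    for u in users:
        if u["uid"] not in members:
            result["not_in_any_group"].append(u["uid"])
        if "gidNumber" not in u:
            result["missing_gidnumber"].append(u["uid"])
            continue
        w = gid_warning(u, groups)
        if w:
            result["warnings"].append(w)
        pg = private_group_for(u, groups)
        if pg is not None:
            private.add(pg["cn"])
    result["private_groups_skipped"] = sorted(private)
    result["groups_to_migrate"] = [g["cn"] for g in groups if g["cn"] not in private]
    return result


if __name__ == "__main__":
    for key, value in plan_migration(SAMPLE_USERS, SAMPLE_GROUPS).items():
        print(key, value)
```

Running it against the constructed sample flags carol's GID 9999 with the quoted warning, lists dave as non-POSIX, marks alice, carol and dave as candidates for the default group, and skips only "alice" as a private group while "eve" is kept because it has a foreign member.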