[Freeipa-users] Converting a user group to a non-posix group

Sigbjorn Lie sigbjorn at nixtra.com
Mon Jun 11 12:04:52 UTC 2012


On Mon, June 11, 2012 13:42, Martin Kosek wrote:
> On Mon, 2012-06-11 at 13:05 +0200, Sigbjorn Lie wrote:
>
>> On Mon, June 11, 2012 12:53, Sigbjorn Lie wrote:
>>
>>>
>>
>>> On Mon, June 11, 2012 12:21, Martin Kosek wrote:
>>>
>>>
>>>> On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote:
>>>>
>>>>
>>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Is there a supported method for converting a posix user group to a
>>>>> non-posix user group?
>>>>>
>>>>>
>>>>> Regards,
>>>>> Siggi
>>>>>
>>>>>
>>>>>
>>>>
>>>> I am not aware of any supported method. This step is more tricky than
>>>> making a non-posix group a posix one, because you could break, for
>>>> example, some existing file ownerships for such a group.
>>>>
>>>> But if you really want to make a posix group non-posix you could run
>>>> this group-mod command:
>>>>
>>>> # ipa group-show posix
>>>> Group name: posix
>>>> Description: foo
>>>> GID: 1994800003
>>>>
>>>>
>>>>
>>>>
>>>> # ipa group-mod posix --delattr=objectclass=posixgroup --setattr=gidnumber=
>>>> ----------------------
>>>> Modified group "posix"
>>>> ----------------------
>>>> Group name: posix
>>>> Description: foo
>>>>
>>>>
>>>>
>>>
>>> Ah, excellent. Yes, I'm aware that it might break ownerships if the POSIX
>>> attrs are in use. However, we have some groups that are POSIX that do not
>>> need to be POSIX groups.
>>>
>>> I've done the change with an LDAP editor earlier, but that was the
>>> "supported" solution I was looking for.
>>>
>>> Thanks.
>>>
>>
>>
>> Is the "--delattr=" option new for 2.2? It does not exist in my 2.1 installation.
>>
>>
>>
>> Rgds,
>> Siggi
>>
>>
>>
>
> It is new in IPA 2.2. In your case, you would need to set --setattr and
> specify all required object classes minus "posixgroup". Unfortunately, I
> see that new objectclass handling is not right in IPA 2.1:
>
> # ipa group-mod posix --setattr=gidnumber= --setattr=objectclass=top,groupofnames,nestedgroup,ipausergroup,ipaobject
> ipa: ERROR: unknown object class "top,groupofnames,nestedgroup,ipausergroup,ipaobject"
>
>
> Thus, I think that using an LDIF you created may be the easiest way to
> perform this task in IPA 2.1.
>

Ok, that's what I've done so far.

Thanks.

regards,
Siggi
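
The LDIF route mentioned above for IPA 2.1, as an added example that is not part of the original thread: a shell sketch that prints a modify LDIF dropping the posixGroup object class and gidNumber in one operation, and refuses to do so while files are still owned by the GID. The function names, the dc=example,dc=com suffix and the default cn=groups,cn=accounts container are assumptions, not taken from the messages.

```shell
#!/bin/sh
# Added example, not from the thread. Suffix and search root are placeholders.

# Print an LDIF that removes the POSIX parts of a group in ONE modify
# operation, so the entry never holds gidNumber without posixGroup.
#   $1 = group cn (assumed to contain no DN special characters)
#   $2 = directory suffix, e.g. dc=example,dc=com (placeholder)
# Assumes the default FreeIPA container cn=groups,cn=accounts.
make_nonposix_ldif() {
    cat <<EOF
dn: cn=$1,cn=groups,cn=accounts,$2
changetype: modify
delete: objectClass
objectClass: posixGroup
-
delete: gidNumber
EOF
}

# Count filesystem entries under $2 still owned by numeric GID $1.
# Run this on each client before the change: once the group loses its GID
# these entries keep the bare number and no longer resolve to a group name.
count_gid_files() {
    find "$2" -xdev -gid "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Refuse to emit the LDIF while anything under the checked root uses the GID.
#   $1 = group cn, $2 = GID, $3 = suffix, $4 = root to scan
safe_nonposix_ldif() {
    n=$(count_gid_files "$2" "$4")
    if [ "$n" -gt 0 ]; then
        echo "refusing: $n entries under $4 still owned by GID $2" >&2
        return 1
    fi
    make_nonposix_ldif "$1" "$3"
}
```

The printed LDIF is meant to be fed to ldapmodify, bound as a user allowed to modify the group entry.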




