[Freeipa-users] ipa user-add
george he
george_he7 at yahoo.com
Thu Jun 21 20:07:31 UTC 2012
Hello Dmitri,
OK, I can accept the good practice of using private groups, then I need to delete the "left over" group.
The instructions in the document failed as stated in my original email.
Any suggestions how to delete the private group whose user has been deleted?
Thanks,
George
>________________________________
> From: Dmitri Pal <dpal at redhat.com>
>To: freeipa-users at redhat.com
>Sent: Thursday, June 21, 2012 3:47 PM
>Subject: Re: [Freeipa-users] ipa user-add
>
>
>On 06/21/2012 03:10 PM, george he wrote:
>>it's x86_64 2.2.0-1.fc17.
>>Thanks,
>>George
>>
>
>You are looking at the private group feature.
>By default IPA encourages you to take advantage of the user private
>groups - the groups that have only current user in them.
>The value of this is that the files on the file system can be
>owned just by the user. It is a good practice.
>To turn it off there is a utility to turn the managed entries
>creation.
>
>Please do not use LDAP directly (at least yet).
>
>There is another feature that allows one to specify a criteria for
>placing users or hosts into groups.
>Users in the past were automatically placed into the ipausers
>group but not any more for security reasons explained above and
>for performance reasons as one huge group causes sssd to pull
>everybody on the first lookup.
>
>
>
>>
>>
>>>________________________________
>>> From: Rob Crittenden <rcritten at redhat.com>
>>>To: Rich Megginson <rmeggins at redhat.com>
>>>Cc: george he <george_he7 at yahoo.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>>>Sent: Thursday, June 21, 2012 2:54 PM
>>>Subject: Re: [Freeipa-users] ipa user-add
>>>
>>>Rich Megginson wrote:
>>>> On 06/21/2012 12:25 PM, george he wrote:
>>>>> Hello all,
>>>>>
>>>>> After the server and the client are installed, I run
>>>>>
>>>>> ipa user-add myname
>>>>>
>>>>> to add users. The users are added successfully, but each user gets his
>>>>> own GID, which is the same as his UID, even though "ipa config-show
>>>>> --all" shows
>>>>> Default users group: ipausers
>>>>>
>>>>> How do I put all new users to this ipausers group? If I use
>>>>> --gidnumber=INT, how to find out the GID of the ipausers group?
>>>
>>>It would help to know what version and platform of IPA you are using.
>>>The method differs by version.
>>>
>>>>>
>>>>> I tried to delete a user using "ipa user-del myname", but the private
>>>>> group myname is left there. So I did the following:
>>>>>
>>>>> # ipa group-del myname
>>>>> ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
>>>>> # ipa group-detach myname
>>>>> ipa: ERROR: myname: group not found
>>>>> # ipa user-add myname
>>>>> First name: myfirstname
>>>>> Last name: mylastname
>>>>> ipa: ERROR: Unable to create private group. A group 'myname' already exists.
>>>>>
>>>>> How do I get out of this loop?
>>>>
>>>> What is your platform and 389-ds-base version?
>>>>
>>>> I'm not familiar with group-detach, but you can manually detach and
>>>> remove the private group using ldapsearch and ldapmodify:
>>>>
>>>> assuming you have done kinit admin:
>>>> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>>>> This will give you the DN of the group - ignore any entries in the
>>>> compat tree
>>>>
>>>> 2) ldapmodify -Y GSSAPI <<EOF
>>>> dn: DN of the group from ldapsearch
>>>> changetype: modify
>>>> delete: objectclass
>>>> objectclass: mepManagedEntry
>>>> -
>>>> delete: mepManagedBy
>>>> -
>>>>
>>>> dn: DN of the group from ldapsearch
>>>> changetype: delete
>>>> EOF
>>>>
>>>> This will remove the private group.
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>>
>
>
>--
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager IPA project,
>Red Hat Inc.
>
>-------------------------------
>Looking to carve out IT costs?
>www.redhat.com/carveoutcosts/
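
Added example (not part of the original thread, and not FreeIPA project code): the detach-and-delete steps Rich Megginson describes above, as a shell helper that picks the group DN out of `ldapsearch -LLL` output, skips compat-tree entries, rejoins folded LDIF lines, and prints the LDIF for review instead of applying it. The function names and the dc=example,dc=com suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The dc=example,dc=com suffix is a placeholder.

# Read `ldapsearch -LLL ... dn` output on stdin; print the one group DN outside cn=compat.
mep_group_dn() {
    awk '
        function flush() {
            # keep the DN unless it lives under the compat tree
            if (cur != "" && index("," tolower(cur), ",cn=compat,") == 0) dn[++n] = cur
            cur = ""
        }
        /^ /     { if (cur != "") cur = cur substr($0, 2); next }  # folded LDIF line
                 { flush() }
        /^dn:: / { b64 = 1; next }      # base64-encoded DN: refuse rather than guess
        /^dn: /  { cur = substr($0, 5) }
        END      { flush(); if (b64 || n != 1) exit 1; print dn[1] }
    '
}

# Emit the two-step LDIF from the thread: detach the managed entry, then delete it.
mep_detach_ldif() {
    dn=$(mep_group_dn) || {
        echo "expected exactly one plain-text DN outside cn=compat" >&2
        return 1
    }
    cat <<EOF
dn: $dn
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: $dn
changetype: delete
EOF
}

# Constructed sample of search output: one compat entry, one real entry with a folded DN.
SAMPLE_SEARCH_OUTPUT='dn: cn=myname,cn=groups,cn=compat,dc=example,dc=com

dn: cn=myname,cn=groups,cn=accounts,dc=exa
 mple,dc=com
'

printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | mep_detach_ldif
```

The helper fails without printing any LDIF when the search returns zero or several non-compat DNs, so a filter that matches more than the intended group cannot turn into an unintended delete.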