<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 06/21/2012 03:10 PM, george he wrote:
<blockquote
cite="mid:1340305818.5219.YahooMailNeo@web120005.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); font-family: times new roman,new york,times,serif;
font-size: 12pt;">
<div><span>it's x86_64 2.2.0-1.fc17.</span></div>
<div><span>Thanks,</span></div>
<div><span>George<br>
</span></div>
</div>
</blockquote>
<br>
<br>
You are looking at the private group feature.<br>
By default IPA encourages you to take advantage of the user private
groups - the groups that have only the current user in them.<br>
The value of this is that the files on the file system can be
owned just by the user. It is a good practice.<br>
To turn it off, there is a utility to turn off the managed entries
creation.<br>
<br>
Please do not use LDAP directly (at least yet).<br>
<br>
There is another feature that allows one to specify criteria for
placing users or hosts into groups. <br>
Users in the past were automatically placed into the ipausers
group, but not any more, for the security reasons explained above and
for performance reasons, as one huge group causes sssd to pull
everybody on the first lookup.<br>
<br>
<blockquote
cite="mid:1340305818.5219.YahooMailNeo@web120005.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); font-family: times new roman,new york,times,serif;
font-size: 12pt;">
<div><br>
<blockquote style="border-left: 2px solid rgb(16, 16, 255);
margin-left: 5px; margin-top: 5px; padding-left: 5px;">
<div style="font-family: times new roman,new
york,times,serif; font-size: 12pt;">
<div style="font-family: times new roman,new
york,times,serif; font-size: 12pt;">
<div dir="ltr"> <font size="2" face="Arial">
<hr size="1"> <b><span style="font-weight: bold;">From:</span></b>
Rob Crittenden <a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com">&lt;rcritten@redhat.com&gt;</a><br>
<b><span style="font-weight: bold;">To:</span></b>
Rich Megginson <a class="moz-txt-link-rfc2396E" href="mailto:rmeggins@redhat.com">&lt;rmeggins@redhat.com&gt;</a> <br>
<b><span style="font-weight: bold;">Cc:</span></b>
george he <a class="moz-txt-link-rfc2396E" href="mailto:george_he7@yahoo.com">&lt;george_he7@yahoo.com&gt;</a>;
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">&lt;freeipa-users@redhat.com&gt;</a> <br>
<b><span style="font-weight: bold;">Sent:</span></b>
Thursday, June 21, 2012 2:54 PM<br>
<b><span style="font-weight: bold;">Subject:</span></b>
Re: [Freeipa-users] ipa user-add<br>
</font> </div>
<br>
Rich Megginson wrote:<br>
> On 06/21/2012 12:25 PM, george he wrote:<br>
>> Hello all,<br>
>><br>
>> After the server and the client are
installed, I run<br>
>><br>
>> ipa user-add myname<br>
>><br>
>> to add users. The users are added
successfully, but each user gets his<br>
>> own GID, which is the same as his UID, even
though "ipa config-show<br>
>> --all" shows<br>
>> Default users group: ipausers<br>
>><br>
>> How do I put all new users to this ipausers
group? If I use<br>
>> --gidnumber=INT, how to find out the GID of
the ipausers group?<br>
<br>
It would help to know what version and platform of IPA
you are using. <br>
The method differs by version.<br>
<br>
>><br>
>> I tried to delete a user using "ipa user-del
myname", but the private<br>
>> group myname is left there. So I did the
following:<br>
>><br>
>> # ipa group-del myname<br>
>> ipa: ERROR: Deleting a managed group is not
allowed. It must be<br>
>> detached first.<br>
>> # ipa group-detach myname<br>
>> ipa: ERROR: myname: group not found<br>
>> # ipa user-add myname<br>
>> First name: myfirstname<br>
>> Last name: mylastname<br>
>> ipa: ERROR: Unable to create private group. A
group 'myname' already<br>
>> exists.<br>
>><br>
>> How do I get out of this loop?<br>
><br>
> What is your platform and 389-ds-base version?<br>
><br>
> I'm not familiar with group-detach, but you can
manually detach and<br>
> remove the private group using ldapsearch and
ldapmodify:<br>
><br>
> assuming you have done kinit admin:<br>
> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn<br>
> This will give you the DN of the group - ignore
any entries in the<br>
> compat tree<br>
><br>
> 2) ldapmodify -Y GSSAPI &lt;&lt;EOF<br>
> dn: DN of the group from ldapsearch<br>
> changetype: modify<br>
> delete: objectclass<br>
> objectclass: mepManagedEntry<br>
> -<br>
> delete: mepManagedBy<br>
> -<br>
><br>
> dn: DN of the group from ldapsearch<br>
> changetype: delete<br>
> EOF<br>
><br>
> This will remove the private group.<br>
>><br>
>> Thanks,<br>
>> George<br>
>><br>
>><br>
>><br>
>>
_______________________________________________<br>
>> Freeipa-users mailing list<br>
>> <a moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
>> <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
><br>
><br>
><br>
<br>
<br>
<br>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
</pre>
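<br>
The private-group property described in the reply above, as an added example that is not part of the original message or of FreeIPA: a shell function that reads passwd and group data and reports, per user, whether the primary group is a private group. The function names <code>audit_upg</code> and <code>non_private_users</code> and the sample accounts are constructed for illustration.<br>

```shell
#!/bin/sh
# Added example (not from the original thread): report whether each user's
# primary group is a user private group, i.e. it carries the user's own name
# and lists no other members.

# Constructed sample data in `getent passwd` / `getent group` format.
SAMPLE_PASSWD='alice:*:1001:1001:Alice A:/home/alice:/bin/bash
bob:*:1002:1002:Bob B:/home/bob:/bin/bash
carol:*:1003:5000:Carol C:/home/carol:/bin/bash
dave:*:1004:1004:Dave D:/home/dave:/bin/bash'
SAMPLE_GROUP='alice:*:1001:
bob:*:1002:
dave:*:1004:erin
ipausers:*:5000:alice,bob,carol,dave'

# audit_upg PASSWD_TEXT GROUP_TEXT
# Prints "<user> <status>" per passwd line. Status values:
#   private                primary group is named after the user, no other members
#   shared:<group>         primary group is a differently named (shared) group
#   extra-members:<group>  group is named after the user but has other members
#   missing-group          primary GID does not match any supplied group
audit_upg() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk -F: '
        $0 == "---" { in_passwd = 1; next }
        # Group section: index group name and member list by GID.
        !in_passwd && NF >= 4 { gname[$3] = $1; members[$3] = $4; next }
        # Passwd section: field 4 is the primary GID.
        in_passwd && NF >= 4 {
            user = $1; gid = $4
            if (!(gid in gname)) {
                status = "missing-group"
            } else if (gname[gid] != user) {
                status = "shared:" gname[gid]
            } else if (members[gid] != "" && members[gid] != user) {
                status = "extra-members:" gname[gid]
            } else {
                status = "private"
            }
            print user, status
        }'
}

# Users whose files would be group-owned by something other than a private group.
non_private_users() {
    audit_upg "$1" "$2" | awk '$2 != "private" { print $1 }'
}

audit_upg "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

Pass the output of <code>getent passwd</code> and <code>getent group</code> for the accounts and groups of interest; SSSD does not enumerate domain entries by default, so name them explicitly.<br>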
</body>
</html>