<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> On 06/21/2012 03:10 PM, george he wrote: <blockquote cite="mid:1340305818.5219.YahooMailNeo@web120005.mail.ne1.yahoo.com" type="cite"> <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: times new roman,new york,times,serif; font-size: 12pt;"> <div>it's x86_64 2.2.0-1.fc17.</div> <div>Thanks,</div> <div>George </div> </div> </blockquote> You are looking at the private group feature. By default IPA encorages you to take advantage of the user private groups - the groups that have only current user in them. The value of this is that the files on the file system can be owned just by the user. It is a good practice. To turn it off there is a utility to turn the managed entries creation. Please do not use LDAP directly (at least yet). There is another feature that allows one to specify a criteria for placing users or hosts into groups. Users in the past were automatically placed into the ipausers group but not any more for security reasons explained above and for performance reasons as one huge group causes sssd to pull everybody on the first lookup. <blockquote cite="mid:1340305818.5219.YahooMailNeo@web120005.mail.ne1.yahoo.com" type="cite"> <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: times new roman,new york,times,serif; font-size: 12pt;"> <div> <blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; margin-top: 5px; padding-left: 5px;"> <div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"> <div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> From: Rob Crittenden <a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a> To: Rich Megginson <a class="moz-txt-link-rfc2396E" href="mailto:rmeggins@redhat.com"><rmeggins@redhat.com></a> Cc: george he <a class="moz-txt-link-rfc2396E" href="mailto:george_he7@yahoo.com"><george_he7@yahoo.com></a>; <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a> <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a> Sent: Thursday, June 21, 2012 2:54 PM Subject: Re: [Freeipa-users] ipa user-add </div> Rich Megginson wrote: > On 06/21/2012 12:25 PM, george he wrote: >> Hello all, >> >> After the server and the client are installed, I run >> >> ipa user-add myname >> >> to add users. The users are added successfully, but each user get his >> own GID, which is the same as his UID, even though "ipa config-show >> --all" shows >> Default users group: ipausers >> >> How do I put all new users to this ipausers group? If I use >> --gidnumber=INT, how to find out the GID of the ipausers group? It would help to know what version and platform of IPA you are using. The method differs by version. >> >> I tried to delete a user using "ipa user-del myname", but the private >> group myname is left there. So I did the following: >> >> # ipa group-del myname >> ipa: ERROR: Deleting a managed group is not allowed. It must be >> detached first. >> # ipa group-detach myname >> ipa: ERROR: myname: group not found >> # ipa user-add myname >> First name: myfirstname >> Last name: mylastname >> ipa: ERROR: Unable to create private group. A group 'myname' already >> exists. >> >> How do I get out of this loop? > > What is your platform and 389-ds-base version? > > I'm not familiar with group-detach, but you can manually detach and > remove the private group using ldapsearch and ldapmodify: > > assuming you have done kinit admin: > 1) ldapsearch -LLL -Y GSSAPI cn=myname dn > This will give you the DN of the group - ignore any entries in the > compat tree > > 2) ldapmodify -Y GSSAPI <<EOF > dn: DN of the group from ldapsearch > changetype: modify > delete: objectclass > objectclass: mepManagedEntry > - > delete: mepManagedBy > - > > dn: DN of the group from ldapsearch > changetype: delete > EOF > > This will remove the private group. >> >> Thanks, >> George >> >> >> >> _______________________________________________ >> Freeipa-users mailing list >> <a moz-do-not-send="true" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> >> <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > > _______________________________________________ > Freeipa-users mailing list > <a moz-do-not-send="true" ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </div> </div> </blockquote> </div> </div> <pre wrap=""> <fieldset class="mimeAttachmentHeader"></fieldset> _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>