<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 06/22/2012 09:34 AM, Rich Megginson wrote:
<blockquote cite="mid:4FE47467.8050700@redhat.com" type="cite">
On 06/21/2012 09:11 PM, george he wrote:
<blockquote
cite="mid:1340334677.64031.YahooMailNeo@web120006.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255,
255, 255); font-family: times new roman,new
york,times,serif; font-size: 12pt;">
<div><span>Hello Rich,</span></div>
<div><span>Thanks for the help. This does remove the group
so I can add the user back.</span></div>
<div><span>But when I try to ssh, as that user, to the
machines that the user logged on before "ipa user-del",
</span>I get "permission denied".</div>
<div>I removed the user's home directory because it still
belongs to the deleted UID:GID. After that I still get
"permission denied".</div>
<div>Any suggestions?</div>
</div>
</blockquote>
<br>
I don't know. I just wanted to make sure you were using
389-ds-base-1.2.11.5 or .6 or later on F-17 to avoid this
"dangling" private group in the future.<br>
<br>
</blockquote>
<br>
Maybe there will be some other file on the system owned by the
deleted user that ssh tries to read?<br>
<br>
<blockquote cite="mid:4FE47467.8050700@redhat.com" type="cite"> <br>
<blockquote
cite="mid:1340334677.64031.YahooMailNeo@web120006.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255,
255, 255); font-family: times new roman,new
york,times,serif; font-size: 12pt;">
<div>Thanks again,</div>
<div>George</div>
<div><br>
<blockquote style="border-left: 2px solid rgb(16, 16,
255); margin-left: 5px; margin-top: 5px; padding-left:
5px;">
<div style="font-family: times new roman,new
york,times,serif; font-size: 12pt;">
<div style="font-family: times new roman,new
york,times,serif; font-size: 12pt;">
<div dir="ltr"> <font size="2" face="Arial">
<hr size="1"> <b><span style="font-weight:
bold;">From:</span></b> Rich Megginson <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:rmeggins@redhat.com">&lt;rmeggins@redhat.com&gt;</a><br>
<b><span style="font-weight: bold;">To:</span></b>
george he <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:george_he7@yahoo.com">&lt;george_he7@yahoo.com&gt;</a>
<br>
<b><span style="font-weight: bold;">Cc:</span></b>
<a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
<a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:freeipa-users@redhat.com">&lt;freeipa-users@redhat.com&gt;</a>
<br>
<b><span style="font-weight: bold;">Sent:</span></b>
Thursday, June 21, 2012 2:43 PM<br>
<b><span style="font-weight: bold;">Subject:</span></b>
Re: [Freeipa-users] ipa user-add<br>
</font> </div>
<br>
<div id="yiv2096011740">
<div> On 06/21/2012 12:25 PM, george he wrote:
<blockquote type="cite">
<div style="color: rgb(0, 0, 0);
background-color: rgb(255, 255, 255);
font-family: times new roman,new
york,times,serif; font-size: 12pt;">
<div>Hello all,</div>
<div><br>
</div>
<div>After the server and the client are
installed, I run</div>
<div><br>
</div>
<div>ipa user-add myname<br>
</div>
<div><br>
</div>
<div>to add users. The users are added
successfully, but each user gets his own
GID, which is the same as his UID, even
though "ipa config-show --all" shows<br>
</div>
<div> Default users group: ipausers<br>
</div>
<div><br>
</div>
<div>How do I put all new users into this
ipausers group? If I use --gidnumber=INT,
how do I find out the GID of the ipausers
group?</div>
<div><br>
</div>
<div>I tried to delete a user using "ipa
user-del myname", but the private group
myname is left there. So I did the
following:<br>
</div>
<div><br>
</div>
<div># ipa group-del myname<br>
ipa: ERROR: Deleting a managed group is
not allowed. It must be detached first.<br>
# ipa group-detach myname<br>
ipa: ERROR: myname: group not found<br>
</div>
<div># ipa user-add myname<br>
First name: myfirstname<br>
Last name: mylastname<br>
ipa: ERROR: Unable to create private
group. A group 'myname' already exists.<br>
<br>
</div>
<div>How do I get out of this loop?</div>
</div>
</blockquote>
<br>
What is your platform and 389-ds-base version?<br>
<br>
I'm not familiar with group-detach, but you can
manually detach and remove the private group
using ldapsearch and ldapmodify:<br>
<br>
assuming you have done kinit admin:<br>
1) ldapsearch -LLL -Y GSSAPI cn=myname dn<br>
This will give you the DN of the group - ignore
any entries in the compat tree<br>
<br>
2) ldapmodify -Y GSSAPI &lt;&lt;EOF<br>
dn: DN of the group from ldapsearch<br>
changetype: modify<br>
delete: objectclass<br>
objectclass: mepManagedEntry<br>
-<br>
delete: mepManagedBy<br>
-<br>
<br>
dn: DN of the group from ldapsearch<br>
changetype: delete<br>
EOF<br>
<br>
This will remove the private group.<br>
<blockquote type="cite">
<div style="color: rgb(0, 0, 0);
background-color: rgb(255, 255, 255);
font-family: times new roman,new
york,times,serif; font-size: 12pt;">
<div><br>
</div>
<div>Thanks,</div>
<div>George</div>
<div><br>
</div>
</div>
<br>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" rel="nofollow" class="yiv2096011740moz-txt-link-abbreviated" ymailto="mailto:Freeipa-users@redhat.com" target="_blank" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" rel="nofollow" class="yiv2096011740moz-txt-link-freetext" target="_blank" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</div>
<br>
<br>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
</pre>
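Steps 1 and 2 from Rich's reply can be chained so that an entry from the compat tree is never the one that gets modified. This is an added example, not code from the thread; the sample search output, the dc=example,dc=com suffix and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of step 1 output; the suffix dc=example,dc=com is assumed.
SAMPLE_SEARCH='dn: cn=myname,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=myname,cn=groups,cn=compat,dc=example,dc=com
'

# Read "ldapsearch -LLL ... dn" output on stdin and print each entry DN,
# joining folded LDIF lines and skipping entries under the compat tree.
real_group_dns() {
    awk '
        function emit() {
            if (cur != "" && tolower(cur) !~ /,cn=compat,/) print cur
            cur = ""
        }
        /^ /    { if (cur != "") cur = cur substr($0, 2); next }
        { emit() }
        /^dn: / { cur = substr($0, 5) }
        END     { emit() }
    '
}

# Print the LDIF from step 2 for the single DN found on stdin.
# Fails without output when zero or several candidate entries are found.
detach_and_delete_ldif() {
    dns=$(real_group_dns)
    count=$(printf '%s\n' "$dns" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one non-compat entry, found $count" >&2
        return 1
    fi
    cat <<EOF
dn: $dns
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: $dns
changetype: delete
EOF
}

# Demo on the constructed sample. Against a live server the input would be
#   ldapsearch -LLL -Y GSSAPI cn=myname dn
# and the reviewed output would be fed to: ldapmodify -Y GSSAPI
printf '%s' "$SAMPLE_SEARCH" | detach_and_delete_ldif
```

Base64-encoded DNs (lines starting with "dn:: ") are not matched, so such a search result is refused instead of being guessed at.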
</body>
</html>