[Freeipa-devel] Purpose of default user group
Petr Vobornik
pvoborni at redhat.com
Fri Mar 13 13:15:21 UTC 2015

Thanks all for the answers.

On 03/10/2015 03:27 PM, Rob Crittenden wrote:
> Petr Vobornik wrote:
>> In ipa migrate-ds we also set the group to all users who are not member
>> of anything. Why is it important for a user to be a member of a group?
>
> Every POSIX user needs a default GID. We don't create user-private
> groups for migrated users.
>
How should default GID be set during migration? IMHO there are two issues:

1. ipausers group is not a POSIX group. Which, btw, also creates this
nice issue:

    $ ipa user-add fbar --noprivate
    First name: Foo
    Last name: Bar
    ipa: ERROR: Default group for new users is not POSIX

2. migrated users have to be POSIX therefore they have gidnumber and
migrate-ds checks for its presence. But the command doesn't do anything
with the GID number later even if the group doesn't exist nor in a step
where default group is set. Therefore, default group, even if POSIX,
would not work for this use case (set default GID number).

Q: Is it expected that user private groups will be migrated? (e.g. for
migration from other FreeIPA instance). If not, then there would be a
lot of users without a private group with the same GID number as UID number.

Q: Why don't we allow creating a user private group? What would be better
if migrating from FreeIPA instance: migrate private groups or create new
private groups using Managed Entries plugin?

--
Petr Vobornik
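
The situation described in point 2 of the message above (a migrated user keeps a gidnumber for which no group exists) can be checked for after a migration. The following Python is an added example, not part of the original message and not FreeIPA code: it scans LDIF-style entries and reports POSIX users whose gidNumber matches no posixGroup entry. The sample entries, the example.test suffix and the function names are assumptions made for illustration.

```python
# Added example: constructed LDIF-style sample entries; function names are illustrative.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 5000

dn: cn=staff,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
cn: staff
gidNumber: 5000

dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: groupOfNames
cn: ipausers
"""


def parse_entries(ldif):
    """Parse blank-line-separated, unfolded 'attr: value' records into dicts of lists."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def dangling_gids(entries):
    """Return {uid: gidNumber} for POSIX users whose GID has no posixGroup entry."""
    def has_class(e, name):
        return name in (c.lower() for c in e.get("objectclass", []))
    # Only POSIX groups count: a non-POSIX group such as ipausers has no gidNumber.
    group_gids = {g for e in entries if has_class(e, "posixgroup")
                  for g in e.get("gidnumber", [])}
    # A user with no gidNumber at all is reported with an empty string.
    return {e["uid"][0]: gid for e in entries if has_class(e, "posixaccount")
            for gid in e.get("gidnumber", [""]) if gid not in group_gids}


if __name__ == "__main__":
    print(dangling_gids(parse_entries(SAMPLE_LDIF)))
```

In the constructed data, alice's GID equals her UID but her private group was not carried over, so she is the one reported; bob's GID resolves to the POSIX group staff.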