[Freeipa-users] uid manipulation

Daniel Nall daniel.nall at extension.org
Thu Nov 20 21:39:06 UTC 2008


Hey all,

First off, many thanks for providing this great tool. It's allowed 
someone with very little knowledge of kerberos and ldap to create 
something that works. With that said, I've run into a problem, which I 
know is most likely my own doing. I'm just hoping that someone with more 
knowledge could lend some insight.

I've recently started testing out Free IPA, and have a couple of 
questions that I have been unable to find answers for. Currently, we're 
using Open LDAP running on an Apple Xserve, but want to migrate away 
from the XServes. Because we don't have a gigantic amount of users, I 
made a simple "import" script that basically uses the ipa-adduser 
command and adds all of our needed user accounts. I did the same thing 
with groups and ipa-addgroup. Initially, this worked great. Everything 
came across fine, ssh worked on ipa-clients, all was good. Users could 
be added and removed from groups, and the results from running "groups 
username" would correctly display the expected information.

Now comes the problem. I'm trying to alter the uidnumber and gidnumber 
values in an attempt to mirror our existing configuration, and I'm 
coming up way short. I've found that when using ipa-adduser, you can 
specify the uidnumber or gidnumber by using the setattr option. ( ex: 
ipa-adduser -f john -l doe --setattr uidnumber=1111 jdoe )

Once this is done however, the output from "groups username" is nowhere 
near what I would expect. In fact, the output from "groups jdoe" didn't 
change at all from the initial return of "ipausers". What's really 
throwing me is that the output from ipa-finduser -a jdoe is returning 
what looks to be the correct information, but it's like the system isn't 
getting that information from freeipa, or I've somehow misconfigured 
freeipa to not know how to convey that information.

A quick example to illustrate my issue:

Clean Fedora Core 9 / ipa-server installation.

Install ipa-server, provide the required information to set up the 
domain and realm etc.

ipa-adduser -f jane -l doe -p xxxxxx janedoe
ipa-adduser -f john -l doe -p yyyyyy --setattr uidnumber=1111 johndoe
ipa-adduser -f jim -l doe -p zzzzzz jimdoe

Both commands successfully create the users.

Next, I created a testgroup, and added the users

ipa-addgroup -d "testgroup" testgroup
ipa-modgroup -a janedoe testgroup
ipa-modgroup -a johndoe testgroup
ipa-modgroup -a jimdoe testgroup

groups janedoe returns ipausers and testgroup
groups johndoe returns ipausers
groups jimdoe returns ipausers and testgroup

ipa-finduser -a janedoe returns that janedoe is a memberof: ipausers 
and testgroup, and her uid is the default auto-assigned by ipa number 
1100 (first user that was made)
ipa-finduser -a johndoe returns that johndoe is a memberof: ipausers and 
testgroup, and his uid is the expected 1111
ipa-finduser -a jimdoe returns that jimdoe is a memberof: ipausers and 
testgroup, and his uid is the default auto-assigned by ipa number 1101


Is there something I'm missing here? Is what I'm trying to do completely 
insane? :)

Thanks for any advice,
Daniel