[Freeipa-users] uid manipulation
Daniel Nall
daniel.nall at extension.org
Thu Nov 20 21:39:06 UTC 2008
Hey all,
First off, many thanks for providing this great tool. It's allowed
someone with very little knowledge of kerberos and ldap to create
something that works. With that said, I've run into a problem, which I
know is most likely my own doing. I'm just hoping that someone with more
knowledge could lend some insight.
I've recently started testing out Free IPA, and have a couple of
questions that I have been unable to find answers for. Currently, we're
using Open LDAP running on an Apple Xserve, but want to migrate away
from the XServes. Because we don't have a gigantic amount of users, I
made a simple "import" script that basically uses the ipa-adduser
command and adds all of our needed user accounts. I did the same thing
with groups and ipa-addgroup. Initially, this worked great. Everything
came across fine, ssh worked on ipa-clients, all was good. Users could
be added and removed from groups, and the results from running "groups
username" would correctly display the expected information.
Now comes the problem. I'm trying to alter the uidnumber and gidnumber
values in an attempt to mirror our existing configuration, and I'm
coming up way short. I've found that when using ipa-adduser, you can
specify the uidnumber or gidnumber by using the setattr option. (ex:
ipa-adduser -f john -l doe --setattr uidnumber=1111 jdoe)
Once this is done however, the output from "groups username" is nowhere
near what I would expect. In fact, the output from "groups jdoe" didn't
change at all from the initial return of "ipausers". What's really
throwing me is that the output from ipa-finduser -a jdoe is returning
what looks to be the correct information, but it's like the system isn't
getting that information from freeipa, or I've somehow misconfigured
freeipa to not know how to convey that information.
A quick example to illustrate my issue:
Clean Fedora Core 9 / ipa-server installation.
Install ipa-server, provide the required information to set up the
domain and realm etc.
ipa-adduser -f jane -l doe -p xxxxxx janedoe
ipa-adduser -f john -l doe -p yyyyyy --setattr uidnumber=1111 johndoe
ipa-adduser -f jim -l doe -p zzzzzz jimdoe
Both commands successfully create the users.
Next, I created a testgroup, and added the users:
ipa-addgroup -d "testgroup" testgroup
ipa-modgroup -a janedoe testgroup
ipa-modgroup -a johndoe testgroup
ipa-modgroup -a jimdoe testgroup
groups janedoe returns ipausers and testgroup
groups johndoe returns ipausers
groups jimdoe returns ipausers and testgroup
ipa-finduser -a janedoe returns that janedoe is a memberof: ipausers
and testgroup, and her uid is the default auto-assigned by ipa number
1100 (first user that was made)
ipa-finduser -a johndoe returns that johndoe is a memberof: ipausers and
testgroup, and his uid is the expected 1111
ipa-finduser -a jimdoe returns that jimdoe is a memberof: ipausers and
testgroup, and his uid is the default auto-assigned by ipa number 1101
Is there something I'm missing here? Is what I'm trying to do completely
insane? :)
Thanks for any advice,
Daniel