[Freeipa-users] Converting a user group to a non-posix group

Martin Kosek mkosek at redhat.com
Mon Jun 11 11:42:54 UTC 2012


On Mon, 2012-06-11 at 13:05 +0200, Sigbjorn Lie wrote:
> On Mon, June 11, 2012 12:53, Sigbjorn Lie wrote:
> >
> 
> > On Mon, June 11, 2012 12:21, Martin Kosek wrote:
> >
> >> On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote:
> >>
> >>
> >>> Hi,
> >>>
> >>>
> >>>
> >>> Is there a supported method for converting a posix user group to a
> >>> non-posix user group?
> >>>
> >>>
> >>> Regards,
> >>> Siggi
> >>>
> >>>
> >>
> >> I am not aware of any supported method. This step is more tricky than
> >> making a non-posix group a posix one, because you could break for example some existing file
> >> ownerships for such group.
> >>
> >> But if you really want to make a posix group non-posix you could run
> >> this group-mod command:
> >>
> >> # ipa group-show posix
> >> Group name: posix
> >> Description: foo
> >> GID: 1994800003
> >>
> >>
> >>
> >> # ipa group-mod posix --delattr=objectclass=posixgroup --setattr=gidnumber=
> >> ----------------------
> >> Modified group "posix"
> >> ----------------------
> >> Group name: posix
> >> Description: foo
> >>
> >>
> >
> > Ah, excellent. Yes I'm aware that it might break ownerships if the POSIX attrs are in use. However
> > we have some groups that are POSIX that do not need to be POSIX groups.
> >
> > I've done the change with an LDAP editor earlier, but that was the "supported" solution I was
> > looking for.
> >
> > Thanks.
> 
> 
> Is the "--delattr=" option new for 2.2? It does not exist in my 2.1 installation.
> 
> 
> Rgds,
> Siggi
> 
> 

It is new in IPA 2.2. In your case, you would need to set --setattr and
specify all required object classes minus "posixgroup". Unfortunately, I
see that new objectclass handling is not right in IPA 2.1:

# ipa group-mod posix --setattr=gidnumber= --setattr=objectclass=top,groupofnames,nestedgroup,ipausergroup,ipaobject
ipa: ERROR: unknown object class "top,groupofnames,nestedgroup,ipausergroup,ipaobject"

Thus, I think that using an LDIF you created may be the easiest way to
perform this task in IPA 2.1.

Martin
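
Added example, not part of the original message or of FreeIPA: a pre-flight check for the file-ownership risk raised in the thread, which emits the LDIF for the IPA 2.1 route only when no file under the scanned roots is still owned by the group's GID. The function names, the scan roots and the base DN passed in (dc=example,dc=com in the comments' sense) are assumptions.

```shell
#!/bin/sh
# Added example. Function names and the base DN passed in are assumptions.

# List paths under the given roots whose group owner is the numeric GID.
# After conversion these would resolve to no group name at all.
files_with_gid() {
    fw_gid=$1; shift
    find "$@" -xdev -group "$fw_gid" -print
}

# Emit an LDIF modify that removes posixGroup and gidNumber in one operation.
# FreeIPA keeps user groups under cn=groups,cn=accounts,<base DN>.
posix_to_nonposix_ldif() {
    cat <<EOF
dn: cn=$1,cn=groups,cn=accounts,$2
changetype: modify
delete: objectClass
objectClass: posixGroup
-
delete: gidNumber
-
EOF
}

# Print the LDIF only when a complete scan finds nothing owned by the GID.
# Returns 1 if files still use the GID, 2 if the scan itself failed.
plan_conversion() {
    pc_group=$1 pc_gid=$2 pc_base=$3; shift 3
    pc_hits=$(files_with_gid "$pc_gid" "$@") || {
        echo "scan incomplete (unreadable paths?); not emitting LDIF" >&2
        return 2
    }
    if [ -n "$pc_hits" ]; then
        printf 'GID %s still owns:\n%s\n' "$pc_gid" "$pc_hits" >&2
        return 1
    fi
    posix_to_nonposix_ldif "$pc_group" "$pc_base"
}
```

The output can be fed to ldapmodify with a bind identity that is allowed to modify groups. The scan only covers the roots given on the host where it runs, so other clients and file servers that resolve the same GID need their own pass.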



