[Freeipa-users] ipa user-add

Dmitri Pal dpal at redhat.com
Thu Jun 21 19:47:23 UTC 2012


On 06/21/2012 03:10 PM, george he wrote:
> it's x86_64  2.2.0-1.fc17.
> Thanks,
> George


You are looking at the private group feature.
By default IPA encourages you to take advantage of the user private
groups - the groups that have only current user in them.
The value of this is that the files on the file system can be owned just
by the user. It is a good practice.
To turn it off, there is a utility to turn off the managed entries creation.

Please do not use LDAP directly (at least yet).

There is another feature that allows one to specify criteria for
placing users or hosts into groups.
Users in the past were automatically placed into the ipausers group but
not any more for security reasons explained above and for performance
reasons as one huge group causes sssd to pull everybody on the first lookup.

>
>     ------------------------------------------------------------------------
>     *From:* Rob Crittenden <rcritten at redhat.com>
>     *To:* Rich Megginson <rmeggins at redhat.com>
>     *Cc:* george he <george_he7 at yahoo.com>; "freeipa-users at redhat.com"
>     <freeipa-users at redhat.com>
>     *Sent:* Thursday, June 21, 2012 2:54 PM
>     *Subject:* Re: [Freeipa-users] ipa user-add
>
>     Rich Megginson wrote:
>     > On 06/21/2012 12:25 PM, george he wrote:
>     >> Hello all,
>     >>
>     >> After the server and the client are installed, I run
>     >>
>     >> ipa user-add myname
>     >>
>     >> to add users. The users are added successfully, but each user
>     get his
>     >> own GID, which is the same as his UID, even though "ipa config-show
>     >> --all" shows
>     >> Default users group: ipausers
>     >>
>     >> How do I put all new users to this ipausers group? If I use
>     >> --gidnumber=INT, how to find out the GID of the ipausers group?
>
>     It would help to know what version and platform of IPA you are using.
>     The method differs by version.
>
>     >>
>     >> I tried to delete a user using "ipa user-del myname", but the
>     private
>     >> group myname is left there. So I did the following:
>     >>
>     >> # ipa group-del myname
>     >> ipa: ERROR: Deleting a managed group is not allowed. It must be
>     >> detached first.
>     >> # ipa group-detach myname
>     >> ipa: ERROR: myname: group not found
>     >> # ipa user-add myname
>     >> First name: myfirstname
>     >> Last name: mylastname
>     >> ipa: ERROR: Unable to create private group. A group 'myname'
>     already
>     >> exists.
>     >>
>     >> How do I get out of this loop?
>     >
>     > What is your platform and 389-ds-base version?
>     >
>     > I'm not familiar with group-detach, but you can manually detach and
>     > remove the private group using ldapsearch and ldapmodify:
>     >
>     > assuming you have done kinit admin:
>     > 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>     > This will give you the DN of the group - ignore any entries in the
>     > compat tree
>     >
>     > 2) ldapmodify -Y GSSAPI <<EOF
>     > dn: DN of the group from ldapsearch
>     > changetype: modify
>     > delete: objectclass
>     > objectclass: mepManagedEntry
>     > -
>     > delete: mepManagedBy
>     > -
>     >
>     > dn: DN of the group from ldapsearch
>     > changetype: delete
>     > EOF
>     >
>     > This will remove the private group.
>     >>
>     >> Thanks,
>     >> George
>     >>
>     >>
>     >>
>     >> _______________________________________________
>     >> Freeipa-users mailing list
>     >> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>     >> https://www.redhat.com/mailman/listinfo/freeipa-users
>     >
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
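The manual detach-and-delete sequence Rich quotes above, wrapped in a small POSIX sh script as an added example (not code from the thread or from the FreeIPA project). It assumes a valid admin Kerberos ticket (kinit admin) and the OpenLDAP ldapsearch/ldapmodify clients; the cn=compat filter implements Rich's note about ignoring compat-tree entries, and the DN in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example: scripts the ldapsearch/ldapmodify steps from the thread.
# Assumes a valid Kerberos ticket (kinit admin) and openldap-clients.

# Read `ldapsearch -LLL ... dn` output on stdin and print the DN of the
# real group entry, skipping the compat-tree copies (…,cn=compat,…).
# Constructed sample input:
#   dn: cn=myname,cn=groups,cn=compat,dc=example,dc=com
#   dn: cn=myname,cn=groups,cn=accounts,dc=example,dc=com
# -> cn=myname,cn=groups,cn=accounts,dc=example,dc=com
pick_group_dn() {
    grep '^dn: ' | grep -vi 'cn=compat' | head -n 1 | sed 's/^dn: //'
}

# Emit the two-record LDIF from Rich's message for the given DN: first strip
# the mepManagedEntry objectclass and the mepManagedBy link (detach), then
# delete the now-unmanaged group entry.
detach_ldif() {
    cat <<EOF
dn: $1
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: $1
changetype: delete
EOF
}

# Look the group up over GSSAPI, refuse to act if only compat entries (or
# nothing) matched, and apply the LDIF. Prints the target DN to stderr first.
remove_private_group() {
    name=$1
    dn=$(ldapsearch -LLL -Y GSSAPI "cn=$name" dn | pick_group_dn)
    if [ -z "$dn" ]; then
        echo "no non-compat group entry found for cn=$name" >&2
        return 1
    fi
    echo "Removing managed group: $dn" >&2
    detach_ldif "$dn" | ldapmodify -Y GSSAPI
}
```

Call `remove_private_group myname` for the stuck group from the thread; `ipa user-add myname` should then succeed again.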




