[Freeipa-users] ipa user-add
Rich Megginson
rmeggins at redhat.com
Fri Jun 22 13:34:31 UTC 2012
On 06/21/2012 09:11 PM, george he wrote:
> Hello Rich,
> Thanks for the help. This does remove the group so I can add the user
> back.
> But when I try to ssh, as that user, to the machines that the user
> logged on before "ipa user-del", I get "permission denied".
> I removed the user's home directory because it still belongs to the
> deleted UID:GID. After that I still get "permission denied".
> Any suggestions?
I don't know. I just wanted to make sure you were using
389-ds-base-1.2.11.5 or .6 or later on F-17 to avoid this "dangling"
private group in the future.
> Thanks again,
> George
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson <rmeggins at redhat.com>
> *To:* george he <george_he7 at yahoo.com>
> *Cc:* "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> *Sent:* Thursday, June 21, 2012 2:43 PM
> *Subject:* Re: [Freeipa-users] ipa user-add
>
> On 06/21/2012 12:25 PM, george he wrote:
>> Hello all,
>>
>> After the server and the client are installed, I run
>>
>> ipa user-add myname
>>
>> to add users. The users are added successfully, but each user gets
>> his own GID, which is the same as his UID, even though "ipa
>> config-show --all" shows
>> Default users group: ipausers
>>
>> How do I put all new users to this ipausers group? If I use
>> --gidnumber=INT, how to find out the GID of the ipausers group?
>>
>> I tried to delete a user using "ipa user-del myname", but the
>> private group myname is left there. So I did the following:
>>
>> # ipa group-del myname
>> ipa: ERROR: Deleting a managed group is not allowed. It must be
>> detached first.
>> # ipa group-detach myname
>> ipa: ERROR: myname: group not found
>> # ipa user-add myname
>> First name: myfirstname
>> Last name: mylastname
>> ipa: ERROR: Unable to create private group. A group 'myname'
>> already exists.
>>
>> How do I get out of this loop?
>
> What is your platform and 389-ds-base version?
>
> I'm not familiar with group-detach, but you can manually detach
> and remove the private group using ldapsearch and ldapmodify:
>
> assuming you have done kinit admin:
> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
> This will give you the DN of the group - ignore any entries in the
> compat tree
>
> 2) ldapmodify -Y GSSAPI <<EOF
> dn: DN of the group from ldapsearch
> changetype: modify
> delete: objectclass
> objectclass: mepManagedEntry
> -
> delete: mepManagedBy
> -
>
> dn: DN of the group from ldapsearch
> changetype: delete
> EOF
>
> This will remove the private group.
>>
>> Thanks,
>> George
>
>
>
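Steps 1 and 2 of the quoted ldapsearch/ldapmodify procedure combined into one pipeline, as an added example that is not part of the original thread. The function names and the sample DNs under dc=example,dc=com are constructed for illustration, and the compat tree is assumed to sit under cn=compat.

```shell
# Constructed sample of `ldapsearch -LLL ... dn` output; the first DN is folded.
SAMPLE_SEARCH='dn: cn=myname,cn=groups,cn=accounts,dc=exa
 mple,dc=com

dn: cn=myname,cn=groups,cn=compat,dc=example,dc=com
'

# Step 1: print DNs from ldapsearch output on stdin, skipping the compat
# tree (assumed to sit under cn=compat).
real_group_dns() {
    awk '
        function flush() {
            if (buf ~ /^dn: / && tolower(buf) !~ /,cn=compat,/)
                print substr(buf, 5)
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }  # unfold continuation line
        { flush(); buf = $0 }
        END { flush() }
    '
}

# Step 2: the LDIF from the thread, with the DN filled in.
detach_ldif() {
    cat <<EOF
dn: $1
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: $1
changetype: delete
EOF
}

# Refuse to build LDIF unless exactly one non-compat entry matched.
build_ldif() {
    dns=$(real_group_dns)
    count=$(printf '%s\n' "$dns" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected 1 non-compat entry, found $count" >&2
        return 1
    fi
    detach_ldif "$dns"
}

printf '%s' "$SAMPLE_SEARCH" | build_ldif
```

After kinit admin, the live form is `ldapsearch -LLL -Y GSSAPI cn=myname dn | build_ldif | ldapmodify -Y GSSAPI`; running it without the final ldapmodify stage shows the LDIF for review first.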