[Freeipa-users] ipa user-add

Rich Megginson rmeggins at redhat.com
Fri Jun 22 13:34:31 UTC 2012


On 06/21/2012 09:11 PM, george he wrote:
> Hello Rich,
> Thanks for the help. This does remove the group so I can add the user 
> back.
> But when I try to ssh, as that user, to the machines that the user 
> logged on before "ipa user-del", I get "permission denied".
> I removed the user's home directory because it still belongs to the 
> deleted UID:GID. After that I still get "permission denied".
> Any suggestions?

I don't know.  I just wanted to make sure you were using 
389-ds-base-1.2.11.5 or .6 or later on F-17 to avoid this "dangling" 
private group in the future.


> Thanks again,
> George
>
>     ------------------------------------------------------------------------
>     *From:* Rich Megginson <rmeggins at redhat.com>
>     *To:* george he <george_he7 at yahoo.com>
>     *Cc:* "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>     *Sent:* Thursday, June 21, 2012 2:43 PM
>     *Subject:* Re: [Freeipa-users] ipa user-add
>
>     On 06/21/2012 12:25 PM, george he wrote:
>>     Hello all,
>>
>>     After the server and the client are installed, I run
>>
>>     ipa user-add myname
>>
>>     to add users. The users are added successfully, but each user gets
>>     his own GID, which is the same as his UID, even though "ipa
>>     config-show --all" shows
>>       Default users group: ipausers
>>
>>     How do I put all new users to this ipausers group? If I use
>>     --gidnumber=INT, how to find out the GID of the ipausers group?
>>
>>     I tried to delete a user using "ipa user-del myname", but the
>>     private group myname is left there. So I did the following:
>>
>>     # ipa group-del myname
>>     ipa: ERROR: Deleting a managed group is not allowed. It must be
>>     detached first.
>>     # ipa group-detach myname
>>     ipa: ERROR: myname: group not found
>>     # ipa user-add myname
>>     First name: myfirstname
>>     Last name: mylastname
>>     ipa: ERROR: Unable to create private group. A group 'myname'
>>     already exists.
>>
>>     How do I get out of this loop?
>
>     What is your platform and 389-ds-base version?
>
>     I'm not familiar with group-detach, but you can manually detach
>     and remove the private group using ldapsearch and ldapmodify:
>
>     assuming you have done kinit admin:
>     1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>     This will give you the DN of the group - ignore any entries in the
>     compat tree
>
>     2) ldapmodify -Y GSSAPI <<EOF
>     dn: DN of the group from ldapsearch
>     changetype: modify
>     delete: objectclass
>     objectclass: mepManagedEntry
>     -
>     delete: mepManagedBy
>     -
>
>     dn: DN of the group from ldapsearch
>     changetype: delete
>     EOF
>
>     This will remove the private group.
>>
>>     Thanks,
>>     George
>>
>
>
>
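
The manual detach-and-delete steps quoted above can be scripted so that compat-tree entries are skipped and nothing is generated unless exactly one entry remains. This is an added example, not part of the original thread: the function names and the sample DNs under dc=example,dc=com are constructed, and it assumes compat entries carry `,cn=compat,` in their DN.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ldapsearch -LLL ... dn` output on
# stdin and prints the detach-and-delete LDIF for the single non-compat entry.

# Constructed sample of ldapsearch output; the first DN is folded the way
# LDIF wraps long lines (continuation lines start with one space).
SAMPLE_OUTPUT='dn: cn=myname,cn=groups,cn=accou
 nts,dc=example,dc=com

dn: cn=myname,cn=groups,cn=compat,dc=example,dc=com
'

# Print one DN per line, unfolded, leaving out compat-tree entries.
# Base64-encoded DNs ("dn:: ") are not decoded and are therefore not listed.
list_real_dns() {
    awk '
        function emit() {
            if (dn != "" && tolower(dn) !~ /,cn=compat,/) print dn
            dn = ""
        }
        /^dn: / { emit(); dn = substr($0, 5); next }
        /^ /    { if (dn != "") dn = dn substr($0, 2); next }
                { emit() }
        END     { emit() }
    '
}

# Emit the LDIF from the thread, or fail if the target is missing or ambiguous.
build_detach_ldif() {
    dns=$(list_real_dns)
    count=$(printf '%s\n' "$dns" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one non-compat entry, found $count" >&2
        return 1
    fi
    cat <<EOF
dn: $dns
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: $dns
changetype: delete
EOF
}
```

After `kinit admin`, run `ldapsearch -LLL -Y GSSAPI cn=myname dn | build_detach_ldif` and read the generated LDIF before passing it to `ldapmodify -Y GSSAPI`.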
