[Freeipa-users] ipa user-add
Dmitri Pal
dpal at redhat.com
Fri Jun 22 13:43:56 UTC 2012
On 06/22/2012 09:34 AM, Rich Megginson wrote:
> On 06/21/2012 09:11 PM, george he wrote:
>> Hello Rich,
>> Thanks for the help. This does remove the group so I can add the user
>> back.
>> But when I try to ssh, as that user, to the machines that the user
>> logged on before "ipa user-del", I get "permission denied".
>> I removed the user's home directory because it still belongs to the
>> deleted UID:GID. After that I still get "permission denied".
>> Any suggestions?
>
> I don't know. I just wanted to make sure you were using
> 389-ds-base-1.2.11.5 or .6 or later on F-17 to avoid this "dangling"
> private group in the future.
>
Maybe there is some other file on the system owned by the deleted
user that ssh tries to read?
>
>> Thanks again,
>> George
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson <rmeggins at redhat.com>
>> *To:* george he <george_he7 at yahoo.com>
>> *Cc:* "freeipa-users at redhat.com" <freeipa-users at redhat.com>
>> *Sent:* Thursday, June 21, 2012 2:43 PM
>> *Subject:* Re: [Freeipa-users] ipa user-add
>>
>> On 06/21/2012 12:25 PM, george he wrote:
>>> Hello all,
>>>
>>> After the server and the client are installed, I run
>>>
>>> ipa user-add myname
>>>
>>> to add users. The users are added successfully, but each user
>>> gets his own GID, which is the same as his UID, even though "ipa
>>> config-show --all" shows
>>> Default users group: ipausers
>>>
>>> How do I put all new users to this ipausers group? If I use
>>> --gidnumber=INT, how to find out the GID of the ipausers group?
>>>
>>> I tried to delete a user using "ipa user-del myname", but the
>>> private group myname is left there. So I did the following:
>>>
>>> # ipa group-del myname
>>> ipa: ERROR: Deleting a managed group is not allowed. It must be
>>> detached first.
>>> # ipa group-detach myname
>>> ipa: ERROR: myname: group not found
>>> # ipa user-add myname
>>> First name: myfirstname
>>> Last name: mylastname
>>> ipa: ERROR: Unable to create private group. A group 'myname'
>>> already exists.
>>>
>>> How do I get out of this loop?
>>
>> What is your platform and 389-ds-base version?
>>
>> I'm not familiar with group-detach, but you can manually detach
>> and remove the private group using ldapsearch and ldapmodify:
>>
>> assuming you have done kinit admin:
>> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>> This will give you the DN of the group - ignore any entries in
>> the compat tree
>>
>> 2) ldapmodify -Y GSSAPI <<EOF
>> dn: DN of the group from ldapsearch
>> changetype: modify
>> delete: objectclass
>> objectclass: mepManagedEntry
>> -
>> delete: mepManagedBy
>> -
>>
>> dn: DN of the group from ldapsearch
>> changetype: delete
>> EOF
>>
>> This will remove the private group.
>>>
>>> Thanks,
>>> George
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
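
Added example, not part of the thread and not FreeIPA's own tooling: a shell helper for the two quoted ldapsearch/ldapmodify steps that drops compat-tree entries, unfolds wrapped DN lines, and refuses to build the delete LDIF unless exactly one group DN remains. The function names and the dc=example,dc=com suffix are assumptions made for illustration, and the sample search output is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.

# Constructed "ldapsearch -LLL ... dn" output: one compat-tree entry and the
# real group entry, whose DN is folded onto a continuation line.
sample_ldapsearch_output() {
    cat <<'EOF'
dn: cn=myname,cn=groups,cn=compat,dc=example,dc=com

dn: cn=myname,cn=groups,cn=accounts,dc=exa
 mple,dc=com

EOF
}

# Unfold LDIF continuation lines (leading single space), then print each
# plain "dn:" value that is not under cn=compat. Base64 "dn::" lines are
# skipped, so single_dn below refuses instead of guessing.
pick_group_dn() {
    awk '
        function emit(line) {
            if (line ~ /^dn: / && tolower(line) !~ /cn=compat,/)
                print substr(line, 5)
        }
        /^ / { buf = buf substr($0, 2); next }
             { emit(buf); buf = $0 }
        END  { emit(buf) }
    '
}

# Print the DN only when exactly one candidate remains; otherwise fail so
# nothing is deleted on an ambiguous or empty search result.
single_dn() {
    dns=$(pick_group_dn)
    [ -n "$dns" ] && [ "$(printf '%s\n' "$dns" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$dns"
}

# Emit the two-record LDIF from step 2 (detach, then delete) for one DN.
make_detach_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: objectclass\n' "$1"
    printf 'objectclass: mepManagedEntry\n-\ndelete: mepManagedBy\n-\n\n'
    printf 'dn: %s\nchangetype: delete\n' "$1"
}

# Offline demo on the constructed sample. Real use, after "kinit admin":
#   dn=$(ldapsearch -LLL -Y GSSAPI cn=myname dn | single_dn) &&
#       make_detach_ldif "$dn" | ldapmodify -Y GSSAPI
make_detach_ldif "$(sample_ldapsearch_output | single_dn)"
```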