[Freeipa-users] Can I change new users' default group from 'ipausers' to some thing else?
Simo Sorce
simo at redhat.com
Tue May 8 13:05:50 UTC 2012
On Mon, 2012-05-07 at 18:01 -0700, David Copperfield wrote:
> Hi,
>
>
> Can I change the default user group for new users to something else?
> and disable automatically creation of private groups?
Yes, and yes, although I wouldn't recommend so if you have more than a
couple hundred users as that group will become enormous and will slow
down clients trying to fetch and cache all the memberships.
Having a common primary group is also often a security problem because
the default netmask on Linux machines is 220 meaning that all users can
read/write each other user' files by default if they all share the same
group.
>
> Basically I migrates hundreds of Linux accounts from openldap to IPA,
> and those users have a default group 'exampleGroup' with GID <500. And
> it is company policy to have all users to use the same container user
> group, and disable private groups.
To change the default primary group you can simply locate the
ipaDefaultPrimaryGroup attribute and change it from ipausers to whatever
you want to use.
> So can I change the IPA policy to change the default user group from
> 'ipausers' to some thing else to 'exampleGroup'? what's the
> immediately and potential effect on adjustment? Thanks.
>
See above.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list