[Freeipa-users] Can I change new users' default group from 'ipausers' to something else?

Petr Spacek pspacek at redhat.com
Wed May 9 11:26:14 UTC 2012


On 05/08/2012 03:05 PM, Simo Sorce wrote:
> On Mon, 2012-05-07 at 18:01 -0700, David Copperfield wrote:
>> Hi,
>>
>>
>>   Can I change the default user group for new users to something else?
>> and disable automatic creation of private groups?
>
> Yes, and yes, although I wouldn't recommend so if you have more than a
> couple hundred users as that group will become enormous and will slow
> down clients trying to fetch and cache all the memberships.
>
> Having a common primary group is also often a security problem because
> the default netmask on Linux machines is 220 meaning that all users can
> read/write each other user's files by default if they all share the same
> group.
>>
>>   Basically I migrated hundreds of Linux accounts from openldap to IPA,
>> and those users have a default group 'exampleGroup' with GID<500. And
>> it is company policy to have all users use the same container user
>> group, and disable private groups.
>
> To change the default primary group you can simply locate the
> ipaDefaultPrimaryGroup attribute and change it from ipausers to whatever
> you want to use.
>
>>   So can I change the IPA policy to change the default user group from
>> 'ipausers' to something else, to 'exampleGroup'? What's the
>> immediate and potential effect of the adjustment? Thanks.
>>
> See above.
>
> Simo.
>

Just for completeness:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html-single/Identity_Management_Guide/index.html#Configuring_IPA_Users-Specifying_Default_User_Settings

Petr^2 Spacek
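
An added example, not part of the original thread: a small audit for the exposure Simo describes, listing entries under a directory that members of a shared primary group can reach through group permission bits. The function names and the sample umask values are assumptions chosen for illustration.

```python
import os
import stat

def mode_for_new_file(umask, requested=0o666):
    """Permission bits a new file gets: the requested bits minus the umask."""
    return requested & ~umask

def _traversable(st, shared_gid):
    # A non-owner member of shared_gid needs group x on the directory when the
    # directory's group is shared_gid, otherwise "other" x.
    bit = stat.S_IXGRP if st.st_gid == shared_gid else stat.S_IXOTH
    return bool(st.st_mode & bit)

def group_exposed(root, shared_gid):
    """Return sorted (relative_path, access) for entries under root that
    members of shared_gid can read ('r') and/or write ('w') via group bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful; skip them
            if stat.S_ISDIR(st.st_mode) and _traversable(st, shared_gid):
                keep.append(name)
            if st.st_gid != shared_gid:
                continue
            access = ("r" if st.st_mode & stat.S_IRGRP else "") + \
                     ("w" if st.st_mode & stat.S_IWGRP else "")
            if access:
                findings.append((os.path.relpath(path, root), access))
        dirnames[:] = keep  # do not descend into unreachable directories
    return sorted(findings)

if __name__ == "__main__":
    # Effect of the umask on new files (sample values, not read from a host).
    for um in (0o002, 0o022, 0o077):
        print(f"umask {um:03o} -> new file mode {mode_for_new_file(um):03o}")
    # Audit the current directory against the caller's own primary group.
    for rel, access in group_exposed(".", os.getgid()):
        print(f"{access:2} {rel}")
```

Run against a home directory tree with the GID of the shared group; a home directory with mode 0700 hides everything beneath it, which is why the walk prunes directories the group cannot traverse.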



