[Freeipa-users] Lesson learned: don't do this.

[KodaK]

Just wanted to pass along an issue I just had.

We have some legacy local users on some boxes, and we need to have a mix of
those local users and IPA users in the same groups.

In order for that to happen (at least on AIX) I need to create a group in
IPA with the GID of the local group.  This can be a problem because the GID
may be used by different groups on different boxes (we inherited this mess.)

To organize this, I would create groups like this in IPA:

host1-foogroup:208
host2-bargroup:208
host3-bazgroup:208

This worked, until I added a fourth group with the same GID.  AIX stopped
allowing members of 208 to connect to any hosts.

I was forced to move them all into a single group and abandon my attempts
at organization.

This was hard to find, but obvious in retrospect.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20131120/8425dcff/attachment.htm>