[Freeipa-users] freeipa and User Private Groups

Jakub Hrozek jhrozek at redhat.com
Tue Jul 14 09:12:23 UTC 2015


On Tue, Jul 14, 2015 at 09:01:54AM +0000, Les Stott wrote:
> Jakub,
> 
> Thanks for the follow up.
> 
> We try and stick to standard rhel/epel repos (due to policy) so I am not able to install a non-standard version of sssd.

OK, please note that pretty much the same version will come to 6.7 in a
couple of days.

> 
> I have decided to disable the User Private Group plugin and convert ipausers to a posix group. There was nothing I could see that required us to use UPGs. This setup is working for me now.

The drawback might be that ipausers would get really large over time and
resolving the large group including the members would take a long time.

> 
> Thanks,
> 
> Les
> 
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> > bounces at redhat.com] On Behalf Of Jakub Hrozek
> > Sent: Tuesday, 14 July 2015 6:42 PM
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] freeipa and User Private Groups
> > 
> > On Mon, Jul 13, 2015 at 09:11:09AM +0000, Les Stott wrote:
> > > Hi All,
> > >
> > > Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64
> > >
> > > So, by default, when you create a user in freeipa, that user will be set to
> > have a primary group that is hidden and not a POSIX group.
> > >
> > > This means that when the user logs in to a host, they will see something
> > like...
> > >
> > > id: cannot find name for group ID <group_number>
> > 
> > It is not expected to not be able to return the name of the user group and I
> > don't see that in my setup. I was suspecting rhbz#1165074 but your sssd
> > should already have that bug fixed.
> > 
> > Can you see if the packages from
> >     https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> > also show that behaviour?
> > 
> > If yes, can you get us sssd logs as described here:
> >     https://fedorahosted.org/sssd/wiki/Troubleshooting
> > 
> > >
> > > running the id command shows no name returned for this group.
> > >
> > > I understand you can disable private groups globally, however it is
> > discouraged. I also realise you can simply create POSIX groups when creating
> > users.
> > >
> > > In the spirit of trying to stick with the defaults....
> > >
> > > Is there a way to avoid the login error where id can't retrieve the group
> > name from a UPG?
> > >
> > > Thanks,
> > >
> > > Les
> > >
> > 
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> > 



