[Freeipa-users] deleting duplicate groups with groupdel

Jakub Hrozek jhrozek at redhat.com
Wed Apr 13 07:28:25 UTC 2016


On Wed, Apr 13, 2016 at 12:30:56AM -0400, Prasun Gera wrote:
> My main ipa server used to be an NIS server. After migrating everything
> into ipa, there is no need for the users and groups to exist in /etc/passwd
> and /etc/group. Leaving them around would cause duplicate entries,
> passwords falling out of sync and other issues on the server. So the right
> approach is to delete all the local users and groups, and let ipa handle
> everything. I was able to delete all the local users from /etc/passwd.
> However, groupdel won't let me delete the local groups. It complains that
> xyz user's primary group is abc and hence you can't delete it. The user
> itself is not a part of /etc/passwd anymore. This is a bug as far as I can
> tell. groupdel should check these constraints only for local users and
> local groups. It shouldn't mix ipa users and ipa groups with them.
> 
> Environment: RHEL 7.2, idm 4.x

Looking at the groupdel code, they just loop through all users with
getpwent and report a primary group if any of the enumerated users
matches the gid being removed.

So I would only expect this to happen if enumerate=true is set in
sssd.conf; otherwise it should not be possible to reach those users with
getpwent (if you removed them from passwd already). As a quick check,
you can see if "getent passwd" without a user argument shows those
users.
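
The check described in the reply above, as an added C example that is not part of the original post and is not the groupdel source: the same primary-gid scan run over NSS enumeration (getpwent) and over a passwd-format file only (fgetpwent). The function name `primary_user`, the sample passwd lines and gid 5000 are constructed for illustration.

```c
#define _DEFAULT_SOURCE   /* getpwent(), fgetpwent(), fmemopen() on glibc */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Return 1 and copy the user name if some user has `gid` as primary group.
 * fp == NULL: walk everything NSS enumerates with getpwent(), which includes
 *             SSSD users when enumerate=true is set in sssd.conf.
 * fp != NULL: walk only that passwd(5)-format stream, so users that exist
 *             solely in the directory can never match. */
int primary_user(FILE *fp, gid_t gid, char *name, size_t len)
{
    struct passwd *pw;
    int found = 0;

    if (!fp)
        setpwent();                       /* rewind the NSS enumeration */
    while ((pw = fp ? fgetpwent(fp) : getpwent()) != NULL) {
        if (pw->pw_gid == gid) {
            snprintf(name, len, "%s", pw->pw_name);
            found = 1;
            break;
        }
    }
    if (!fp)
        endpwent();
    return found;
}

/* Constructed sample: a local passwd file after the migrated users were removed. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n";

int main(void)
{
    gid_t gid = 5000;   /* constructed gid standing in for group "abc" */
    char who[64];
    FILE *local = fmemopen((void *)SAMPLE_PASSWD, strlen(SAMPLE_PASSWD), "r");

    if (local && !primary_user(local, gid, who, sizeof who))
        puts("local file: no user has this primary gid");
    if (primary_user(NULL, gid, who, sizeof who))
        printf("NSS enumeration: %s still has this primary gid\n", who);
    if (local)
        fclose(local);
    return 0;
}
```

A match from the NSS scan with no match in the local file means the user comes from an enumerating non-local source, which is the situation the reply attributes to enumerate=true.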



