Thanks all for the answers.

On 03/10/2015 03:27 PM, Rob Crittenden wrote:
> Petr Vobornik wrote:
>> In ipa migrate-ds we also set the group to all users who are not a member
>> of anything. Why is it important for a user to be a member of a group?
>
> Every POSIX user needs a default GID. We don't create user-private
> groups for migrated users.

How should default GID be set during migration? IMHO there are two issues:

1. ipausers group is not a POSIX group. Which, btw, also creates this
nice issue:

    $ ipa user-add fbar --noprivate
    First name: Foo
    Last name: Bar
    ipa: ERROR: Default group for new users is not POSIX

2. Migrated users have to be POSIX, therefore they have gidnumber and
migrate-ds checks for its presence. But the command doesn't do anything
with the GID number later, even if the group doesn't exist, nor in a step
where default group is set. Therefore, default group, even if POSIX,
would not work for this use case (set default GID number).

Q: Is it expected that user private groups will be migrated? (e.g. for
migration from another FreeIPA instance). If not, then there would be a
lot of users without a private group with the same GID number as UID number.

Q: Why don't we allow creating a user private group? What would be better
if migrating from a FreeIPA instance: migrate private groups or create new
private groups using Managed Entries plugin?

--
Petr Vobornik