Look at automember rules.

Verzonden vanaf mijn Samsung-apparaat

-------- Oorspronkelijk bericht --------
Van: Devin Acosta via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Datum: 02-06-17 20:13 (GMT+01:00)
Aan: Rob Crittenden <rcrit...@redhat.com>
Cc: FreeIPA users list <freeipa-users@lists.fedorahosted.org>, Devin Acosta 
Onderwerp: [Freeipa-users] Re: FreeIPA (adding all new users to admin group by 


That is what confuses me, I show that the default users group is "ipausers", 
however when I added an account which I just tested it added to admins group.  
Anything else that could be making it add it to the "admin" group?

[root@ipa01 ~]# ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: m451.tech
  Search time limit: 2
  Search size limit: -1
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=M451.TECH
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: 
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

[root@ipa01 ~]# ipa user-add testuser-devin
First name: Devin
Last name: Acosta
Added user "testuser-devin"
  User login: testuser-devin
  First name: Devin
  Last name: Acosta
  Full name: Devin Acosta
  Display name: Devin Acosta
  Initials: DA
  Home directory: /home/testuser-devin
  GECOS: Devin Acosta
  Login shell: /bin/bash
  Principal name: testuser-de...@m451.tech
  Principal alias: testuser-de...@m451.tech
  Email address: testuser-de...@m451.tech
  UID: 34375527
  GID: 34375527
  Password: False
  Member of groups: ipausers, admins
  Roles: IT Security Specialist, sec_netops2, helpdesk, IT Specialist, User 
Administrator, Security Architect, ipa_join
  Indirect Member of role: ipa_join, helpdesk, IT Security Specialist, 
sec_netops2, IT Specialist, Security Architect, User Administrator
  Kerberos keys available: False

On Fri, Jun 2, 2017 at 11:02 AM, Rob Crittenden 
<rcrit...@redhat.com<mailto:rcrit...@redhat.com>> wrote:
Devin Acosta via FreeIPA-users wrote:
> I am hoping to see if someone can tell me what I either need to change
> or update to get it so that FreeIPA doesn't automatically keep adding
> all new users that is created automatically to the admin group. I
> inherited this installation of FreeIPA and so far haven't been able to
> figure out what either got changed or how to disable this behavior? I am
> running the latest FreeIPA 4.4 on CentOS 7.3.
> Any help would be greatly appreciated.

Probably the default users group. Try:

$ kinit admin
$ ipa config-show |grep 'Default users group'

Can be changed using:

$ ipa config-mod --defaultgroup ipausers

You can probably do this in the UI as well but I'm a CLI guy.


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to