Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
>
> We imported all our users with uidnumbers from our old LDAP, but their
> gidNumber was from 4 groups. This caused us issues with users wanting to
> grant access to personal spaces to one user, but instead granting access
> to all the members of the group.
>
> To resolve this, when they were imported into FreeIPA we assigned them
> all new gidNumbers, as reusing their uidNumbers caused a large number of
> gidNumber clashes as many groups were assigned from the same integer
> range. So now we have a lot of users with uidNumber 5XXX and gidNumber
> 5000XXX.
>
> When they log in they see an error like this:
>
> /usr/bin/id: cannot find name for group ID 100019
>
> It's pretty much because their gidNumber != uidNumber
>
> So getting all the name and group details:
>
> [username@ipaserver01:~] $ id username
> uid=5807(username) gid=100019 groups=100019,66400035(group1),66400007(group2),66400012(group3),66400044(group4),175321(group5),2075295(group6),66400046(group7)
> [username@ipaserver01:~] 2 $ id -g username
> 100019
> [username@ipaserver01:~] $ getent group 5807
> username:*:5807:
> [username@ipaserver01:~] $ getent group 100019
> [username@ipaserver01:~] $
>
> Now, the last part, we can't change their uidNumber. We have a massive
> filesystem (many terabytes) backed by a tape library (many petabytes) so
> we need their uidNumber to match that file archived to tape in 1987 and
> migrated through our tape system upgrades :P
>
> So the question is; can we make it resolve those gidNumbers?
>
> …I could make 2,500 groups for 2,500 users…

Does a group with gidNumber 100019 exist in IPA? It sounds like it
doesn't. Is that what you mean by creating the groups?

rob
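
The condition discussed in this thread, a primary gidNumber with no matching group entry, can be checked across all accounts at once. The script below is an added example, not part of either message; the function names and the sample passwd/group data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report accounts whose primary GID
# does not resolve to any group, the condition behind
# "cannot find name for group ID 100019".

# unresolved_primary_gids PASSWD_FILE GROUP_FILE
# Both files are in passwd(5)/group(5) colon-separated format.
# Prints "name uid gid" for every account whose gid has no group entry.
unresolved_primary_gids() {
    awk -F: -v groups="$2" '
        BEGIN {
            # Load every known gid (field 3 of group(5)) before reading accounts.
            # An empty group file simply leaves the set empty.
            while ((getline line < groups) > 0) {
                n = split(line, f, ":")
                if (n >= 3 && f[3] != "") known[f[3]] = 1
            }
            close(groups)
        }
        # passwd(5): field 1 = name, field 3 = uid, field 4 = primary gid.
        NF >= 4 && $4 != "" && !($4 in known) { print $1, $3, $4 }
    ' "$1"
}

# demo: constructed sample data modelled on the output quoted in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
username:*:5807:100019:Constructed User:/home/username:/bin/bash
otheruser:*:5808:5808:Constructed User:/home/otheruser:/bin/bash
EOF
    cat > "$tmp/group" <<'EOF'
username:*:5807:
otheruser:*:5808:
group1:*:66400035:username
EOF
    unresolved_primary_gids "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo   # prints: username 5807 100019
```

Feed it passwd(5)- and group(5)-format exports of the directory's users and groups; `getent` without a key only lists directory entries when enumeration is enabled on the client.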