> Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. 
> Is that what you mean by creating the groups?

No, it's the gid of the user, so exists only as a private user group.

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Thursday, 7 December 2017 3:59 AM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Aaron Hicks <aaron.hi...@nesi.org.nz>
Subject: Re: [Freeipa-users] User's personal group not resolving

Aaron Hicks via FreeIPA-users wrote:
> Hello the list,
>
> We imported all our users with uidnumbers from our old LDAP, but their
> gidNumber was from 4 groups. This caused us issues with users wanting
> to grant access to personal spaces to one user, but instead granting
> access to all the members of the group.
>
> To resolve this, when they were imported into FreeIPA we assigned them
> all new gidNumbers, as reusing their uidNumbers caused a large number of
> gidNumber clashes as many groups were assigned from the same integer
> range. So now we have a lot of users with uidNumber 5XXX and gidNumber
> 5000XXX.
>
> When they log in they see an error like this:
>
> /usr/bin/id: cannot find name for group ID 100019
>
> It’s pretty much because their gidNumber != uidNumber
>
> So getting all the name and group details:
>
> [username@ipaserver01:~] $ id username
> uid=5807(username) gid=100019 groups=100019,66400035(group1),66400007(group2),66400012(group3),66400044(group4),175321(group5),2075295(group6),66400046(group7)
> [username@ipaserver01:~] 2 $ id -g username
> 100019
> [username@ipaserver01:~] $ getent group 5807
> username:*:5807:
> [username@ipaserver01:~] $ getent group 100019
> [username@ipaserver01:~] $
>
> Now, the last part, we can’t change their uidNumber. We have a massive
> filesystem (many terabytes) backed by a tape library (many petabytes)
> so we need their uidNumber to match that file archived to tape in 1987
> and migrated through our tape system upgrades :P
>
> So the question is; can we make it resolve those gidNumbers?
>
> …I could make 2,500 groups for 2,500 users…

Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. Is 
that what you mean by creating the groups?

rob
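
The mismatch discussed in this thread can be checked across a whole user base from `getent passwd` and `getent group` style dumps. The script below is an added example, not code from the thread or from FreeIPA; the function names `audit_primary_gids` and `sample_report` are hypothetical, and the sample entries are constructed (only `username`, 5807, 100019 and 66400035 echo values quoted above).

```shell
#!/bin/sh
# Added example (not from the thread). Inputs use the colon-separated layout
# printed by `getent passwd` and `getent group`.

# audit_primary_gids PASSWD_FILE GROUP_FILE
# Prints "user uid gid status" per account, where status is:
#   missing - no group entry carries this gid (id prints "cannot find name")
#   shared  - the gid resolves, but is the primary gid of several accounts
#   ok      - the gid resolves and is the primary gid of this account alone
audit_primary_gids() {
    awk -F: -v groupfile="$2" '
        BEGIN {
            # Load gid -> group name up front; an empty group file is fine.
            while ((getline line < groupfile) > 0) {
                split(line, f, ":")
                gname[f[3]] = f[1]
            }
        }
        { order[++n] = $1; uid[$1] = $3; gid[$1] = $4; owners[$4]++ }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]; g = gid[u]
                if (!(g in gname))      status = "missing"
                else if (owners[g] > 1) status = "shared"
                else                    status = "ok"
                print u, uid[u], g, status
            }
        }
    ' "$1"
}

# sample_report: runs the audit over constructed sample data.
sample_report() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
username:x:5807:100019::/home/username:/bin/bash
alice:x:5901:66400035::/home/alice:/bin/bash
bob:x:5902:66400035::/home/bob:/bin/bash
carol:x:5903:5903::/home/carol:/bin/bash
EOF
    cat > "$dir/group" <<'EOF'
username:*:5807:
group1:*:66400035:alice,bob
carol:*:5903:
EOF
    audit_primary_gids "$dir/passwd" "$dir/group"
    rm -rf "$dir"
}

sample_report
```

A `shared` row is the situation the original LDAP layout produced, where granting access to a user's primary group reaches every other account with the same gidNumber; a `missing` row is the one that triggers the `id` error.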