Hi Rob,

We figured out there were a relatively small number of id clashes between uids 
and gids between users and groups and have resolved most of them, we're now 
working on making gidNumber = uidNumber with a python script calling user-mod 
via the FreeIPA API. It's looking good in our test environment.

I think, with hindsight, gidNumber != uidNumber is a Bad Idea™ and maybe we 
should discourage directory administrators from doing it.

Regards,

Aaron

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Thursday, 7 December 2017 9:54 AM
To: Aaron Hicks <aaron.hi...@nesi.org.nz>; 'FreeIPA users list' 
<freeipa-users@lists.fedorahosted.org>
Subject: Re: [Freeipa-users] User's personal group not resolving

Aaron Hicks wrote:
>> Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. 
>> Is that what you mean by creating the groups?
> 
> No, it's the gid of the user, so exists only as a private user group.

If you migrated from another LDAP server then there is no user-private group. 
You just have a gidNumber value set in their user entry which is why no group 
appears via nss. You need to create a unique group for each user with a 
matching gid.

rob

> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Thursday, 7 December 2017 3:59 AM
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: Aaron Hicks <aaron.hi...@nesi.org.nz>
> Subject: Re: [Freeipa-users] User's personal group not resolving
> 
> Aaron Hicks via FreeIPA-users wrote:
>> Hello the list,
>>
>> We imported all our users with uidnumbers from our old LDAP, but 
>> their gidNumber was from 4 groups. This caused us issues with users 
>> wanting to grant access to personal spaces to one user, but instead 
>> granting access to all the members of the group.
>>
>> To resolve this, when they were imported into FreeIPA we assigned 
>> them all new gidNumbers, as reusing their uidNumbers caused a large 
>> number of gidNumber clashes as many groups were assigned from the 
>> same integer range. So now we have a lot of users with uidNumber 5XXX 
>> and gidNumber 5000XXX.
>>
>> When they log in they see an error like this:
>>
>> /usr/bin/id: cannot find name for group ID 100019
>>
>> It’s pretty much because their gidNumber != uidNumber
>>
>> So getting all the name and group details:
>>
>> [username@ipaserver01:~] $ id username
>>
>> uid=5807(username) gid=100019 groups=100019,66400035(group1),66400007(group2),66400012(group3),66400044(group4),175321(group5),2075295(group6),66400046(group7)
>>
>> [username@ipaserver01:~] 2 $ id -g username
>>
>> 100019
>>
>> [username@ipaserver01:~] $ getent group 5807
>>
>> username:*:5807:
>>
>> [username@ipaserver01:~] $ getent group 100019
>>
>> [username@ipaserver01:~] $
>>
>> Now, the last part, we can’t change their uidNumber. We have a 
>> massive filesystem (many terabytes) backed by a tape library (many 
>> petabytes) so we need their uidNumber to match that file archived to 
>> tape in 1987 and migrated through our tape system upgrades :P
>>
>> So the question is; can we make it resolve those gidNumbers?
>>
>> …I could make 2,500 groups for 2,500 users…
> 
> Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. 
> Is that what you mean by creating the groups?
> 
> rob
> 

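Added example (not Aaron's script and not FreeIPA project code): a sketch of the gidNumber = uidNumber change Aaron describes, with the clash check Rob's reply implies. The planning step is pure Python over IPA-shaped entries, so it can be run offline on the constructed users and groups below before anything touches the directory; only main() talks to a server. The ipalib calls (api.Command.user_find, group_find with private=True, user_mod with gidnumber=) are real commands, but the exact shape of returned entries is assumed from memory, and the sample data is made up to mirror the thread.

```python
"""Plan, then apply, gidNumber := uidNumber for migrated FreeIPA users.

Added example, not the thread's script. Planning is offline and pure;
only main() uses ipalib. Entry shapes are assumptions: verify in a test
environment before using --apply.
"""


def _scalar(value):
    """IPA entries wrap attribute values in lists; return the first value."""
    if isinstance(value, (list, tuple)):
        return value[0]
    return value


def plan_private_gids(users, groups):
    """Decide what gidNumber := uidNumber would do for each user.

    users  -- entries with 'uid', 'uidnumber', 'gidnumber'
    groups -- entries with 'cn' and, for POSIX groups, 'gidnumber'

    Returns a dict of lists:
      'unchanged': uids already having gidNumber == uidNumber
      'change'   : (uid, old_gid, new_gid); uidNumber is owned by the
                   user's own private group (cn == uid), safe to apply
      'clash'    : (uid, uidNumber, cn); a different group owns that gid,
                   changing the user would grant that group's access
      'missing'  : (uid, uidNumber); no POSIX group owns that gid, so the
                   user would still see "cannot find name for group ID"
    """
    gid_owner = {}
    for g in groups:
        if 'gidnumber' in g:  # non-POSIX groups carry no gidNumber
            gid_owner[int(_scalar(g['gidnumber']))] = str(_scalar(g['cn']))

    plan = {'unchanged': [], 'change': [], 'clash': [], 'missing': []}
    for u in users:
        uid = str(_scalar(u['uid']))
        uidnumber = int(_scalar(u['uidnumber']))
        gidnumber = int(_scalar(u['gidnumber']))
        if gidnumber == uidnumber:
            plan['unchanged'].append(uid)
            continue
        owner = gid_owner.get(uidnumber)
        if owner is None:
            plan['missing'].append((uid, uidnumber))
        elif owner == uid:
            plan['change'].append((uid, gidnumber, uidnumber))
        else:
            plan['clash'].append((uid, uidnumber, owner))
    return plan


def apply_plan(plan, user_mod):
    """Apply only the safe 'change' entries via user_mod(uid, gidnumber=...).

    user_mod is api.Command.user_mod in production or a stand-in in tests.
    Returns the number of users modified.
    """
    count = 0
    for uid, _old_gid, new_gid in plan['change']:
        user_mod(uid, gidnumber=new_gid)
        count += 1
    return count


# Constructed sample data shaped like ipalib results (values in lists).
# alice mirrors the thread: uidNumber 5807, gidNumber 100019, and a
# private group "alice" already owning gid 5807.
SAMPLE_USERS = [
    {'uid': ['alice'], 'uidnumber': ['5807'], 'gidnumber': ['100019']},
    {'uid': ['bob'], 'uidnumber': ['5808'], 'gidnumber': ['5808']},
    {'uid': ['carol'], 'uidnumber': ['5810'], 'gidnumber': ['5000010']},
    {'uid': ['dave'], 'uidnumber': ['5811'], 'gidnumber': ['5000011']},
]
SAMPLE_GROUPS = [
    {'cn': ['alice'], 'gidnumber': ['5807']},         # alice's private group
    {'cn': ['legacy-staff'], 'gidnumber': ['5810']},  # clashes with carol
    {'cn': ['group1'], 'gidnumber': ['66400035']},
    {'cn': ['editors']},                              # non-POSIX group
]


def main(argv=None):
    """Against a real IPA server: dry run by default, --apply to modify."""
    import argparse
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument('--apply', action='store_true',
                        help='call user-mod (default is a dry run)')
    args = parser.parse_args(argv)

    from ipalib import api  # needs a Kerberos ticket and IPA client config
    api.bootstrap(context='cli')
    api.finalize()
    api.Backend.rpcclient.connect()

    users = api.Command.user_find(sizelimit=0)['result']
    # group-find hides private groups unless asked; fetch both sets.
    groups = (api.Command.group_find(sizelimit=0)['result']
              + api.Command.group_find(sizelimit=0, private=True)['result'])

    plan = plan_private_gids(users, groups)
    for key in ('clash', 'missing'):
        for item in plan[key]:
            print('%-8s %s' % (key.upper(), item))
    if args.apply:
        print('modified %d users' % apply_plan(plan, api.Command.user_mod))
    else:
        for uid, old_gid, new_gid in plan['change']:
            print('would run: ipa user-mod %s --gidnumber=%d (was %d)'
                  % (uid, new_gid, old_gid))


if __name__ == '__main__':
    main()
```

The point of the 'clash' bucket is the access problem Aaron started with: if some other group already owns a user's uidNumber, switching that user's gidNumber to it would silently give that group's members whatever the user shares with their "personal" group. Run the dry run first, resolve every CLASH and MISSING line by hand (rename or renumber the group, or add a group with that gid), and only then pass --apply.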
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org