Aaron Hicks wrote:
>> Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. 
>> Is that what you mean by creating the groups?
> 
> No, it's the gid of the user, so exists only as a private user group.

If you migrated from another LDAP server then there is no user-private
group. You just have a gidNumber value set in their user entry which is
why no group appears via nss. You need to create a unique group for each
user with a matching gid.

rob

> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com] 
> Sent: Thursday, 7 December 2017 3:59 AM
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: Aaron Hicks <aaron.hi...@nesi.org.nz>
> Subject: Re: [Freeipa-users] User's personal group not resolving
> 
> Aaron Hicks via FreeIPA-users wrote:
>> Hello the list,
>>
>>  
>>
>> We imported all our users with uidnumbers from our old LDAP, but their 
>> gidNumber was from 4 groups. This caused us issues with users wanting 
>> to grant access to personal spaces to one user, but instead granting 
>> access to all the members of the group.
>>
>>  
>>
>> To resolve this, when they were imported into FreeIPA we assigned them 
>> all new gidNumbers, as reusing their uidNumbers caused large number of 
>> gidNumber clashes as many groups were assigned from the same integer 
>> range. So now we have a log of users with uidNumber 5XXX and gidNumber 
>> 5000XXX.
>>
>>  
>>
>> When they log in they see an error like this:
>>
>>  
>>
>> /usr/bin/id: cannot find name for group ID 100019
>>
>>  
>>
>> It’s pretty much because their gidNumber != uidNumber
>>
>>  
>>
>> So getting all the name and group details:
>>
>> [username@ipaserver01:~] $ id username
>>
>> uid=5807(username) gid=100019
>> groups=100019,66400035(group1),66400007(group2),66400012(group3),66400
>> 044(group4),175321(group5),2075295(group6),66400046(group7)
>>
>> [username@ipaserver01:~] 2 $ id -g username
>>
>> 100019
>>
>> [username@ipaserver01:~] $ getent group 5807
>>
>> username:*:5807:
>>
>> [username@ipaserver01:~] $ getent group 100019
>>
>> [username@ipaserver01:~] $
>>
>>  
>>
>> Now, the last part, we can’t change their uidNumber. We have a massive 
>> filesystem (many terabytes) backed by a tape library (many petabytes) 
>> so we need their uidNumber to match that file archived to tape in 1987 
>> and migrated through our tape system upgrades :P
>>
>>  
>>
>> So the question is; can we make it resolve those gidNumbers?
>>
>>  
>>
>> …I could make 2,500 groups for 2,500 users…
> 
> Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. 
> Is that what you mean by creating the groups?
> 
> rob
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to