Aaron Hicks wrote: >> Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. >> Is that what you mean by creating the groups? > > No, it's the gid of the user, so exists only as a private user group.
If you migrated from another LDAP server then there is no user-private group. You just have a gidNumber value set in their user entry which is why no group appears via nss. You need to create a unique group for each user with a matching gid. rob > > -----Original Message----- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: Thursday, 7 December 2017 3:59 AM > To: FreeIPA users list <firstname.lastname@example.org> > Cc: Aaron Hicks <aaron.hi...@nesi.org.nz> > Subject: Re: [Freeipa-users] User's personal group not resolving > > Aaron Hicks via FreeIPA-users wrote: >> Hello the list, >> >> >> >> We imported all our users with uidnumbers from our old LDAP, but their >> gidNumber was from 4 groups. This caused us issues with users wanting >> to grant access to personal spaces to one user, but instead granting >> access to all the members of the group. >> >> >> >> To resolve this, when they were imported into FreeIPA we assigned them >> all new gidNumbers, as reusing their uidNumbers caused large number of >> gidNumber clashes as many groups were assigned from the same integer >> range. So now we have a log of users with uidNumber 5XXX and gidNumber >> 5000XXX. >> >> >> >> When they log in they see an error like this: >> >> >> >> /usr/bin/id: cannot find name for group ID 100019 >> >> >> >> It’s pretty much because their gidNumber != uidNumber >> >> >> >> So getting all the name and group details: >> >> [username@ipaserver01:~] $ id username >> >> uid=5807(username) gid=100019 >> groups=100019,66400035(group1),66400007(group2),66400012(group3),66400 >> 044(group4),175321(group5),2075295(group6),66400046(group7) >> >> [username@ipaserver01:~] 2 $ id -g username >> >> 100019 >> >> [username@ipaserver01:~] $ getent group 5807 >> >> username:*:5807: >> >> [username@ipaserver01:~] $ getent group 100019 >> >> [username@ipaserver01:~] $ >> >> >> >> Now, the last part, we can’t change their uidNumber. We have a massive >> filesystem (many terabytes) backed by a tape library (many petabytes) >> so we need their uidNumber to match that file archived to tape in 1987 >> and migrated through our tape system upgrades :P >> >> >> >> So the question is; can we make it resolve those gidNumbers? >> >> >> >> …I could make 2,500 groups for 2,500 users… > > Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. > Is that what you mean by creating the groups? > > rob > _______________________________________________ FreeIPA-users mailing list -- email@example.com To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org