> Chris Cowan via FreeIPA-users wrote:
>
> Can you explain how you did the migration? Private groups are not
> created using migrate-ds. In IPA a "private" group is one where uid=gid
> and the group cannot have members.

Haven't done a full migration, yet. I'm just experimenting in the lab with some ids. The real migration will occur a few months from now.

I created an id for myself, cowanco. I used ipa user-add. It ended up with uid=502157 gid=304155.

> So I'm a bit unclear why/how you were able to detach the user from the
> private group.
>
> What "NSS stuff" is not working?

Using this sssd.conf on a machine, host not attached to IdM:

------------------------------------------------------------------------
[sssd]
services = nss
config_file_version = 2
domains = default

[nss]
filter_users = root

[domain/default]
ldap_uri = ldap://idmlab.xyz.com
ldap_search_base = dc=xyx,dc=com
id_provider = ldap
auth_provider = krb5
krb5_server = idmlab.xyz.com
krb5_realm = LAB.xyz.com
access_provider = permit
sudo_provider = ldap
chpass_provider = krb5
autofs_provider = ldap
resolver_provider = ldap
ldap_schema = rfc2307bis
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_fullname = cn
ldap_user_member_of = memberOf
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = member
ldap_default_bind_dn = uid=admin,cn=users,cn=accounts,dc=xyz,dc=com
ldap_default_authtok =
ldap_default_authtok_type = obfuscated_password
--------------------------------------------------------------------------

Ran these tests, with 3 different users:

- cowanco (uid != gid)
- devuser9 (uid == gid)
- ccowan2 (uid != gid) and run through the detach, delete, add steps

When I do id lookups like this:

# id cowanco
uid=304155(cowanco) gid=502157 groups=502157,100060(p.project1),100050(p.junk$),829400014(p.testings.admin)

vs. a user that was created with uid==gid:

# id devuser9
uid=100009(devuser9) gid=100009(devuser9) groups=100009(devuser9),100061(p.project1.readers)

I had a similar id, ccowan2 (uid=200000, gid=3000010). Executed these commands, posted as a workaround (by someone else migrating from an existing config):

# ipa group-detach ccowan2
# ipa group-del ccowan2
# ipa group-add ccowan2

Now, I see:

# id ccowan2
uid=200000(ccowan2) gid=300010(ccowan2) groups=300010(ccowan2),100050(p.junk$)

I'm assuming that this is basically because a private group is not a POSIX group. I'm not sure if this is a problem. Doing forensics on the directory to see if any user has members in their default group.
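As an added example (not code from the thread or from FreeIPA), the "forensics" check described above over constructed sample data: it flags users whose gidNumber matches no group, which is what shows up as a bare gid number in `id` output, and users whose primary group holds other members, which an IPA private group cannot. The cowanco/devuser9/ccowan2 numbers follow the thread; the appsvc entry and all memberships are assumptions made up for the demonstration.

```python
"""Audit of users' primary groups. Added example, not code from the thread or FreeIPA.
Flags users whose gidNumber matches no posixGroup (the bare number in `id` output)
and users whose primary group holds other members, something an IPA private group
(uid == gid, no members) cannot."""

# Constructed sample: cowanco/devuser9/ccowan2 numbers follow the thread,
# appsvc and all memberships are made up for the demonstration.
USERS = {  # uid -> (uidNumber, gidNumber)
    "cowanco": (304155, 502157),
    "devuser9": (100009, 100009),
    "ccowan2": (200000, 300010),
    "appsvc": (100070, 100070),
}
GROUPS = {  # gidNumber -> (cn, member uids)
    100009: ("devuser9", []),
    300010: ("ccowan2", ["ccowan2"]),
    100070: ("appsvc", ["appsvc", "devuser9"]),
}

def classify(uid, uid_number, gid_number, groups):
    """Return 'unresolved', 'shared', 'private' or 'regular' for one user."""
    grp = groups.get(gid_number)
    if grp is None:
        return "unresolved"   # `id` prints gid=NNN with no name
    _cn, members = grp
    if any(m != uid for m in members):
        return "shared"       # somebody else sits in this user's default group
    if uid_number == gid_number:
        return "private"      # the uid == gid shape ipa user-add creates
    return "regular"          # an ordinary POSIX group used as the primary group

def audit(users, groups):
    """Map each finding class to the sorted uids it applies to."""
    report = {"unresolved": [], "shared": [], "private": [], "regular": []}
    for uid, (uid_number, gid_number) in users.items():
        report[classify(uid, uid_number, gid_number, groups)].append(uid)
    return {kind: sorted(uids) for kind, uids in report.items()}

if __name__ == "__main__":
    for kind, uids in audit(USERS, GROUPS).items():
        print(f"{kind:10s} {', '.join(uids) or '-'}")
```

The same two dicts can be filled from an ldapsearch over posixAccount and posixGroup entries; the classification logic does not change.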
