Hello Dmitri,

OK, I can accept the good practice of using private groups, then I need to 
delete the "left over" group.
The instructions in the document failed as stated in my original email.

Any suggestions how to delete the private group whose user has been deleted?
Thanks,
George



>________________________________
> From: Dmitri Pal <d...@redhat.com>
>To: freeipa-users@redhat.com 
>Sent: Thursday, June 21, 2012 3:47 PM
>Subject: Re: [Freeipa-users] ipa user-add
> 
>
>On 06/21/2012 03:10 PM, george he wrote: 
>>it's x86_64  2.2.0-1.fc17.
>>Thanks,
>>George
>>
>
>You are looking at the private group feature.
>By default IPA encourages you to take advantage of the user private
>groups - the groups that have only current user in them.
>The value of this is that the files on the file system can be
>owned just by the user. It is a good practice.
>To turn it off there is a utility to turn the managed entries
>creation.
>
>Please do not use LDAP directly (at least yet).
>
>There is another feature that allows one to specify a criteria for
>placing users or hosts into groups.
>Users in the past were automatically placed into the ipausers
>group but not any more for security reasons explained above and
>for performance reasons as one huge group causes sssd to pull
>everybody on the first lookup.
>
>
>
>>
>>
>>>________________________________
>>> From: Rob Crittenden <rcrit...@redhat.com>
>>>To: Rich Megginson <rmegg...@redhat.com> 
>>>Cc: george he <george_...@yahoo.com>; "freeipa-users@redhat.com" 
>>><freeipa-users@redhat.com> 
>>>Sent: Thursday, June 21, 2012 2:54 PM
>>>Subject: Re: [Freeipa-users] ipa user-add
>>> 
>>>Rich Megginson wrote:
>>>> On 06/21/2012 12:25 PM, george he wrote:
>>>>> Hello all,
>>>>>
>>>>> After the server and the client are installed, I run
>>>>>
>>>>> ipa user-add myname
>>>>>
>>>>> to add users. The users are added successfully, but each user gets his
>>>>> own GID, which is the same as his UID, even though "ipa config-show
>>>>> --all" shows
>>>>> Default users group: ipausers
>>>>>
>>>>> How do I put all new users to this ipausers group? If I use
>>>>> --gidnumber=INT, how to find out the GID of the ipausers group?
>>>
>>>It would help to know what version and platform of IPA you are using.
>>>The method differs by version.
>>>
>>>>>
>>>>> I tried to delete a user using "ipa user-del myname", but the private
>>>>> group myname is left there. So I did the following:
>>>>>
>>>>> # ipa group-del myname
>>>>> ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
>>>>> # ipa group-detach myname
>>>>> ipa: ERROR: myname: group not found
>>>>> # ipa user-add myname
>>>>> First name: myfirstname
>>>>> Last name: mylastname
>>>>> ipa: ERROR: Unable to create private group. A group 'myname' already exists.
>>>>>
>>>>> How do I get out of this loop?
>>>>
>>>> What is your platform and 389-ds-base version?
>>>>
>>>> I'm not familiar with group-detach, but you can manually detach and
>>>> remove the private group using ldapsearch and ldapmodify:
>>>>
>>>> assuming you have done kinit admin:
>>>> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>>>> This will give you the DN of the group - ignore any entries in the
>>>> compat tree
>>>>
>>>> 2) ldapmodify -Y GSSAPI <<EOF
>>>> dn: DN of the group from ldapsearch
>>>> changetype: modify
>>>> delete: objectclass
>>>> objectclass: mepManagedEntry
>>>> -
>>>> delete: mepManagedBy
>>>> -
>>>>
>>>> dn: DN of the group from ldapsearch
>>>> changetype: delete
>>>> EOF
>>>>
>>>> This will remove the private group.
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users@redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>--
>Thank you,
>Dmitri Pal
>Sr. Engineering Manager IPA project,
>Red Hat Inc.

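The manual detach-and-delete procedure quoted in this thread, as an added example that is not part of the original messages: it reads the output of the `ldapsearch -LLL ... dn` step, drops compat-tree entries, and writes the LDIF for `ldapmodify` only when exactly one group DN remains. The function names and the `dc=example,dc=com` sample DNs are constructed for illustration, and it assumes the compat tree is rooted at `cn=compat`.

```shell
# Added example, not from the thread: turn `ldapsearch -LLL ... dn` output
# into the detach-and-delete LDIF, refusing ambiguous results.
# Print the single DN outside the compat tree; fail on zero or several.
pick_group_dn() {
    awk '
        function flush() {
            if (cur != "" && tolower(cur) !~ /(^|,)cn=compat,/) { n++; dn = cur }
            cur = ""
        }
        /^ /     { if (cur != "") cur = cur substr($0, 2); next }  # folded line
                 { flush() }
        /^dn:: / { b64 = 1; next }       # base64 DN: inspect it by hand
        /^dn: /  { cur = substr($0, 5) }
        END      { flush(); if (b64 || n != 1) exit 1; print dn }
    '
}

# Read search output on stdin, write the LDIF from the thread on stdout.
build_detach_ldif() {
    dn=$(pick_group_dn) || {
        echo "need exactly one plain-text DN outside cn=compat" >&2
        return 1
    }
    cat <<EOF
dn: $dn
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: $dn
changetype: delete
EOF
}

# Constructed sample of what step 1 returns (dc=example,dc=com is made up).
sample_search_output() {
    cat <<'EOF'
dn: cn=myname,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=myname,cn=groups,cn=compat,dc=example,dc=com

EOF
}

# Review the generated LDIF before piping it to: ldapmodify -Y GSSAPI
sample_search_output | build_detach_ldif
```

Refusing to continue on zero or multiple matches keeps the delete from landing on an entry other than the leftover private group.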