On 06/21/2012 09:11 PM, george he wrote:
Hello Rich,
Thanks for the help. This does remove the group so I can add the user back. But when I try to ssh, as that user, to the machines that the user logged on before "ipa user-del", I get "permission denied". I removed the user's home directory because it still belongs to the deleted UID:GID. After that I still get "permission denied".
Any suggestions?


I don't know. I just wanted to make sure you were using 389-ds-base-1.2.11.5 or .6 or later on F-17 to avoid this "dangling" private group in the future.


Thanks again,
George

    ------------------------------------------------------------------------
    *From:* Rich Megginson <rmegg...@redhat.com>
    *To:* george he <george_...@yahoo.com>
    *Cc:* "freeipa-users@redhat.com" <freeipa-users@redhat.com>
    *Sent:* Thursday, June 21, 2012 2:43 PM
    *Subject:* Re: [Freeipa-users] ipa user-add

    On 06/21/2012 12:25 PM, george he wrote:
    Hello all,

    After the server and the client are installed, I run

    ipa user-add myname

    to add users. The users are added successfully, but each user gets
    his own GID, which is the same as his UID, even though "ipa
    config-show --all" shows
      Default users group: ipausers

    How do I put all new users to this ipausers group? If I use
    --gidnumber=INT, how to find out the GID of the ipausers group?

    I tried to delete a user using "ipa user-del myname", but the
    private group myname is left there. So I did the following:

    # ipa group-del myname
    ipa: ERROR: Deleting a managed group is not allowed. It must be
    detached first.
    # ipa group-detach myname
    ipa: ERROR: myname: group not found
    # ipa user-add myname
    First name: myfirstname
    Last name: mylastname
    ipa: ERROR: Unable to create private group. A group 'myname'
    already exists.

    How do I get out of this loop?

    What is your platform and 389-ds-base version?

    I'm not familiar with group-detach, but you can manually detach
    and remove the private group using ldapsearch and ldapmodify:

    assuming you have done kinit admin:
    1) ldapsearch -LLL -Y GSSAPI cn=myname dn
    This will give you the DN of the group - ignore any entries in the
    compat tree

    2) ldapmodify -Y GSSAPI <<EOF
    dn: DN of the group from ldapsearch
    changetype: modify
    delete: objectclass
    objectclass: mepManagedEntry
    -
    delete: mepManagedBy
    -

    dn: DN of the group from ldapsearch
    changetype: delete
    EOF

    This will remove the private group.

    Thanks,
    George



    _______________________________________________
    Freeipa-users mailing list
    Freeipa-users@redhat.com  <mailto:Freeipa-users@redhat.com>
    https://www.redhat.com/mailman/listinfo/freeipa-users
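
The detach-and-delete steps from the quoted reply, as an added example that is not part of the original thread: it filters `ldapsearch -LLL` output down to the single non-compat group DN (unfolding wrapped lines) and generates the same LDIF. The function names and the `dc=example,dc=com` suffix in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the usable DNs from ldapsearch -LLL output on stdin, one per line.
real_group_dns() {
    awk '
        function flush() {
            # drop entries under cn=compat, as the reply advises
            if (cur != "" && tolower(cur) !~ /(^|,)cn=compat,/) print cur
            cur = ""
        }
        /^ /    { if (cur != "") cur = cur substr($0, 2); next }  # unfold wrapped DN
        { flush() }
        /^dn: / { cur = substr($0, 5) }   # "dn:: <base64>" is skipped, not decoded
        END     { flush() }
    '
}

# Emit the LDIF only when exactly one DN remains; otherwise fail without output.
build_detach_ldif() {
    dns=$(real_group_dns)
    count=$(printf '%s\n' "$dns" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one non-compat DN, found $count" >&2
        return 1
    fi
    cat <<EOF
dn: $dns
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: $dns
changetype: delete
EOF
}

# Constructed sample output (the dc=example,dc=com suffix is an assumption).
SAMPLE='dn: cn=myname,cn=groups,cn=compat,dc=example,dc=com

dn: cn=myname,cn=groups,cn=accounts,dc=example,
 dc=com
'
printf '%s' "$SAMPLE" | build_detach_ldif
# Real use, after kinit admin and after reading the generated LDIF:
#   ldapsearch -LLL -Y GSSAPI cn=myname dn | build_detach_ldif | ldapmodify -Y GSSAPI
```

Refusing to proceed when zero or several DNs match keeps the delete from landing on an entry other than the dangling private group.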



