Sylvain Angers wrote:


Hello
Someone did delete the admin group by mistake, how can we recover from
this? No one change password, or any other admin task is allow. But we have the 
Directory server password.


the remaining group is "ipausers" and we had only the default group


Please any help will be appreciate


We prevent this in newer versions.

This is untested so YMMV.

Try putting this into an LDIF. Change example.com and replace <UID> with the UID of the old group if you can. If you don't have it then use 999 and a new one should be assigned.

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
cn: admins
description: Account administrators group
member: uid=admin,cn=users,cn=accounts,dc=example,dc=com
gidNumber: <UID>

# ldapadd -x -D 'cn=Directory Manager' -W < /path/to/ldif

You also may need to fix up some delegations. You can use ipa-show --all --raw on these privileges to see if admins is a member, I doubt it is. You want to look at:

Replication Administrators
Host Enrollment
Unlock user accounts
Manage service keytab

If not add it using something like this for each privilege:

# ldapmodify -x -D 'cn=Directory Manager' -w password
dn: cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=com
changetype: modify
add: member
member: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

^D

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to