Sylvain Angers wrote:

Someone deleted the admin group by mistake, how can we recover from
this? No one can change passwords, nor is any other admin task allowed. But we have the
Directory Server password.

The remaining group is "ipausers" and we had only the default group.

Please, any help will be appreciated.

We prevent this in newer versions.

This is untested so YMMV.

Try putting this into an LDIF. Change and replace <UID> with the UID of the old group if you can. If you don't have it then use 999 and a new one should be assigned.

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
cn: admins
description: Account administrators group
member: uid=admin,cn=users,cn=accounts,dc=example,dc=com
gidNumber: <UID>

# ldapadd -x -D 'cn=Directory Manager' -W < /path/to/ldif

You also may need to fix up some delegations. You can use ipa-show --all --raw on these privileges to see if admins is a member, I doubt it is. You want to look at:

Replication Administrators
Host Enrollment
Unlock user accounts
Manage service keytab

If not add it using something like this for each privilege:

# ldapmodify -x -D 'cn=Directory Manager' -w password
dn: cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=com
changetype: modify
add: member
member: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
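The recovery steps above (recreate the admins group with ldapadd, then add it back to each privilege with ldapmodify) collected into a small POSIX shell script. This is an added example, not code from the thread or from FreeIPA itself. It assumes the same base DN used in the reply (dc=example,dc=com), that you already know the old gidNumber (or fall back to 999 as suggested), and that whatever you use to inspect a privilege (ipa privilege-show --all --raw or an ldapsearch -LLL bound as Directory Manager) prints membership as "member: <dn>" lines. Nothing is written to the directory until you pipe a function's output into ldapadd or ldapmodify yourself.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Generates the LDIF documents from the reply and checks privilege membership.
# Assumed: base DN passed as $1 everywhere; "member: <dn>" output lines.

# Print the LDIF that recreates the admins group.
#   $1 = base DN (e.g. dc=example,dc=com), $2 = gidNumber to restore.
# A non-numeric GID is rejected so a leftover "<UID>" placeholder from the
# hand-written LDIF never reaches ldapadd (which would fail or, worse, create
# a half-correct entry you then have to clean up).
admins_group_ldif() {
    base="$1"; gid="$2"
    case "$gid" in
        ''|*[!0-9]*)
            echo "admins_group_ldif: gidNumber must be numeric, got '$gid'" >&2
            return 1 ;;
    esac
    cat <<EOF
dn: cn=admins,cn=groups,cn=accounts,$base
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
cn: admins
description: Account administrators group
member: uid=admin,cn=users,cn=accounts,$base
gidNumber: $gid
EOF
}

# Print an ldapmodify LDIF that re-adds the admins group to one privilege.
#   $1 = base DN, $2 = privilege name (e.g. "Replication Administrators").
privilege_member_ldif() {
    base="$1"; priv="$2"
    cat <<EOF
dn: cn=$priv,cn=privileges,cn=pbac,$base
changetype: modify
add: member
member: cn=admins,cn=groups,cn=accounts,$base
EOF
}

# Read a privilege entry (ipa privilege-show --all --raw, or ldapsearch -LLL
# output) on stdin; exit 0 only if the admins group DN is listed as a member.
# Case-insensitive because LDAP DNs compare case-insensitively.
admins_is_member() {
    base="$1"
    grep -iq "^ *member: *cn=admins,cn=groups,cn=accounts,$base *$"
}

# Dry run: print every LDIF that the recovery would feed to the directory.
# Usage once you are happy with the output (bind as Directory Manager):
#   admins_group_ldif dc=example,dc=com 999 | ldapadd -x -D 'cn=Directory Manager' -W
#   privilege_member_ldif dc=example,dc=com 'Host Enrollment' \
#       | ldapmodify -x -D 'cn=Directory Manager' -W
dry_run() {
    base="${1:-dc=example,dc=com}"; gid="${2:-999}"
    admins_group_ldif "$base" "$gid" || return 1
    for priv in "Replication Administrators" "Host Enrollment" \
                "Unlock user accounts" "Manage service keytab"; do
        echo
        privilege_member_ldif "$base" "$priv"
    done
}
```

Run admins_is_member against each of the four privileges first; only generate and apply the modify LDIF for the ones where it fails, since adding a member that is already present makes ldapmodify return an "attribute or value exists" error.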

Freeipa-users mailing list