On Tue, Jul 14, 2015 at 09:01:54AM +0000, Les Stott wrote:
> Jakub,
>
> Thanks for the follow up.
>
> We try and stick to standard rhel/epel repos (due to policy) so I am not
> able to install a non-standard version of sssd.

OK, please note that pretty much the same version will come to 6.7 in a
couple of days.

>
> I have decided to disable the User Private Group plugin and convert ipausers
> to a posix group. There was nothing I could see that required us to use
> UPGs. This setup is working for me now.

The drawback might be that ipausers would get really large over time and
resolving the large group including the members would take a long time.

>
> Thanks,
>
> Les
>
> > -----Original Message-----
> > From: freeipa-users-boun...@redhat.com
> > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
> > Sent: Tuesday, 14 July 2015 6:42 PM
> > To: email@example.com
> > Subject: Re: [Freeipa-users] freeipa and User Private Groups
> >
> > On Mon, Jul 13, 2015 at 09:11:09AM +0000, Les Stott wrote:
> > > Hi All,
> > >
> > > Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64
> > >
> > > So, by default, when you create a user in freeipa, that user will be
> > > set to have a primary group that is hidden and not a POSIX group.
> > >
> > > This means that when the user logs in to a host, they will see
> > > something like...
> > >
> > > id: cannot find name for group ID <group_number>
> >
> > It is not expected to not be able to return the name of the user group
> > and I don't see that in my setup. I was suspecting rhbz#1165074 but your
> > sssd should already have that bug fixed.
> >
> > Can you see if the packages from
> > https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
> > also show that behaviour?
> >
> > If yes, can you get us sssd logs as described here:
> > https://fedorahosted.org/sssd/wiki/Troubleshooting
> >
> > >
> > > running the id command shows no name returned for this group.
> > >
> > > I understand you can disable private groups globally, however it is
> > > discouraged. I also realise you can simply create POSIX groups when
> > > creating users.
> > >
> > > In the spirit of trying to stick with the defaults....
> > >
> > > Is there a way to avoid the login error where id can't retrieve the
> > > group name from a UPG?
> > >
> > > Thanks,
> > >
> > > Les
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project