On 06/10/15 13:14, Rob Crittenden wrote:
Sean Hogan wrote:

I have been rolling out an IPA deployment for IBM Watson for the past 3
months. Initially I did not want to take on application ids (linux OS
Ids owning apps). I now have to so I have created the accounts in IPA
however new files created by user wdadeploy are being created with
wdadeploy:wdadeploy where the app team wants new files owned
wdadeploy:wdaadmins. Is there a way to accomplish this? I wanted the
application IDs to stay local but they want to see if this works.

By default IPA creates users with a user-private group. This is a POSIX
group that cannot have members with the same name as the user (and the
UID and GID will match).

SSSD gets the primary group from the GID attribute in the user so you
have a couple of options that I can see:

1. Modify the user to set the GID to the GID of wdaadmins
2. 1. and also detach the private group from the user since it isn't
being used any more (and you can delete it if you know you'll never use
it). Note that once detached it can never be re-attached (or not via any
IPA-provided tools anyway).

Now strictly speaking I don't think that wdadeploy needs to be a member
of wdaadmins for this to work but that would probably be quite confusing
in the long-run.

Use the id command to confirm that the gid resolves to wdaadmins.

Another option is to keep stuff as it is in IPA and use file system default ACLs so that wdaadmins get read/write or whatever access on the files wdadeploy creates.


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to