On Wed, Apr 13, 2016 at 12:30:56AM -0400, Prasun Gera wrote:
> My main ipa server used to be an NIS server. After migrating everything
> into ipa, there is no need for the users and groups to exist in /etc/passwd
> and /etc/group. Leaving them around would cause duplicate entries,
> passwords falling out of sync and other issues on the server. So the right
> approach is to delete all the local users and groups, and let ipa handle
> everything. I was able to delete all the local users from /etc/passwd.
> However, groupdel won't let me delete the local groups. It complains that
> xyz user's primary group is abc and hence you can't delete it. The user
> itself is not a part of /etc/passwd anymore. This is a bug as far as I can
> tell. groupdel should check these constraints only for local users and
> local groups. It shouldn't mix ipa users and ipa groups with them.
>
> Environment: RHEL 7.2, idm 4.x

Looking at groupdel code, they just loop through all users with getpwent and report a primary group if any of the enumerated users matched the gid trying to be removed.

So I would only expect this to happen if enumerate=true is set in sssd.conf, otherwise it should not be possible to reach those users with getpwent (if you removed them from passwd already).

As a quick check, you can see if "getent passwd" without a user argument shows those users.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
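
The quick check from the reply above, carried one step further as an added example (not part of the original message and not groupdel's own code): it lists every enumerated user whose primary GID matches the group being removed and marks whether that user still exists in the local passwd file. The function names and the `local`/`non-local` labels are made up for this example.

```shell
#!/bin/sh
# Added example: reproduce the primary-group test described in the reply.
# Function names and output labels are hypothetical, chosen for illustration.

# classify_blockers GID ENUMERATED LOCAL
#   ENUMERATED: file with `getent passwd` output (the users getpwent returns)
#   LOCAL:      local account file, normally /etc/passwd
# Prints "login:local" or "login:non-local" for each user whose primary
# GID (passwd field 4) equals GID. No output means nothing blocks removal.
classify_blockers() {
    awk -F: -v gid="$1" '
        FILENAME == ARGV[1] { is_local[$1] = 1; next }   # pass 1: local logins
        $4 == gid {
            origin = ($1 in is_local) ? "local" : "non-local"
            print $1 ":" origin
        }
    ' "$3" "$2"
}

# check_gid GID
#   Live wrapper: snapshots the enumerated user list and compares it with
#   /etc/passwd. "non-local" entries are reachable only through another
#   NSS source (for example SSSD with enumeration turned on).
check_gid() {
    snapshot=$(mktemp) || return 1
    getent passwd > "$snapshot"
    classify_blockers "$1" "$snapshot" /etc/passwd
    rc=$?
    rm -f "$snapshot"
    return "$rc"
}

# Run against the live system only when a GID is given on the command line.
if [ "$#" -eq 1 ]; then
    check_gid "$1"
fi
```

Run it as `sh script.sh <gid>`; any `non-local` line names a user that is visible to getpwent without being in /etc/passwd.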
