Re: [Freeipa-users] Service accounts and groups
On 02/07/2013 08:46 PM, Steven Jones wrote:
> Hi,
>
> I have had little to do with permissions until now so bear with me if the Qs
> are obviously stupid, probably not really IPA but a linux blind spot I
> have anyway,
>
> So I have a service account with its group this runs a database.
>
> So oracle with uid 2000 and gid 2000. I have some other users that need to
> be in the oracle user's group but I can't do that in IPA?
>
> So how do I get around that?
>
> Or am I approaching it totally wrong?
>
> I created a user group called oragrp gid 2001 but the user oracle is creating
> files with a uid of 2000 and gid of 2000 and not a gid of 2001 which I assume
> would fix it?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>

Hello Steven,

I assume you want to change oracle user primary GID, i.e. something like that:

    # ipa group-add oragrp --desc "Oracle Group" --gid 2001
    Added group "oragrp"
      Group name: oragrp
      Description: Oracle Group
      GID: 2001

    # ipa user-add --first Oracle --last User oracle --noprivate --uid 2000 --gidnumber 2001
    ---
    Added user "oracle"
    ---
      User login: oracle
      First name: Oracle
      Last name: User
      Full name: Oracle User
      Display name: Oracle User
      Initials: OU
      Home directory: /home/oracle
      GECOS field: Oracle User
      Login shell: /bin/sh
      Kerberos principal: ora...@example.com
      Email address: ora...@example.com
      UID: 2000
      GID: 2001
      Password: False
      Member of groups: ipausers
      Kerberos keys available: False

    # su oracle
    sh-4.2$ id
    uid=2000(oracle) gid=2001(oragrp) groups=2001(oragrp) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    $ touch /tmp/foo
    $ ls -la /tmp/foo
    -rw-r--r--. 1 oracle oragrp 0 Feb 8 02:28 /tmp/foo

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
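An added example, not part of the original thread or of FreeIPA: a check of what the session above shows, namely that a new file is stamped with the creating process's primary GID, while a group held only as a supplementary membership does not change that. It assumes a Linux host with GNU `stat`; the function names `group_role` and `new_file_gid` are hypothetical.

```shell
#!/bin/sh
# Added example: function names are illustrative, not FreeIPA commands.

# Report how user $1 holds group $2 (by name), as resolved through NSS
# (local files or SSSD/IPA): primary, supplementary, or none.
# Assumes group names without spaces.
group_role() {
    user=$1 group=$2
    if [ "$(id -gn "$user")" = "$group" ]; then
        echo primary            # the passwd GID (ipa user-add --gidnumber)
    elif id -Gn "$user" | tr ' ' '\n' | grep -qxF -- "$group"; then
        echo supplementary      # membership only; new files keep the primary GID
    else
        echo none
    fi
}

# Print the GID actually stamped on a file created by this process.
new_file_gid() {
    dir=$(mktemp -d) || return 1
    chmod g-s "$dir"            # rule out setgid inheritance from the parent dir
    touch "$dir/probe"
    gid=$(stat -c %g "$dir/probe")
    rm -rf "$dir"
    echo "$gid"
}

# Usage: sh check_group.sh [user] [group]
# Defaults to the calling user and that user's primary group.
user=${1:-$(id -un)}
group=${2:-$(id -gn)}
echo "$user / $group: $(group_role "$user" "$group"); new files here get GID $(new_file_gid)"
```

Run as the service account (for example after `su oracle`), `new_file_gid` should print 2001 once the primary GID has been changed as in the session above.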
Re: [Freeipa-users] Service accounts and groups
All users are IPA only

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of KodaK [sako...@gmail.com]
Sent: Friday, 8 February 2013 11:22 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Service accounts and groups

On Thu, Feb 7, 2013 at 1:46 PM, Steven Jones wrote:
> Hi,
>
> I have had little to do with permissions until now so bear with me if the Qs
> are obviously stupid, probably not really IPA but a linux blind spot I
> have anyway,
>
> So I have a service account with its group this runs a database.
>
> So oracle with uid 2000 and gid 2000. I have some other users that need to
> be in the oracle user's group but I can't do that in IPA?
>

Is oracle an IPA user and group or a local user and group?

Assuming a Linux host and a local oracle user and group: you can add the IPA users to a local group and it will work. I have no idea if that's the "right" way to do it, though.

> I created a user group called oragrp gid 2001 but the user oracle is creating
> files with a uid of 2000 and gid of 2000 and not a gid of 2001 which I assume
> would fix it?

Again, if oracle is a local user, you can change his primary group using "usermod -G 2001 oracle" -- but you might as well just add the IPA users to the local oracle group.

--Jason
Re: [Freeipa-users] Service accounts and groups
On Thu, Feb 7, 2013 at 1:46 PM, Steven Jones wrote:
> Hi,
>
> I have had little to do with permissions until now so bear with me if the Qs
> are obviously stupid, probably not really IPA but a linux blind spot I
> have anyway,
>
> So I have a service account with its group this runs a database.
>
> So oracle with uid 2000 and gid 2000. I have some other users that need to
> be in the oracle user's group but I can't do that in IPA?
>

Is oracle an IPA user and group or a local user and group?

Assuming a Linux host and a local oracle user and group: you can add the IPA users to a local group and it will work. I have no idea if that's the "right" way to do it, though.

> I created a user group called oragrp gid 2001 but the user oracle is creating
> files with a uid of 2000 and gid of 2000 and not a gid of 2001 which I assume
> would fix it?

Again, if oracle is a local user, you can change his primary group using "usermod -G 2001 oracle" -- but you might as well just add the IPA users to the local oracle group.

--Jason
[Freeipa-users] Service accounts and groups
Hi,

I have had little to do with permissions until now so bear with me if the Qs are obviously stupid, probably not really IPA but a linux blind spot I have anyway,

So I have a service account with its group this runs a database.

So oracle with uid 2000 and gid 2000. I have some other users that need to be in the oracle user's group but I can't do that in IPA?

So how do I get around that?

Or am I approaching it totally wrong?

I created a user group called oragrp gid 2001 but the user oracle is creating files with a uid of 2000 and gid of 2000 and not a gid of 2001 which I assume would fix it?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272