Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread KodaK
On Thu, Feb 7, 2013 at 1:46 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
 Hi,

 I have had little to do with permissions until now, so bear with me if the Qs 
 are obviously stupid; probably not really IPA but a Linux blind spot I 
 have, anyway.

 So I have a service account with its group this runs a database.

 So oracle with uid 2000 and gid 2000.  I have some other users that need to 
 be in the oracle user's group but I can't do that in IPA?


Is oracle an IPA user and group or a local user and group?

Assuming a Linux host and a local oracle user and group:  you can add
the IPA users to a local group and it will work.  I have no idea if
that's the right way to do it, though.


 I created a user group called oragrp gid 2001 but the user oracle is creating 
 files with a uid of 2000 and gid of 2000 and not a gid of 2001 which I assume 
 would fix it?

Again, if oracle is a local user, you can change his primary group
using usermod -G 2001 oracle -- but you might as well just add the
IPA users to the local oracle group.

--Jason

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread Steven Jones
All users are IPA only

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] Service accounts and groups

2013-02-07 Thread Martin Kosek
On 02/07/2013 08:46 PM, Steven Jones wrote:
 Hi,
 
 I have had little to do with permissions until now, so bear with me if the Qs 
 are obviously stupid; probably not really IPA but a Linux blind spot I 
 have, anyway.
 
 So I have a service account with its group this runs a database.
 
 So oracle with uid 2000 and gid 2000.  I have some other users that need to 
 be in the oracle user's group but I can't do that in IPA? 
 
 So how do I get around that?
 
 Or am I approaching it totally wrong?
 
 I created a user group called oragrp gid 2001 but the user oracle is creating 
 files with a uid of 2000 and gid of 2000 and not a gid of 2001 which I assume 
 would fix it?
 
 regards
 
 Steven Jones
 
 Technical Specialist - Linux RHCE
 
 Victoria University, Wellington, NZ
 
 0064 4 463 6272
 

Hello Steven,

I assume you want to change the oracle user's primary GID, i.e. something like this:

# ipa group-add oragrp --desc "Oracle Group" --gid 2001

Added group oragrp

  Group name: oragrp
  Description: Oracle Group
  GID: 2001

# ipa user-add --first Oracle --last User oracle --noprivate --uid 2000 --gidnumber 2001
---
Added user oracle
---
  User login: oracle
  First name: Oracle
  Last name: User
  Full name: Oracle User
  Display name: Oracle User
  Initials: OU
  Home directory: /home/oracle
  GECOS field: Oracle User
  Login shell: /bin/sh
  Kerberos principal: ora...@example.com
  Email address: ora...@example.com
  UID: 2000
  GID: 2001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

# su oracle
sh-4.2$ id
uid=2000(oracle) gid=2001(oragrp) groups=2001(oragrp)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ touch /tmp/foo
$ ls -la /tmp/foo
-rw-r--r--. 1 oracle oragrp 0 Feb  8 02:28 /tmp/foo

Martin

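The procedure Martin shows, carried through for an oracle user that already exists (the situation in Steven's question), as an added example that is not part of the thread and not FreeIPA's own tooling. It assumes the thread's names and numbers (oracle/2000, oragrp/2001), an admin with a valid Kerberos ticket for the ipa commands, clients that resolve identities through SSSD, and two hypothetical human logins, alice and bob, that should be able to read the database files. The passwd/group lines used for the offline run are constructed, in the format getent returns on a client.

```shell
#!/bin/sh
# Added example, not from the thread: give an existing IPA service account a
# shared primary group and verify what the clients actually see.
# oracle/2000 and oragrp/2001 come from the thread; alice and bob are
# hypothetical logins.

# passwd(5) line "name:x:uid:gid:gecos:home:shell" -> primary gid
passwd_gid() {
    printf '%s\n' "$1" | cut -d: -f4
}

# group(5) line "name:x:gid:m1,m2,..." -> gid
group_gid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 if login $2 is a supplementary member in group line $1, else 1
group_has_member() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    printf '%s\n' "$members" | tr ',' '\n' | grep -qx "$2"
}

# Check that the service user's primary GID equals the shared group's GID
# (files it creates then carry that group) and that every wanted login is a
# member. Reports each discrepancy; returns 0 only if everything matches.
verify_service_group() {
    pw_line=$1; gr_line=$2; shift 2
    rc=0
    if [ "$(passwd_gid "$pw_line")" != "$(group_gid "$gr_line")" ]; then
        echo "primary gid $(passwd_gid "$pw_line") != group gid $(group_gid "$gr_line")"
        rc=1
    fi
    for u in "$@"; do
        group_has_member "$gr_line" "$u" || { echo "$u is not a member"; rc=1; }
    done
    return $rc
}

# The IPA-side change. Needs the ipa CLI and a kinit'd admin, so the
# stand-alone run below does not call it.
apply_in_ipa() {
    ipa group-add oragrp --desc "Oracle Group" --gid 2001
    ipa user-mod oracle --gidnumber=2001           # primary group, not --noprivate
    ipa group-add-member oragrp --users=alice,bob  # humans get it as supplementary
    sss_cache -E                                   # drop cached identities on this client
}

# Live check on an enrolled client after apply_in_ipa.
check_live() {
    verify_service_group "$(getent passwd oracle)" "$(getent group oragrp)" alice bob
}

# Constructed sample lines standing in for getent output.
PW_OK='oracle:*:2000:2001:Oracle User:/home/oracle:/bin/sh'
PW_OLD='oracle:*:2000:2000:Oracle User:/home/oracle:/bin/sh'
GR_OK='oragrp:*:2001:alice,bob'

verify_service_group "$PW_OK" "$GR_OK" alice bob && echo "oragrp: ok"
verify_service_group "$PW_OLD" "$GR_OK" alice bob || echo "oragrp: still on old gid 2000"
```

Two things to check afterwards. Files oracle created before the change keep gid 2000, so `find / -group 2000` and a `chgrp` are needed for them; the primary-GID change only affects new files. And membership in oragrp hands every member group-level access to whatever the database writes, so keep the group dedicated to that purpose and check the umask the database runs under before adding people.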