Sylvain Angers wrote:

Hello
Someone deleted the admin group by mistake; how can we recover from
this? No one can change passwords, and no other admin task is allowed. But we have the
Directory Server password.


The remaining group is "ipausers", and we had only the default groups.


Please, any help will be appreciated.


We prevent this in newer versions.

This is untested so YMMV.

Try putting this into an LDIF. Change example.com and replace <UID> with the UID of the old group if you can. If you don't have it, use 999 and a new one should be assigned.

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
cn: admins
description: Account administrators group
member: uid=admin,cn=users,cn=accounts,dc=example,dc=com
gidNumber: <UID>

# ldapadd -x -D 'cn=Directory Manager' -W < /path/to/ldif

You also may need to fix up some delegations. You can use ipa-show --all --raw on these privileges to see whether admins is a member; I doubt it is. You want to look at:

Replication Administrators
Host Enrollment
Unlock user accounts
Manage service keytab

If not, add it using something like this for each privilege:

# ldapmodify -x -D 'cn=Directory Manager' -w password
dn: cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=com
changetype: modify
add: member
member: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

^D

rob
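The recovery described in the reply above, scripted as an added example (not code from the thread or from FreeIPA): it builds the group LDIF, then checks each privilege with ldapsearch and only adds the admins group where it is missing. BASE, PWFILE (a file holding the Directory Manager password) and the privilege list are assumptions to adjust before running.

```shell
# Added example, not from the thread: scripts the recovery steps above.
# Assumptions: BASE, PWFILE (file holding the Directory Manager password,
# mode 0600) and the privilege list; adjust before running.
set -e
BASE="${BASE:-dc=example,dc=com}"
PWFILE="${PWFILE:-/root/dm-password.txt}"
ADMINS_DN="cn=admins,cn=groups,cn=accounts,$BASE"
PRIVILEGES="Replication Administrators
Host Enrollment
Unlock user accounts
Manage service keytab"
# LDIF recreating the admins group; $1 is the gidNumber (999 lets FreeIPA's
# DNA plugin allocate a fresh GID, as the reply notes).
admins_group_ldif() {
  cat <<EOF
dn: $ADMINS_DN
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
cn: admins
description: Account administrators group
member: uid=admin,cn=users,cn=accounts,$BASE
gidNumber: $1
EOF
}
# LDIF adding the admins group as a member of privilege $1.
privilege_member_ldif() {
  printf 'dn: cn=%s,cn=privileges,cn=pbac,%s\nchangetype: modify\nadd: member\nmember: %s\n' \
    "$1" "$BASE" "$ADMINS_DN"
}
# Succeeds if the LDIF entry on stdin (ldapsearch output) already lists the
# admins group as a member; DNs are case-insensitive, hence -i.
has_admins_member() { grep -qi "^member: $ADMINS_DN\$"; }
# Step 1 recreates the group, step 2 adds it to each privilege lacking it.
recover() {
  admins_group_ldif "${1:-999}" | ldapadd -x -D 'cn=Directory Manager' -y "$PWFILE"
  printf '%s\n' "$PRIVILEGES" | while IFS= read -r priv; do
    if ldapsearch -x -D 'cn=Directory Manager' -y "$PWFILE" -o ldif-wrap=no \
         -b "cn=$priv,cn=privileges,cn=pbac,$BASE" -s base member | has_admins_member
    then echo "ok: $priv"
    else privilege_member_ldif "$priv" | ldapmodify -x -D 'cn=Directory Manager' -y "$PWFILE"
    fi
  done
}
```

Run `recover` with the old GID as its argument when you still know it, or with no argument to let 999 trigger allocation of a new one.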

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users