Yes, getent passwd shows the users, and sssd.conf didn't have enumerate=true. As it turns out, this happens because ypbind was running on the server, which binds to ipa's fake nis server on the same machine. Once I stopped ypbind, I was able to delete those groups. This was an interesting case.

On Wed, Apr 13, 2016 at 3:28 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Wed, Apr 13, 2016 at 12:30:56AM -0400, Prasun Gera wrote:
> > My main ipa server used to be an NIS server. After migrating everything
> > into ipa, there is no need for the users and groups to exist in /etc/passwd
> > and /etc/group. Leaving them around would cause duplicate entries,
> > passwords falling out of sync and other issues on the server. So the right
> > approach is to delete all the local users and groups, and let ipa handle
> > everything. I was able to delete all the local users from /etc/passwd.
> > However, groupdel won't let me delete the local groups. It complains that
> > xyz user's primary group is abc and hence you can't delete it. The user
> > itself is not a part of /etc/passwd anymore. This is a bug as far as I can
> > tell. groupdel should check these constraints only for local users and
> > local groups. It shouldn't mix ipa users and ipa groups with them.
> >
> > Environment: RHEL 7.2, idm 4.x
>
> Looking at groupdel code, they just loop through all users with
> getpwent and report a primary group if any of the enumerated users
> matched the gid trying to be removed.
>
> So I would only expect this to happen if enumerate=true is set in
> sssd.conf, otherwise it should not be possible to reach those users with
> getpwent (if you removed them from passwd already). As a quick check,
> you can see if "getent passwd" without a user argument shows those
> users.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
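
A diagnostic for the situation in this thread, as an added example that is not part of the original messages or of groupdel itself: it lists every enumerated account whose primary GID matches the group being removed and marks whether the account is really in the local passwd file or reaches the enumeration from another source such as a bound NIS domain. The function name `blocking_users`, its file arguments and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example. groupdel (per the thread) walks the getpwent enumeration, so
# any enumerable account with a matching primary GID blocks the removal,
# whether or not it is still in /etc/passwd.

# blocking_users GID [ENUM_FILE] [LOCAL_FILE]
#   ENUM_FILE  passwd-format enumeration; default: live "getent passwd"
#   LOCAL_FILE local account file; default: /etc/passwd
blocking_users() {
    gid=$1 enum_file=${2:-} local_file=${3:-/etc/passwd}
    if [ -n "$enum_file" ]; then cat "$enum_file"; else getent passwd; fi |
    awk -F: -v gid="$gid" -v lf="$local_file" '
        BEGIN {
            while ((getline line < lf) > 0) {
                if (line ~ /^[#+-]/) continue   # skip comments and NIS compat entries
                split(line, f, ":"); is_local[f[1]] = 1
            }
        }
        $4 == gid { print $1 ":" (($1 in is_local) ? "local" : "non-local") }'
}

# Constructed sample data: alice was deleted from the local file but is still
# enumerated (as through a bound ypbind); bob is a genuine local account.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'bob:x:1002:5000:Bob:/home/bob:/bin/bash' > "$d/local"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'bob:x:1002:5000:Bob:/home/bob:/bin/bash' \
                  'alice:x:1001:5000:Alice:/home/alice:/bin/bash' \
                  'carol:x:1003:5001:Carol:/home/carol:/bin/bash' > "$d/enum"
    blocking_users 5000 "$d/enum" "$d/local"
    rm -rf "$d"
}

demo
```

Called with only a GID, `blocking_users` reads the live `getent passwd` output and `/etc/passwd`; any `non-local` line points at an NSS source other than the local file that is still being enumerated.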