On 06/21/2012 09:11 PM, george he wrote:
Hello Rich,
Thanks for the help. This does remove the group so I can add the user
back.
But when I try to ssh, as that user, to the machines that the user
had logged on to before "ipa user-del", I get "permission denied".
I removed the user's home directory because it still belongs to the
deleted UID:GID. After that I still get "permission denied".
Any suggestions?
I don't know. I just wanted to make sure you were using
389-ds-base-1.2.11.5 or .6 or later on F-17 to avoid this "dangling"
private group in the future.
Thanks again,
George
------------------------------------------------------------------------
*From:* Rich Megginson <[email protected]>
*To:* george he <[email protected]>
*Cc:* "[email protected]" <[email protected]>
*Sent:* Thursday, June 21, 2012 2:43 PM
*Subject:* Re: [Freeipa-users] ipa user-add
On 06/21/2012 12:25 PM, george he wrote:
Hello all,
After the server and the client are installed, I run
ipa user-add myname
to add users. The users are added successfully, but each user gets
his own GID, which is the same as his UID, even though "ipa
config-show --all" shows
Default users group: ipausers
How do I put all new users into this ipausers group? If I use
--gidnumber=INT, how do I find out the GID of the ipausers group?
I tried to delete a user using "ipa user-del myname", but the
private group myname is left there. So I did the following:
# ipa group-del myname
ipa: ERROR: Deleting a managed group is not allowed. It must be
detached first.
# ipa group-detach myname
ipa: ERROR: myname: group not found
# ipa user-add myname
First name: myfirstname
Last name: mylastname
ipa: ERROR: Unable to create private group. A group 'myname'
already exists.
How do I get out of this loop?
What is your platform and 389-ds-base version?
I'm not familiar with group-detach, but you can manually detach
and remove the private group using ldapsearch and ldapmodify:
assuming you have done kinit admin:
1) ldapsearch -LLL -Y GSSAPI cn=myname dn
This will give you the DN of the group - ignore any entries in the
compat tree
2) ldapmodify -Y GSSAPI <<EOF
dn: DN of the group from ldapsearch
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: DN of the group from ldapsearch
changetype: delete
EOF
This will remove the private group.
Thanks,
George
_______________________________________________
Freeipa-users mailing list
[email protected] <mailto:[email protected]>
https://www.redhat.com/mailman/listinfo/freeipa-users