On 06/22/2012 09:34 AM, Rich Megginson wrote:
> On 06/21/2012 09:11 PM, george he wrote:
>> Hello Rich,
>> Thanks for the help. This does remove the group so I can add the user
>> back.
>> But when I try to ssh, as that user, to the machines that the user
>> logged on before "ipa user-del", I get "permission denied".
>> I removed the user's home directory because it still belongs to the
>> deleted UID:GID. After that I still get "permission denied".
>> Any suggestions?
>
> I don't know. I just wanted to make sure you were using
> 389-ds-base-1.2.11.5 or .6 or later on F-17 to avoid this "dangling"
> private group in the future.
>

Maybe there is some other file on the system owned by the deleted user that ssh tries to read?

>
>> Thanks again,
>> George
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson <[email protected]>
>> *To:* george he <[email protected]>
>> *Cc:* "[email protected]" <[email protected]>
>> *Sent:* Thursday, June 21, 2012 2:43 PM
>> *Subject:* Re: [Freeipa-users] ipa user-add
>>
>> On 06/21/2012 12:25 PM, george he wrote:
>>> Hello all,
>>>
>>> After the server and the client are installed, I run
>>>
>>> ipa user-add myname
>>>
>>> to add users. The users are added successfully, but each user
>>> gets his own GID, which is the same as his UID, even though "ipa
>>> config-show --all" shows
>>> Default users group: ipausers
>>>
>>> How do I put all new users to this ipausers group? If I use
>>> --gidnumber=INT, how to find out the GID of the ipausers group?
>>>
>>> I tried to delete a user using "ipa user-del myname", but the
>>> private group myname is left there. So I did the following:
>>>
>>> # ipa group-del myname
>>> ipa: ERROR: Deleting a managed group is not allowed. It must be
>>> detached first.
>>> # ipa group-detach myname
>>> ipa: ERROR: myname: group not found
>>> # ipa user-add myname
>>> First name: myfirstname
>>> Last name: mylastname
>>> ipa: ERROR: Unable to create private group. A group 'myname'
>>> already exists.
>>>
>>> How do I get out of this loop?
>>
>> What is your platform and 389-ds-base version?
>>
>> I'm not familiar with group-detach, but you can manually detach
>> and remove the private group using ldapsearch and ldapmodify:
>>
>> assuming you have done kinit admin:
>> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>> This will give you the DN of the group - ignore any entries in
>> the compat tree
>>
>> 2) ldapmodify -Y GSSAPI <<EOF
>> dn: DN of the group from ldapsearch
>> changetype: modify
>> delete: objectclass
>> objectclass: mepManagedEntry
>> -
>> delete: mepManagedBy
>> -
>>
>> dn: DN of the group from ldapsearch
>> changetype: delete
>> EOF
>>
>> This will remove the private group.
>>>
>>> Thanks,
>>> George
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> [email protected]
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
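
Steps 1 and 2 from the quoted reply, combined into one script as an added example that is not part of the original thread. It unfolds wrapped LDIF lines, skips compat-tree entries, and refuses to build the delete unless exactly one group DN remains. The function names, the `dc=example,dc=com` suffix and the sample search output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `ldapsearch -LLL -Y GSSAPI cn=<name> dn` output into the
# detach-and-delete LDIF from the thread. Function names are hypothetical.

# Print DNs read from LDIF on stdin, skipping entries in the compat tree.
# LDIF folds long lines: a continuation line starts with one space.
# Base64 DNs ("dn:: ...") are not matched, so they cause a safe failure below.
group_dns() {
  awk '
    /^ / { line = line substr($0, 2); next }   # unfold continuation line
         { emit(); line = $0 }
    END  { emit() }
    function emit() {
      if (line ~ /^dn: / && tolower(line) !~ /,cn=compat,/)
        print substr(line, 5)
    }'
}

# Build the LDIF: remove the managed-entry markers, then delete the group.
# Fails unless exactly one non-compat DN was found on stdin.
detach_ldif() {
  dns=$(group_dns)
  count=$(printf '%s' "$dns" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one group DN, found $count" >&2
    return 1
  fi
  cat <<EOF
dn: $dns
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: $dns
changetype: delete
EOF
}

# Constructed sample of ldapsearch -LLL output; the second DN is folded.
SAMPLE='dn: cn=myname,cn=groups,cn=compat,dc=example,dc=com

dn: cn=myname,cn=groups,cn=accoun
 ts,dc=example,dc=com
'
printf '%s' "$SAMPLE" | detach_ldif   # review this before piping to ldapmodify
```

On a real server, pipe the output of the `ldapsearch` command from step 1 into `detach_ldif` and read the generated LDIF before handing it to `ldapmodify -Y GSSAPI`.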
