Hello, I'm a bit confused about private user groups. If I set user A's uidNumber to the gidNumber of another group B (not a private user group), then the user will have the same uidNumber as two groups' gidNumbers: group B's and their own private group's. How does this affect ldapsearch if I'd like to retrieve group B and not the private group based on gid? Are there going to be other side effects? Also, from what I've understood the private user groups are used to manage rights, so I guess we cannot choose to delete them, or at least choose to have them created as non-POSIX, right? Thank you very much, Mary
Mary Georgiou via FreeIPA-users wrote:
I'm not going to directly answer your questions, but I hope that I can explain how private groups work and that it will be helpful.
POSIX requires a user to have a uid and a gid. You can have some common gid (say for the group ipausers) but then you can end up with a huge, unmanageable group (trust me on this one).
Or you can create a group with the same gid as the uid and assign only that user to it. Red Hat-based distros had been doing that for quite some time before IPA came along.
IPA took a similar route except made it so that these private groups cannot contain members. And since they can't contain members why show them by default in group-find? And isn't that sooo much nicer to only see the groups you really care about and not a bunch of no-member user groups?
Otherwise private groups aren't used for anything at all. It is just each individual user's playground.
If you want to make a private group non-private for some reason you can use the command ipa group-detach. There is no re-attach equivalent so use this wisely. I have a blog entry on how to do it, https://rcritten.wordpress.com/2018/09/05/migration-and-user-private-groups/ but I was just curious if it could be done, don't consider this supported.
rob
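The following is an added example, not code from this thread or from FreeIPA, that works through Mary's ldapsearch question against the behaviour Rob describes. It assumes what FreeIPA's managed entries plugin actually does when it creates a user private group: the group entry is tagged with objectClass mepManagedEntry and carries a mepManagedBy attribute naming the owning user, which is the same marker `ipa group-find` uses to hide UPGs by default. The directory snapshot, the suffix dc=example,dc=test, and the names groupb/usera/alice are all constructed for illustration, and the detach_private_group() function is a model of what group-detach leaves behind rather than FreeIPA's own code.

```python
"""Telling a FreeIPA user private group (UPG) apart from a regular POSIX group
that shares its gidNumber.

Added example, not code from the thread or from FreeIPA. The group entries are
constructed to look like ldapsearch output from cn=groups,cn=accounts,$SUFFIX.
Assumption used throughout: a UPG carries objectClass mepManagedEntry and a
mepManagedBy attribute naming the owning user, and lacks the ipausergroup /
groupofnames classes that ordinary groups have.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

SUFFIX = "dc=example,dc=test"  # constructed, not a real deployment

# Constructed directory snapshot: user "usera" was given uidNumber 1500, which
# is also the gidNumber of the ordinary group "groupb", so two group entries
# now answer to gidNumber=1500 (exactly the collision Mary describes).
SAMPLE_GROUPS: List[Entry] = [
    {
        "dn": [f"cn=groupb,cn=groups,cn=accounts,{SUFFIX}"],
        "cn": ["groupb"],
        "objectClass": ["top", "groupofnames", "nestedgroup", "ipausergroup",
                        "ipaobject", "posixgroup"],
        "gidNumber": ["1500"],
        "member": [f"uid=alice,cn=users,cn=accounts,{SUFFIX}"],
    },
    {
        "dn": [f"cn=usera,cn=groups,cn=accounts,{SUFFIX}"],
        "cn": ["usera"],
        "objectClass": ["top", "posixgroup", "ipaobject", "mepManagedEntry"],
        "gidNumber": ["1500"],
        "mepManagedBy": [f"uid=usera,cn=users,cn=accounts,{SUFFIX}"],
    },
    {
        # non-POSIX group: no gidNumber at all, so it never matches a gid lookup
        "dn": [f"cn=ipausers,cn=groups,cn=accounts,{SUFFIX}"],
        "cn": ["ipausers"],
        "objectClass": ["top", "groupofnames", "nestedgroup", "ipausergroup",
                        "ipaobject"],
    },
]


def _classes(entry: Entry) -> set:
    return {c.lower() for c in entry.get("objectClass", [])}


def is_private_group(entry: Entry) -> bool:
    """A UPG is whatever the managed entries plugin tagged with mepManagedEntry."""
    return "mepmanagedentry" in _classes(entry)


def gid_filter(gid: int, include_private: bool = False) -> str:
    """LDAP filter to paste into `ldapsearch -b cn=groups,cn=accounts,$SUFFIX`.

    int(gid) is applied so a string from an untrusted caller cannot smuggle
    filter syntax such as "1500)(objectClass=*" into the query.
    """
    terms = f"(objectClass=posixGroup)(gidNumber={int(gid)})"
    if not include_private:
        terms += "(!(objectClass=mepManagedEntry))"
    return f"(&{terms})"


def find_groups_by_gid(entries: List[Entry], gid: int,
                       include_private: bool = False) -> List[str]:
    """Apply the same logic as gid_filter() to already-fetched entries."""
    wanted = str(int(gid))
    hits = []
    for e in entries:
        if "posixgroup" not in _classes(e):
            continue
        if wanted not in e.get("gidNumber", []):
            continue
        if is_private_group(e) and not include_private:
            continue
        hits.append(e["cn"][0])
    return hits


def detach_private_group(entry: Entry) -> Entry:
    """Model (assumption, not FreeIPA's code) of what `ipa group-detach` leaves
    behind: mepManagedEntry and mepManagedBy are dropped and the ordinary group
    object classes are added. Returns a new entry; the input is not modified."""
    if not is_private_group(entry):
        raise ValueError(f"{entry['cn'][0]} is not a private group")
    out = {k: list(v) for k, v in entry.items() if k.lower() != "mepmanagedby"}
    out["objectClass"] = [c for c in out["objectClass"]
                          if c.lower() != "mepmanagedentry"]
    out["objectClass"] += ["ipausergroup", "groupofnames", "nestedgroup"]
    return out


if __name__ == "__main__":
    print(gid_filter(1500))
    print("non-private groups with gid 1500:",
          find_groups_by_gid(SAMPLE_GROUPS, 1500))
    print("all groups with gid 1500:",
          find_groups_by_gid(SAMPLE_GROUPS, 1500, include_private=True))
    # Once usera's UPG is detached it is an ordinary group and the collision
    # can no longer be filtered away; this is why detaching is a one-way door.
    detached = [detach_private_group(e) if e["cn"] == ["usera"] else e
                for e in SAMPLE_GROUPS]
    print("after group-detach:", find_groups_by_gid(detached, 1500))
```

Run as-is it prints the filter `(&(objectClass=posixGroup)(gidNumber=1500)(!(objectClass=mepManagedEntry)))`, returns only groupb for the default lookup, returns both groupb and usera when private groups are included, and returns both again after the UPG is detached, which is the practical reason to treat a gid shared with a UPG as something to avoid rather than to work around.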
Thank you very much for the detailed answer. I think I got a grasp of the concept. It helped a lot! Cheers Mary
freeipa-users@lists.fedorahosted.org