Hello the list,
We imported all our users with uidNumbers from our old LDAP, but their gidNumber was from 4 groups. This caused us issues with users wanting to grant access to personal spaces to one user, but instead granting access to all the members of the group.
To resolve this, when they were imported into FreeIPA we assigned them all new gidNumbers, as reusing their uidNumbers caused a large number of gidNumber clashes as many groups were assigned from the same integer range. So now we have a lot of users with uidNumber 5XXX and gidNumber 5000XXX.
When they log in they see an error like this:
/usr/bin/id: cannot find name for group ID 100019
It's pretty much because their gidNumber != uidNumber
So getting all the name and group details:
[username@ipaserver01:~] $ id username
uid=5807(username) gid=100019 groups=100019,66400035(group1),66400007(group2),66400012(group3),66400044(group4),175321(group5),2075295(group6),66400046(group7)
[username@ipaserver01:~] 2 $ id -g username
100019
[username@ipaserver01:~] $ getent group 5807
username:*:5807:
[username@ipaserver01:~] $ getent group 100019
[username@ipaserver01:~] $
Now, the last part, we can't change their uidNumber. We have a massive filesystem (many terabytes) backed by a tape library (many petabytes) so we need their uidNumber to match that file archived to tape in 1987 and migrated through our tape system upgrades :P
So the question is: can we make it resolve those gidNumbers?
…I could make 2,500 groups for 2,500 users…
Regards,
Aaron
Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. Is that what you mean by creating the groups?
rob
Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. Is that what you mean by creating the groups?
No, it's the gid of the user, so exists only as a private user group.
-----Original Message-----
From: Rob Crittenden [mailto:rcritten@redhat.com]
Sent: Thursday, 7 December 2017 3:59 AM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Aaron Hicks aaron.hicks@nesi.org.nz
Subject: Re: [Freeipa-users] User's personal group not resolving
Aaron Hicks wrote:
Does a group with gidNumber 100019 exist in IPA? It sounds like it doesn't. Is that what you mean by creating the groups?
No, it's the gid of the user, so exists only as a private user group.
If you migrated from another LDAP server then there is no user-private group. You just have a gidNumber value set in their user entry which is why no group appears via nss. You need to create a unique group for each user with a matching gid.
rob
Hi Rob,
We figured out there were a relatively small number of ID clashes between user uids and group gids and have resolved most of them; we're now working on making gidNumber = uidNumber with a Python script calling user-mod via the FreeIPA API. It's looking good in our test environment.
I think, with hindsight, gidNumber != uidNumber is a Bad Idea™ and maybe we should discourage directory administrators from doing it.
Regards,
Aaron
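The repair Aaron describes, as an added example that is not code from this thread or from FreeIPA itself: it models the migrated state Rob diagnosed (a gidNumber set in the user entry that no group entry carries, which is why `getent group 100019` returns nothing and `id` prints "cannot find name for group ID"), flags users whose uidNumber is already the gidNumber of an unrelated group (the clash case), and for everyone else emits the group-add (only when no private group with cn == uid exists) and user-mod calls that set gidNumber = uidNumber. The users and groups below are constructed sample data; in a real run they would come from api.Command.user_find / group_find, and the callables passed to apply_plan would be api.Command.group_add / api.Command.user_mod from ipalib after api.bootstrap / api.finalize / api.Backend.rpcclient.connect(). Those deployment details are assumptions and are not shown here.

```python
"""Plan and apply gidNumber = uidNumber for migrated FreeIPA users.

Added example, not from the thread or from FreeIPA. plan_repair() works on
plain records so it runs offline; apply_plan() takes the IPA commands as
callables so the same plan can be driven by ipalib's api.Command.* objects.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class User:
    uid: str          # login name (FreeIPA attribute 'uid')
    uidnumber: int    # must not change: file ownership on the tape archive
    gidnumber: int    # primary group, possibly pointing at no group entry


@dataclass(frozen=True)
class Group:
    cn: str           # group name
    gidnumber: int


# An action mirrors one api.Command call: (command name, positional args, options)
Action = Tuple[str, Tuple[str, ...], Dict[str, int]]


@dataclass
class RepairPlan:
    # users whose gidNumber matches no group entry ("cannot find name for group ID")
    unresolved: List[User] = field(default_factory=list)
    # (user, group) where the user's uidNumber is already the gid of some
    # *other* group, so gidNumber = uidNumber is not safe until that is resolved
    clashes: List[Tuple[User, Group]] = field(default_factory=list)
    actions: List[Action] = field(default_factory=list)


def plan_repair(users: Iterable[User], groups: Iterable[Group]) -> RepairPlan:
    """Return the group-add / user-mod calls needed to make each user's
    primary gid resolve, skipping users that are already fine and users whose
    uidNumber clashes with an unrelated group."""
    gid_to_group = {g.gidnumber: g for g in groups}
    plan = RepairPlan()
    for u in sorted(users, key=lambda x: x.uidnumber):
        if u.gidnumber in gid_to_group:
            continue  # primary group already resolves via NSS; nothing to do
        plan.unresolved.append(u)
        owner = gid_to_group.get(u.uidnumber)
        if owner is not None and owner.cn != u.uid:
            # Someone else already holds this number; needs a human decision.
            plan.clashes.append((u, owner))
            continue
        if owner is None:
            # NSS can only resolve a gid that some group entry carries, so
            # create one named after the user, as FreeIPA private groups are.
            plan.actions.append(("group_add", (u.uid,), {"gidnumber": u.uidnumber}))
            gid_to_group[u.uidnumber] = Group(u.uid, u.uidnumber)
        # Only gidNumber is rewritten; uidNumber is left exactly as migrated.
        plan.actions.append(("user_mod", (u.uid,), {"gidnumber": u.uidnumber}))
    return plan


def apply_plan(plan: RepairPlan, commands: Dict[str, Callable]) -> list:
    """Run the plan. `commands` maps "group_add"/"user_mod" to callables with
    the ipalib signature cmd(name, **options); in production that would be
    {"group_add": api.Command.group_add, "user_mod": api.Command.user_mod}
    (assumed, not exercised here). Returns each call's result in order."""
    return [commands[name](*args, **opts) for name, args, opts in plan.actions]


if __name__ == "__main__":
    # Constructed sample directory state modelled on the thread:
    # alice has a private group with her uidNumber but an orphan gidNumber,
    # bob has no group at all for his uidNumber, carol is already fine,
    # dave's uidNumber is owned by an unrelated legacy group (a clash).
    sample_users = [User("alice", 5807, 100019), User("bob", 5808, 100020),
                    User("carol", 5809, 66400035), User("dave", 5810, 100021)]
    sample_groups = [Group("alice", 5807), Group("group1", 66400035), Group("legacy", 5810)]
    p = plan_repair(sample_users, sample_groups)
    for name, args, opts in p.actions:
        print(f"ipa {name.replace('_', '-')} {args[0]} --gid={opts['gidnumber']}")
    for u, g in p.clashes:
        print(f"CLASH: {u.uid} uidNumber {u.uidnumber} is gid of group {g.cn}")
```

Note that this only ever rewrites gidNumber, never uidNumber, which is what the tape-archive constraint earlier in the thread requires. Two follow-ups a practitioner would want: the clash list is the set of users that still needs a manual decision about who keeps the number, and any files a user created while the primary gid was the unresolvable one (100019 in the thread) still carry that numeric group on disk and will not resolve by name afterwards, so a `find -gid` pass over the filesystem is the next step.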
-----Original Message-----
From: Rob Crittenden [mailto:rcritten@redhat.com]
Sent: Thursday, 7 December 2017 9:54 AM
To: Aaron Hicks aaron.hicks@nesi.org.nz; 'FreeIPA users list' freeipa-users@lists.fedorahosted.org
Subject: Re: [Freeipa-users] User's personal group not resolving
freeipa-users@lists.fedorahosted.org