[Freeipa-users] deleted ipa admin groups

Rob Crittenden rcritten at redhat.com
Thu Apr 25 18:16:49 UTC 2013


Sylvain Angers wrote:
>
> Hello
> Someone deleted the admin group by mistake; how can we recover from
> this? No one can change passwords, nor is any other admin task allowed. But we have the Directory Server password.
>
>
> the remaining group is "ipausers" and we had only the default group
>
>
> Please, any help will be appreciated.
>

We prevent this in newer versions.

This is untested so YMMV.

Try putting this into an LDIF. Change example.com and replace <UID> with 
the UID of the old group if you can. If you don't have it then use 999 
and a new one should be assigned.

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
cn: admins
description: Account administrators group
member: uid=admin,cn=users,cn=accounts,dc=example,dc=com
gidNumber: <UID>

# ldapadd -x -D 'cn=Directory Manager' -W < /path/to/ldif

You may also need to fix up some delegations. You can use ipa-show --all 
--raw on these privileges to see if admins is a member; I doubt it is. 
You want to look at:

Replication Administrators
Host Enrollment
Unlock user accounts
Manage service keytab

If not, add it using something like this for each privilege:

# ldapmodify -x -D 'cn=Directory Manager' -w password
dn: cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=com
changetype: modify
add: member
member: cn=admins,cn=groups,cn=accounts,dc=example,dc=com

^D

rob
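As an added example (not code from the thread or from FreeIPA) of the membership check described in the reply above: parse the member attribute of the four listed privileges out of captured ldapsearch output and generate the ldapmodify LDIF that re-adds the admins group only where it is missing. The domain, the DNs and the sample search output are constructed placeholders.

```python
import re

# Constructed values: domain and DNs are placeholders, not from the thread.
BASE = "dc=example,dc=com"
ADMINS_DN = f"cn=admins,cn=groups,cn=accounts,{BASE}"
PRIVILEGES = ["Replication Administrators", "Host Enrollment",
              "Unlock user accounts", "Manage service keytab"]

# Constructed sample of what an ldapsearch over cn=privileges,cn=pbac
# returning only the member attribute might show after the deletion.
SAMPLE_SEARCH = f"""dn: cn=Replication Administrators,cn=privileges,cn=pbac,{BASE}
member: cn=admins,cn=groups,cn=accounts,{BASE}

dn: cn=Host Enrollment,cn=privileges,cn=pbac,{BASE}

dn: cn=Unlock user accounts,cn=privileges,cn=pbac,{BASE}
member: cn=helpdesk,cn=groups,cn=accounts,{BASE}

dn: cn=Manage service keytab,cn=privileges,cn=pbac,{BASE}
"""

def parse_ldif_entries(text):
    """Return {dn: {attr: [values]}} from LDIF output; unfolds continuation lines."""
    entries = {}
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            attrs.setdefault(attr.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def privileges_missing_admins(search_output):
    """DNs of the four privileges whose member list lacks the admins group."""
    entries = parse_ldif_entries(search_output)
    missing = []
    for name in PRIVILEGES:
        dn = f"cn={name},cn=privileges,cn=pbac,{BASE}"
        members = [m.lower() for m in entries.get(dn, {}).get("member", [])]
        if ADMINS_DN.lower() not in members:
            missing.append(dn)
    return missing

def modify_ldif(dns):
    """LDIF to feed to ldapmodify (as Directory Manager) re-adding admins to each DN."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: member\nmember: {ADMINS_DN}\n"
                     for dn in dns)

if __name__ == "__main__":
    print(modify_ldif(privileges_missing_admins(SAMPLE_SEARCH)))
```

The printed LDIF can be piped into the ldapmodify invocation shown in the reply; privileges that still list admins are left alone.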