[Freeipa-users] Groups

Simo Sorce simo at redhat.com
Wed Oct 7 02:06:19 UTC 2015


On 06/10/15 13:14, Rob Crittenden wrote:
> Sean Hogan wrote:
>> Hello,
>>
>> I have been rolling out an IPA deployment for IBM Watson for the past 3
>> months. Initially I did not want to take on application IDs (Linux OS
>> IDs owning apps). I now have to, so I have created the accounts in IPA;
>> however, new files created by user wdadeploy are being created with
>> wdadeploy:wdadeploy where the app team wants new files owned by
>> wdadeploy:wdaadmins. Is there a way to accomplish this? I wanted the
>> application IDs to stay local but they want to see if this works.
>
> By default IPA creates users with a user-private group. This is a POSIX
> group that cannot have members with the same name as the user (and the
> UID and GID will match).
>
> SSSD gets the primary group from the GID attribute in the user so you
> have a couple of options that I can see:
>
> 1. Modify the user to set the GID to the GID of wdaadmins
> 2. 1. and also detach the private group from the user since it isn't
> being used any more (and you can delete it if you know you'll never use
> it). Note that once detached it can never be re-attached (or not via any
> IPA-provided tools anyway).
>
> Now strictly speaking I don't think that wdadeploy needs to be a member
> of wdaadmins for this to work but that would probably be quite confusing
> in the long-run.
>
> Use the id command to confirm that the gid resolves to wdaadmins.

Another option is to keep stuff as it is in IPA and use file system 
default ACLs so that wdaadmins get read/write or whatever access on the 
files wdadeploy creates.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York