Hi all,
Working on NFS access for local system accounts, I found that one NFS client was only able to use a primary group to gain access to an NFS share via group privileges, and not a secondary group.
But now, I’ve run into an issue where I need to grant others access to the same files, and their use of secondary group membership isn’t a problem. So now I’m considering if I can change the private group to a normal group and still have it as the primary group for the system account.
I don’t want to have to change the group ownership of 10TB of files and folders again as this takes a long time. So the gid must ideally stay the same. Can I:
- Change the group type, so it shows up in the IPA GUI and add another group to it.
- Delete the private group and recreate it as a normal group with the same gid and name?
Or am I screwed and need to remove the user and group and recreate them from scratch?
Thanks, Djerk Geurts
On the cli you can do: ipa group-detach <group>
There is no equivalent attach command to convert a non-private group into a private one (except a toy I made on my blog).
rob
Is detaching all I need to do?
Yes.
It removes the MEP entries from the group and the user, which is what attaches them, and adds the appropriate objectclasses to the group so it can contain members.
rob
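A way to confirm the two things that matter in this thread after `ipa group-detach <group>`: the gid is unchanged and the managed-entry (MEP) link is gone. This is an added example, not part of the original messages; it compares `ipa group-show <group> --all --raw` output captured before and after the detach. The sample output, group name, gid, DN and the objectclass lists shown are constructed assumptions.

```shell
#!/bin/sh
# Added example: compare `ipa group-show <group> --all --raw` output captured
# before and after `ipa group-detach <group>`.

# Print the value(s) of one attribute; attribute names match case-insensitively.
attr_values() {  # usage: printf '%s\n' "$raw" | attr_values <attr>
    awk -v want="$1" '{
        line = $0; sub(/^[ \t]+/, "", line)
        i = index(line, ": ")
        if (i && tolower(substr(line, 1, i - 1)) == tolower(want))
            print substr(line, i + 2)
    }'
}

# Succeeds while the entry still carries the managed-entry (MEP) link.
is_private_group() {  # $1 = raw group-show output
    printf '%s\n' "$1" | attr_values objectClass | grep -qix 'mepManagedEntry' && return 0
    [ -n "$(printf '%s\n' "$1" | attr_values mepManagedBy)" ]
}

# Succeeds only if the gid is unchanged and the MEP link is gone.
check_detach() {  # $1 = output before detach, $2 = output after
    gid_before=$(printf '%s\n' "$1" | attr_values gidNumber)
    gid_after=$(printf '%s\n' "$2" | attr_values gidNumber)
    if [ -z "$gid_before" ] || [ "$gid_before" != "$gid_after" ]; then
        echo "FAIL: gid changed ($gid_before -> $gid_after)"; return 1
    fi
    if is_private_group "$2"; then
        echo "FAIL: group still carries MEP attributes"; return 1
    fi
    echo "OK: gid $gid_after kept, MEP link removed"
}

# Constructed sample output: name, gid, DN and objectclass lists are assumptions.
BEFORE='  cn: svcacct
  gidnumber: 871200005
  mepManagedBy: uid=svcacct,cn=users,cn=accounts,dc=example,dc=test
  objectClass: posixgroup
  objectClass: mepManagedEntry'
AFTER='  cn: svcacct
  gidnumber: 871200005
  objectClass: posixgroup
  objectClass: ipausergroup
  objectClass: nestedgroup
  objectClass: groupofnames'

check_detach "$BEFORE" "$AFTER"
```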
Hi Rob,
Thank you, that was easy and pain free. Much obliged!
Thanks, Djerk
freeipa-users@lists.fedorahosted.org