On Thu, 2019-05-16 at 22:30 +0000, Jim Rice via FreeIPA-users wrote:
> I have a host (lucee) and a user (ricky).
> I want to allow ricky to modify files on lucee owned by a group (admins).
> How is this accomplished using the freeIPA server?
You create a POSIX group on the FreeIPA server and assign the user to
> I tried adding the host, and the user, then created a user group and
> added the user to it.
> The user group was added to the host.
Hosts are irrelevant for user groups.
> The user is able to login to the host, but is not able to modify
> group owned files,
> and the group admins does not show up in his id ...
> uid=158600004(ricky) gid=158600004(ricky) groups=158600004(ricky),158600005(devops)
Did you log out and then log in again?
Group memberships are set on the parent process (shell) at login time
and never changed for the duration of a session.
> There is an entry in the local /etc/group file:
> Is this the wrong approach?
You "can" use a local group, but if you want the same group on all
hosts then you should create such group on the server.
If you do want the group only on that host then you do not need to
create anything on the IPA server. You still need to logout and login
again whenever you change anything about the user or the groups.
> When the User Group is being added, there is a Group Type selection.
> What is the difference between Non-POSIX, External, and POSIX?
Non-POSIX is just an organizational group in FreeIPA, it won't show up
as a group on hosts. You can use it for HBAC rules for example so that
you do not pollute the hosts with groups that never are used for file
External groups are special glue groups used to get users from trusted
AD domains into IPA groups.
POSIX groups are the groups used to grant file access on hosts, as they
have a GID number.
> Would I need to set the GID to 2000 in freeIPA, or something else?
If you have pre-existing files and do not want to chgrp to change the
GID everywhere then yes you would do that, assuming you want the group
to be domain wide as mentioned above.
> (Actually, if you select External, the GID becomes grayed out.)
> I can't seem to find any documentation on how to set this up.
Sr. Principal Software Engineer
Red Hat, Inc
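The procedure the reply describes (create a POSIX group on the IPA server with the GID the host already uses, add the user to it, then refresh or re-login on the host before checking id), as an added example that is not part of this thread or of the FreeIPA project. It assumes the ipa and sss_cache CLIs are installed and that an admin Kerberos ticket exists (kinit admin); the function names and the "apply" argument are my own, and the sample id line and /etc/group text are constructed, so the dry-run path works without a server.

```shell
#!/bin/sh
# Added example (not from the thread): set up the domain-wide POSIX group the
# reply describes and check the result on the host. Assumed: the ipa and
# sss_cache CLIs are installed, and an admin Kerberos ticket exists (kinit admin).
# Names follow the thread (host lucee, user ricky, group admins).

GROUP=admins
USER_NAME=ricky
DEFAULT_GID=2000   # assumption: the GID of the host's existing local admins group

# Print the GID of group $2 from /etc/group-formatted text $1 (name:x:gid:members),
# or nothing if the group is not listed there.
local_group_gid() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $3 }'
}

# Return 0 if group $2 appears in the groups= list of `id` output $1, else 1.
# `id` with no arguments shows the credentials of the running shell, which are
# fixed at login; `id ricky` asks NSS/SSSD and reflects the server after a
# cache refresh.
id_has_group() {
    printf '%s\n' "$1" | sed 's/^.*groups=//' | tr ',' '\n' | grep -qx "[0-9]*($2)"
}

# On the IPA server (or any enrolled host with an admin ticket): create the
# POSIX group with an explicit GID so files already owned by that GID stay
# accessible, and add the user to it.
create_posix_group() {
    ipa group-add "$1" --gid="$2" --desc="domain-wide admins" &&
    ipa group-add-member "$1" --users="$3"
}

# A non-POSIX group for HBAC rules only; it gets no GID and never shows up in id.
create_hbac_only_group() {
    ipa group-add "$1" --nonposix --desc="HBAC only, not for file ownership"
}

# On the host: drop the SSSD cache entries so `id ricky` shows the new group
# right away. Sessions that are already open still need a logout/login.
refresh_host_cache() {
    sss_cache -u "$1"
    sss_cache -g "$2"
}

# Constructed samples (not captured from lucee): the id line from the thread
# and a local /etc/group entry for admins with GID 2000.
SAMPLE_ID='uid=158600004(ricky) gid=158600004(ricky) groups=158600004(ricky),158600005(devops)'
SAMPLE_ETC_GROUP='root:x:0:
admins:x:2000:ricky
devops:x:2001:'

if [ "${1:-}" = "apply" ]; then
    # Reuse the local GID if the host already has one, else fall back to 2000.
    gid=$(local_group_gid "$(cat /etc/group)" "$GROUP")
    create_posix_group "$GROUP" "${gid:-$DEFAULT_GID}" "$USER_NAME"
    refresh_host_cache "$USER_NAME" "$GROUP"
    id "$USER_NAME"
else
    # Dry run on the samples: the local GID we would reuse, and a check that
    # the id output from the thread does not contain admins yet.
    echo "local GID for $GROUP: $(local_group_gid "$SAMPLE_ETC_GROUP" "$GROUP")"
    if id_has_group "$SAMPLE_ID" "$GROUP"; then
        echo "$USER_NAME already has $GROUP"
    else
        echo "$USER_NAME does not have $GROUP yet; log out and back in after the change"
    fi
fi
```

Run it with no arguments for the offline dry run, or with `apply` on an enrolled host holding an admin ticket. After `apply`, `id ricky` from a fresh shell should list admins; a shell that was already open keeps the old group list until the user logs in again.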