Assuming it's fairly chaotic across your systems. You may just need to
brute-force it. Before adding to IPA, you'll just need to map
oldGID->newGID, then do something like find/exec/chown. You can do the same
with groups. If you want to get fancier, have the script do the mapping.
On Wed, Oct 23, 2019 at 8:14 PM Jason Dunham <jwdunham(a)gmail.com> wrote:
Oh yes, it's clear, but I just don't know if I'm setting
myself up for
problems if I set a freeipa gid or uid to a value that already existed on
the host before it was turned into a freeipa client. That's already a
problem with my users since they have different uids on the hosts if they
were useradd-ed in a different order. However I'm sure that if I just
change uids in the /etc/passwd file to match freeipa then all the existing
file ownerships will be messed up.
I was hoping there is a standard way to deal with this and that I just
didn't find the right page in the docs.
On Wed, Oct 23, 2019 at 2:37 PM John Duino <jduino(a)oblong.com> wrote:
> You can specify the GID when you create user groups in freeIPA.
> In the GUI it's very clear (Group name[required], Description, Group
> Type, GID).
> CLI it's something like # ipa group-add <group name> --gid=<GID>
>
> On Wed, Oct 23, 2019 at 3:12 PM Jason Dunham via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> Hi I'm trying to figure out the best practice for groups on my client
>> servers.
>> I have several computation workstation hosts that have been added as
>> freeipa clients, and several engineers who want to run docker on them
>> Members of the 'docker' group (gid=999 on some machines, for example)
>> can run docker without needing sudo, which is what I want to roll out to
>> all machines. Ideally this would be managed from freeipa with LDAP groups,
>> and so anyone in the 'engineers' group should also be a member of the
>> 'docker' group.
>>
>> When I create a 'docker' group on freeIPA it will have some other gid
>> and the client sees that.
>> Should I just delete the original docker group from my hosts and let it
>> get it from ldap, or should I go into /etc/group and change the gid to the
>> one that matches the right ldap gid, or preferably something easier than
>> that?
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>
>