Thanks,
That was the problem.
[root@ipa01 ~]# ipa automember-default-group-show
Grouping Type: group
Default (fallback) Group: cn=admins,cn=groups,cn=accounts,dc=m451,dc=tech
[root@ipa01 ~]
Removed that and problem has been fixed.
Thanks much!
On Fri, Jun 2, 2017 at 11:20 AM, <wouter.hummelink(a)kpn.com> wrote:
Look at automember rules.
Sent from my Samsung device
-------- Original message --------
From: Devin Acosta via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Date: 02-06-17 20:13 (GMT+01:00)
To: Rob Crittenden <rcritten(a)redhat.com>
Cc: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>, Devin
Acosta <linuxguru.co(a)gmail.com>
Subject: [Freeipa-users] Re: FreeIPA (adding all new users to admin
group by default?)
Rob,
That is what confuses me: I show that the default users group is
"ipausers", however, when I added an account, which I just tested, it was added to
the admins group. Anything else that could be making it add it to the "admin"
group?
[root@ipa01 ~]# ipa config-show
Maximum username length: 32
Home directory base: /home
Default shell: /bin/bash
* Default users group: ipausers*
Default e-mail domain: m451.tech
Search time limit: 2
Search size limit: -1
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=M451.TECH
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: nfs:NONE, MS-PAC
[root@ipa01 ~]# ipa user-add testuser-devin
First name: Devin
Last name: Acosta
---------------------------
Added user "testuser-devin"
---------------------------
User login: testuser-devin
First name: Devin
Last name: Acosta
Full name: Devin Acosta
Display name: Devin Acosta
Initials: DA
Home directory: /home/testuser-devin
GECOS: Devin Acosta
Login shell: /bin/bash
Principal name: testuser-devin(a)M451.TECH
Principal alias: testuser-devin(a)M451.TECH
Email address: testuser-devin(a)m451.tech
UID: 34375527
GID: 34375527
Password: False
*Member of groups: ipausers, admins*
Roles: IT Security Specialist, sec_netops2, helpdesk, IT Specialist,
User Administrator, Security Architect, ipa_join
Indirect Member of role: ipa_join, helpdesk, IT Security Specialist,
sec_netops2, IT Specialist, Security Architect, User Administrator
Kerberos keys available: False
On Fri, Jun 2, 2017 at 11:02 AM, Rob Crittenden <rcritten(a)redhat.com>
wrote:
> Devin Acosta via FreeIPA-users wrote:
> >
> > I am hoping to see if someone can tell me what I either need to change
> > or update to get it so that FreeIPA doesn't automatically keep adding
> > all new users that are created automatically to the admin group. I
> > inherited this installation of FreeIPA and so far haven't been able to
> > figure out what either got changed or how to disable this behavior? I am
> > running the latest FreeIPA 4.4 on CentOS 7.3.
> >
> > Any help would be greatly appreciated.
>
> Probably the default users group. Try:
>
> $ kinit admin
> $ ipa config-show |grep 'Default users group'
>
> Can be changed using:
>
> $ ipa config-mod --defaultgroup ipausers
>
> You can probably do this in the UI as well but I'm a CLI guy.
>
> rob
>
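
The check that resolved this thread, as an added example (not part of the original messages and not FreeIPA's own tooling): it parses the output of `ipa config-show` and `ipa automember-default-group-show` and flags a privileged group configured as either the default users group or the automember fallback group. The function names and the `PRIVILEGED_GROUPS` list are assumptions; the sample text is taken from the output quoted in the thread.

```shell
#!/bin/sh
# Groups that must never be assigned to every new user (assumed list; extend as needed).
PRIVILEGED_GROUPS="admins"

# Print the group named on the first "<label>: value" line read from stdin.
# The value may be a bare cn (ipausers) or a full DN (cn=admins,cn=groups,...).
group_from_line() {  # $1 = label text as printed by ipa
    sed -n "s/^[ *]*$1:[[:space:]]*//p" | head -n 1 |
        sed -e 's/^cn=//' -e 's/,.*$//' -e 's/[ *]*$//'
}

is_privileged() {  # $1 = group name
    for g in $PRIVILEGED_GROUPS; do
        [ "$1" = "$g" ] && return 0
    done
    return 1
}

# $1 = output of "ipa config-show"
# $2 = output of "ipa automember-default-group-show --type=group"
# Returns non-zero if either default would place new users in a privileged group.
audit_defaults() {
    rc=0
    users_group=$(printf '%s\n' "$1" | group_from_line 'Default users group')
    fallback=$(printf '%s\n' "$2" | group_from_line 'Default (fallback) Group')
    for pair in "config-show:$users_group" "automember-fallback:$fallback"; do
        src=${pair%%:*}; grp=${pair#*:}
        if [ -n "$grp" ] && is_privileged "$grp"; then
            echo "FAIL $src: new users land in privileged group '$grp'"
            rc=1
        else
            echo "ok   $src: ${grp:-<none>}"
        fi
    done
    return $rc
}

# Sample input reproduced from the thread, so the check runs offline.
SAMPLE_CONFIG='  Default shell: /bin/bash
  Default users group: ipausers'
SAMPLE_AUTOMEMBER='  Grouping Type: group
  Default (fallback) Group: cn=admins,cn=groups,cn=accounts,dc=m451,dc=tech'

# On a live server (after kinit admin):
#   audit_defaults "$(ipa config-show)" "$(ipa automember-default-group-show --type=group)"
audit_defaults "$SAMPLE_CONFIG" "$SAMPLE_AUTOMEMBER" ||
    echo "-> clear it with: ipa automember-default-group-remove --type=group"
```
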