I am hoping to see if someone can tell me what I either need to change or update to get it so that FreeIPA doesn't automatically keep adding all new users that are created automatically to the admin group. I inherited this installation of FreeIPA and so far haven't been able to figure out what either got changed or how to disable this behavior? I am running the latest FreeIPA 4.4 on CentOS 7.3.
Any help would be greatly appreciated.
Devin Acosta
Devin Acosta via FreeIPA-users wrote:
I am hoping to see if someone can tell me what I either need to change or update to get it so that FreeIPA doesn't automatically keep adding all new users that are created automatically to the admin group. I inherited this installation of FreeIPA and so far haven't been able to figure out what either got changed or how to disable this behavior? I am running the latest FreeIPA 4.4 on CentOS 7.3.
Any help would be greatly appreciated.
Probably the default users group. Try:
$ kinit admin
$ ipa config-show | grep 'Default users group'
Can be changed using:
$ ipa config-mod --defaultgroup ipausers
You can probably do this in the UI as well but I'm a CLI guy.
rob
Rob,
That is what confuses me, I show that the default users group is "ipausers", however when I added an account which I just tested it added to admins group. Anything else that could be making it add it to the "admin" group?
[root@ipa01 ~]# ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  *Default users group: ipausers*
  Default e-mail domain: m451.tech
  Search time limit: 2
  Search size limit: -1
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=M451.TECH
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC

[root@ipa01 ~]# ipa user-add testuser-devin
First name: Devin
Last name: Acosta
---------------------------
Added user "testuser-devin"
---------------------------
  User login: testuser-devin
  First name: Devin
  Last name: Acosta
  Full name: Devin Acosta
  Display name: Devin Acosta
  Initials: DA
  Home directory: /home/testuser-devin
  GECOS: Devin Acosta
  Login shell: /bin/bash
  Principal name: testuser-devin@M451.TECH
  Principal alias: testuser-devin@M451.TECH
  Email address: testuser-devin@m451.tech
  UID: 34375527
  GID: 34375527
  Password: False
  *Member of groups: ipausers, admins*
  Roles: IT Security Specialist, sec_netops2, helpdesk, IT Specialist, User Administrator, Security Architect, ipa_join
  Indirect Member of role: ipa_join, helpdesk, IT Security Specialist, sec_netops2, IT Specialist, Security Architect, User Administrator
  Kerberos keys available: False
Look at automember rules.
-------- Original message --------
From: Devin Acosta via FreeIPA-users freeipa-users@lists.fedorahosted.org
Date: 02-06-17 20:13 (GMT+01:00)
To: Rob Crittenden rcritten@redhat.com
Cc: FreeIPA users list freeipa-users@lists.fedorahosted.org, Devin Acosta linuxguru.co@gmail.com
Subject: [Freeipa-users] Re: FreeIPA (adding all new users to admin group by default?)
Thanks,
That was the problem.
[root@ipa01 ~]# ipa automember-default-group-show
  Grouping Type: group
  Default (fallback) Group: cn=admins,cn=groups,cn=accounts,dc=m451,dc=tech
[root@ipa01 ~]
Removed that and problem has been fixed.
Thanks much!
On Fri, Jun 2, 2017 at 11:20 AM, wouter.hummelink@kpn.com wrote:
Look at automember rules.
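A check for the misconfiguration found in this thread, as an added example that is not part of the original messages: it parses `ipa` CLI output to flag a privileged automember fallback group and to list accounts that already landed in admins. The function names, `PRIVILEGED_GROUPS`, `EXPECTED_ADMINS` and the second sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks over `ipa` CLI output.
# Groups that must never be an automember fallback (assumption: extend per site).
PRIVILEGED_GROUPS="admins"
# Accounts expected in admins (assumption: site-specific allow-list).
EXPECTED_ADMINS="admin"

# Print the lower-cased cn of the fallback group found in
# `ipa automember-default-group-show` output on stdin; empty when none is set.
fallback_group_cn() {
    sed -n 's/^[[:space:]]*Default (fallback) Group:[[:space:]]*[cC][nN]=\([^,]*\),.*$/\1/p' |
        tr '[:upper:]' '[:lower:]'
}

# Return 1 when the fallback group is privileged, 0 otherwise.
check_fallback() {
    cn=$(fallback_group_cn)
    for g in $PRIVILEGED_GROUPS; do
        if [ "$cn" = "$g" ]; then
            echo "RISK: new users matching no automember rule are added to '$cn'"
            return 1
        fi
    done
    echo "OK: fallback group is '${cn:-<none>}'"
}

# Print users on the "Member users:" line of `ipa group-show admins` output
# (stdin) that are not in EXPECTED_ADMINS. Removing the fallback does not undo
# memberships that were already granted, so these need manual review.
unexpected_admins() {
    sed -n 's/^[[:space:]]*Member users:[[:space:]]*//p' | tr ',' '\n' |
        while read -r u; do
            [ -n "$u" ] || continue
            case " $EXPECTED_ADMINS " in *" $u "*) ;; *) echo "$u" ;; esac
        done
}

# Samples: the first is the output quoted in the thread, the second is constructed.
SAMPLE_FALLBACK='  Grouping Type: group
  Default (fallback) Group: cn=admins,cn=groups,cn=accounts,dc=m451,dc=tech'
SAMPLE_ADMINS='  Group name: admins
  Member users: admin, testuser-devin'

printf '%s\n' "$SAMPLE_FALLBACK" | check_fallback || true
printf '%s\n' "$SAMPLE_ADMINS" | unexpected_admins

# Live use (needs a Kerberos ticket, e.g. kinit admin):
#   ipa automember-default-group-show --type=group | check_fallback
#   ipa group-show admins | unexpected_admins
```

The fallback itself is cleared with `ipa automember-default-group-remove --type=group`, and each account reported by `unexpected_admins` is taken out with `ipa group-remove-member admins --users=<login>`.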