On Red Hat Enterprise Linux systems, every time a user is created, a corresponding, secret user group is automatically created with that new user as its only member. This is a user private group. Using user private groups makes it simpler and safer to manage file and directory permissions because umask defaults only have to restrict user access, not group access.
When a new user is created in the IdM domain, it is also created with a corresponding private group, following the Red Hat Enterprise Linux convention. For most environments, this is an acceptable default behavior, but there may be certain users or types of users that do not require a private group, or the environment may already have those GIDs assigned to NIS groups or other system groups.
9.8.1. Listing User Private Groups
User private groups are specific to a single user and are only used by the system. They are private, so they are not viewable in the IdM UI. However, not every user has a private group, depending on the options when a user is created, so it can be useful to get a list of configured private groups within the IdM user domain. Private groups can be searched and listed by using the --private option with the group-find command. For example:
[root@server ~]# ipa group-find --private
1 group matched
Group name: jsmith
Description: User private group for jsmith
Number of entries returned 1
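One way to act on this list, as an added example that is not part of the original documentation: a shell helper that parses saved `ipa group-find --private` output and reports which logins have no private group. The function names, the logins and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report IdM logins that have no user private group (UPG).
# Real use: ipa group-find --private > upg.txt, then pass upg.txt and the logins.

# Print one private group name per line from `ipa group-find --private`
# output on stdin (leading/trailing whitespace stripped, duplicates removed).
upg_names() {
    sed -n 's/^[[:space:]]*Group name:[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' | sort -u
}

# users_without_upg FILE LOGIN...
# FILE holds saved `ipa group-find --private` output.
# Prints every LOGIN that has no private group of the same name.
users_without_upg() {
    upg_file=$1; shift
    upg_list=$(upg_names < "$upg_file")
    for login in "$@"; do
        # -x whole line, -F literal: "jsmith" must not match "jsmith2"
        printf '%s\n' "$upg_list" | grep -qxF -- "$login" \
            || printf '%s\n' "$login"
    done
}

# Constructed sample output: jsmith and jsmith2 have private groups.
sample_upg_output() {
    cat <<'EOF'
2 groups matched
  Group name: jsmith
  Description: User private group for jsmith

  Group name: jsmith2
  Description: User private group for jsmith2
Number of entries returned 2
EOF
}

# Demo: svc_backup (constructed login, added with --noprivate) is reported.
demo_file=$(mktemp)
sample_upg_output > "$demo_file"
users_without_upg "$demo_file" jsmith svc_backup jsmith2
rm -f "$demo_file"
```

Any login this reports depends on an explicitly assigned GID rather than a private group, so its primary group membership is worth reviewing.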
9.8.2. Disabling Private Groups for a Specific User
Private group creation can be disabled when a user is created by using the --noprivate option.
There is one thing to note when adding a user without a private group: the Linux system still expects a user GID for the new user. However, the one default user group is a non-POSIX group and, therefore, does not have an associated GID. So that the add operation does not fail, it is necessary either to set an explicit user GID with the --gid option or to create a group with a GID and add the user to that group using an automembership rule (covered in Chapter 25, Policy: Defining Automatic Group Membership for Users and Hosts).
[jsmith@server ~]$ ipa user-add jsmith --first=John --last=Smith --noprivate --gid 10000
9.8.3. Disabling Private Groups Globally
User private groups are managed through the Managed Entries Plug-in in 389 Directory Server. This plug-in can be disabled, which effectively disables private group creation for all new users.
This is done using the ipa-managed-entries command. First, use it to list possible Managed Entries Plug-in definitions. By default, there are two, one for new users (UPG) and one for netgroups (NGP).
[root@ipaserver ~]# ipa-managed-entries --list -p DMpassword
Available Managed Entry Definitions:
Disable the desired Managed Entries Plug-in instance. For example:
[root@ipaserver ~]# ipa-managed-entries -e "UPG Definition" -p DMpassword disable
Restart the 389 Directory Server to load the new plug-in configuration.
[root@ipaserver ~]# service dirsrv restart
Managed Entries Plug-in instances can be re-enabled with the