9.8. Managing User Private Groups

On Red Hat Enterprise Linux systems, every time a user is created, a corresponding, secret user group is automatically created with that new user as its only member. This is a user private group. Using user private groups makes it simpler and safer to manage file and directory permissions because umask defaults only have to restrict user access, not group access.
When a new user is created in the IdM domain, it is also created with a corresponding private group, following the Red Hat Enterprise Linux convention. For most environments, this is an acceptable default behavior, but there may be certain users or types of users which do not require a private group or the environment may already have those GIDs[3] assigned to NIS groups or other system groups.

9.8.1. Listing User Private Groups

User private groups are specific to a single user and are only used by the system. They are private, so they are not viewable in the IdM UI. However, not every user has a private group, depending on the options when a user is created, so it can be useful to get a list of configured private groups within the IdM user domain. Private groups can be searched and listed by using the --private option with the group-find command. For example:
[root@server ~]# ipa group-find --private
1 group matched
  Group name: jsmith
  Description: User private group for jsmith
  GID: 1084600001
Number of entries returned 1

9.8.2. Disabling Private Groups for a Specific User

Private group creation can be disabled when a user is created by using the --noprivate option.
There is one thing to note when adding a user without a private group: the Linux system still expects a user GID for the new user. However, the one default user group (ipausers) is a non-POSIX group and, therefore, does not have an associated GID. So that the add operation does not fail, it is necessary either to set an explicit user GID with the --gid option or to create a group with a GID and add the user to that group using an automembership rule (covered in Chapter 25, Policy: Defining Automatic Group Membership for Users and Hosts).
[jsmith@server ~]$ ipa user-add jsmith --first=John --last=Smith --noprivate --gid 10000

9.8.3. Disabling Private Groups Globally

User private groups are managed through the Managed Entries Plug-in in 389 Directory Server. This plug-in can be disabled, which effectively disables private group creation for all new users.
This is done using the ipa-managed-entries command.
  1. Use the ipa-managed-entries command to list possible Managed Entries Plug-in definitions. By default, there are two, one for new users (UPG) and one for netgroups (NGP).
    [root@ipaserver ~]# ipa-managed-entries --list -p DMpassword
    Available Managed Entry Definitions:
    UPG Definition
    NGP Definition
  2. Disable the desired Managed Entries Plug-in instance. For example:
    [root@ipaserver ~]# ipa-managed-entries -e "UPG Definition" -p DMpassword disable
    Disabling Plugin
  3. Restart the 389 Directory Server to load the new plug-in configuration.
    [root@ipaserver ~]# service dirsrv restart
Managed Entries Plug-in instances can be re-enabled with the enable option.

[3] See Section 9.9, “Managing Unique UID and GID Number Assignments” for information on changing GID/UID assignment ranges.