13.4. Disabling User Private Groups
To ensure that IdM does not create a default user private group for a new user, choose one of the following:
Even after you disable creating default user private groups, IdM will still require a GID when adding new users. To ensure that adding the user succeeds, see Section 13.4.3, “Adding a User with User Private Groups Disabled”.
If you want to disable creating default user private groups because of GID conflicts, consider changing the default UID and GID assignment ranges. See Chapter 14, Unique UID and GID Number Assignments.
13.4.1. Creating a User without a User Private Group
Add the --noprivate option to the ipa user-add command. Note that for the command to succeed, you must specify a custom private group. See Section 13.4.3, “Adding a User with User Private Groups Disabled”.
13.4.2. Disabling User Private Groups Globally for All Users
- Log in as the administrator:
$ kinit admin
- IdM uses the Directory Server Managed Entries Plug-in to manage user private groups. List the instances of the plug-in:
$ ipa-managed-entries --list
- To ensure IdM does not create user private groups, disable the plug-in instance responsible for managing user private groups:
$ ipa-managed-entries -e "UPG Definition" disable
Disabling Plugin
Note: To re-enable the UPG Definition instance later, use the ipa-managed-entries -e "UPG Definition" enable command.
- Restart Directory Server to load the new configuration.
# systemctl restart dirsrv.target
13.4.3. Adding a User with User Private Groups Disabled
To make sure adding a new user succeeds when creating default user private groups is disabled, choose one of the following:
- Specify a custom GID when adding a new user. The GID does not have to correspond to an already existing user group. For example, when adding a user from the command line, add the --gid option to the ipa user-add command.
- Use an automember rule to add the user to an existing group with a GID. See Section 13.6, “Defining Automatic Group Membership for Users and Hosts”.
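The choice of ipa user-add options across Sections 13.4.1 to 13.4.3, written as a shell wrapper that refuses to add a user without a GID when user private groups are disabled. This is an added example, not part of the IdM documentation or tooling: the function names upg_enabled and add_user, the IPA and IPA_MANAGED_ENTRIES override variables, and the exact "Plugin Enabled" text printed by the status action are assumptions. It covers the --gid option only, not the automember alternative.

```shell
#!/bin/sh
# Added example: choose `ipa user-add` options based on user private group (UPG) state.
# Commands are overridable so the logic can be exercised without an IdM server.
IPA="${IPA:-ipa}"
IPA_MANAGED_ENTRIES="${IPA_MANAGED_ENTRIES:-ipa-managed-entries}"

# Succeeds when the "UPG Definition" plug-in instance is enabled.
# Assumption: the `status` action prints "Plugin Enabled" or "Plugin Disabled".
# A failed status query counts as "disabled", so a GID is then demanded.
upg_enabled() {
    "$IPA_MANAGED_ENTRIES" -e "UPG Definition" status 2>/dev/null |
        grep -q "Plugin Enabled"
}

# add_user LOGIN FIRST LAST [GID]
# Exit codes: 2 = malformed GID, 3 = GID required but missing.
add_user() {
    login=$1; first=$2; last=$3; gid=${4:-}

    # Reject anything that is not a plain non-negative integer.
    case $gid in
        *[!0-9]*) echo "error: GID must be numeric: $gid" >&2; return 2 ;;
    esac

    if upg_enabled; then
        if [ -n "$gid" ]; then
            # Per-user opt-out (13.4.1): --noprivate needs an explicit GID.
            "$IPA" user-add "$login" --first="$first" --last="$last" \
                --noprivate --gid="$gid"
        else
            # Default behaviour: IdM creates the private group itself.
            "$IPA" user-add "$login" --first="$first" --last="$last"
        fi
    else
        # UPGs disabled globally (13.4.2): IdM still requires a GID (13.4.3).
        if [ -z "$gid" ]; then
            echo "error: UPGs are disabled; pass a GID for $login" >&2
            return 3
        fi
        "$IPA" user-add "$login" --first="$first" --last="$last" --gid="$gid"
    fi
}
```

Run kinit admin before calling add_user, as in the procedure above.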