Local group creation fails if the same group name exists in ldap
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
Issue
- Creation of local group failed, if the same group name is present in AD / ldap
Resolution
-
User/Group collision is not supported/recommended i.e. ideally there should not be user/group with same name locally as well as in external centralised database such as NIS/LDAP/AD: Are user/group collisions supported in Red Hat Enterprise Linux?
-
As a temporary solution, create a local group first and then join/integrate system to AD domain.
-
Or if the linux system is already integrated with AD domain, then temporarily adjust entry in
/etc/nsswitch.conffile from:
group: file sss
to:
group: files
And then try creating a local group.
Root Cause
- This is expected behaviour & has been documenated in
# man groupadd:
If the groupname already exists in an external group database such as NIS or LDAP, groupadd will deny the group creation request.
Diagnostic Steps
- "testgroup" is currently created on the Active Directory / ldap:
$ getent group testgroup
testgroup:*:1182060217:ab.example.com,bc.example.com
- To check if testgroup is present in /etc/group
$ grep testgroup /etc/group
$
- Try to create a local group named "testgroup"
# groupadd testgroup
groupadd: group 'testgroup' already exists
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments