4 04 2017
freeipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
Ran into an issue trying to remove private groups in FreeIPA where it wouldn’t delete it because it was managed, but if you tried to detach it, it said it wasn’t managed.

[root@ipa ~]# ipa group-del privategroup
ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
[root@ipa ~]# ipa group-detach privategroup
ipa: ERROR: Not a managed group
As I wanted to delete all the private groups that were created in the migration from the old system I used the following script to do so:
#!/bin/bash
# Collect the names of all user private groups from their description line.
for group in $(ipa group-find | awk '/User private group/ {print $6}'); do
  # Strip the managed-entry markers, then delete the group (two LDIF records).
  ldapmodify -Y GSSAPI <<EOF
dn: cn=${group},cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: cn=${group},cn=groups,cn=accounts,dc=example,dc=com
changetype: delete
EOF
done
And as I wanted to disable private groups completely for new users, I ran the following:
ipa-managed-entries disable -e 'UPG Definition'
ipa-managed-entries disable -e 'NGP Definition'
It should be noted that we need to keep the “-” and the empty line, or you will receive errors like: “ldapmodify: wrong attributeType at line 5” or “ldapmodify: modify operation type is missing at line 8”.
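The LDIF from the script above, built per group with a name check before it is placed in the DN and a structural check for the "-" separators and blank line that the note describes. This is an added example, not code from the original post; the function names build_upg_ldif and lint_ldif, the name whitelist and the sample group names are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post). BASE_DN uses the page's
# placeholder suffix; the name whitelist is a conservative assumption.
BASE_DN="cn=groups,cn=accounts,dc=example,dc=com"

# Print the detach-then-delete LDIF for one group; return 1 on an unsafe name.
build_upg_ldif() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing group name: $1" >&2
            return 1 ;;
    esac
    cat <<EOF
dn: cn=$1,${BASE_DN}
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: cn=$1,${BASE_DN}
changetype: delete
EOF
}

# Structural check following RFC 2849: each add/delete/replace spec is closed
# by a "-" line and records are separated by a blank line. Reads LDIF on stdin.
lint_ldif() {
    awk '
        function bad(msg) { print "line " NR ": " msg | "cat 1>&2"; rc = 1 }
        /^dn: / { if (in_rec) bad("no blank line before new record"); in_rec = 1; next }
        /^$/    { if (pending) bad("modification not closed with -"); pending = 0; in_rec = 0; next }
        /^(add|delete|replace): / { if (pending) bad("missing - before " $0); pending = 1; next }
        /^-$/   { pending = 0; next }
        END     { if (pending) bad("last modification not closed with -"); exit rc + 0 }
    '
}

# Dry run over constructed names: print the LDIF only when it passes the lint.
for g in alice "bob,cn=admins"; do
    if ldif=$(build_upg_ldif "$g") && printf '%s\n' "$ldif" | lint_ldif; then
        printf '%s\n\n' "$ldif"
    fi
done
```

Piping the printed LDIF into ldapmodify -Y GSSAPI applies it; running the dry run first shows exactly which entries would be modified and deleted.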