5.6. Managing User Private Groups

On Fedora systems, every time a user is created, a corresponding user group is automatically created with that new user as its only member. This is a user private group. Using user private groups makes it simpler and safer to manage file and directory permissions, because the default umask only has to restrict access by other users, not by the group.
When a new user is created in the FreeIPA domain, it is also created with a corresponding private group, following the Fedora convention. For most environments this is an acceptable default, but there may be certain users or types of users which do not require a private group, or the environment may already have those GIDs[1] assigned to NIS groups or other system groups.

5.6.1. Disabling Private Groups for a Specific User

Private group creation can be disabled when the user is created by using the --noprivate option.
[jsmith@server ~]$ ipa user-add jsmith --first=John --last=Smith --noprivate

5.6.2. Disabling Private Groups Globally

User private groups are managed through the Managed Entries Plug-in in 389 Directory Server. Disabling this plug-in effectively disables private group creation for all new users. This is done using the ipa-managed-entries command.
  1. Use the ipa-managed-entries command to list possible Managed Entries Plug-in definitions. By default, there are two, one for new users (UPG) and one for netgroups (NGP).
    [root@ipaserver ~]# ipa-managed-entries --list -p DMpassword
    Available Managed Entry Definitions:
    UPG Definition
    NGP Definition
  2. Disable the desired Managed Entries Plug-in instance. For example:
    [root@ipaserver ~]# ipa-managed-entries -e "UPG Definition" -p DMpassword disable
    Disabling Plugin
  3. Restart the 389 Directory Server to load the new plug-in configuration.
    [root@ipaserver ~]# service dirsrv restart
Managed Entries Plug-in instances can be re-enabled with the enable option.
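After disabling private groups for a single user (Section 5.6.1) or globally (Section 5.6.2), it is useful to verify which users actually ended up with a private group as their primary group, and to spot the GID collision the introduction warns about, where a user's GID is already assigned to an existing NIS or system group. The following shell script is an added example and is not part of the FreeIPA documentation or the ipa tooling. It assumes passwd(5)- and group(5)-formatted input (on an enrolled client this would come from `getent passwd` and `getent group`), and it assumes the Fedora convention that a user private group is a group named after the user whose GID is that user's primary GID. The sample data is constructed.

```shell
#!/bin/sh
# Added example, not FreeIPA project code: audit which users have a user
# private group (UPG) as their primary group. Input is passwd(5)/group(5)
# style text; on a real client it would come from `getent passwd` and
# `getent group` (assumption). All data below is constructed.

# Constructed sample data:
#   jsmith     - conventional UPG (group named after the user, GID == UID)
#   bjones     - created with --noprivate, primary group is the shared 'users'
#   svc-backup - UID/GID 1003, but GID 1003 already belongs to 'backup-ops'
#                (the collision the section warns about)
#   orphan     - primary GID 5000 has no group entry at all
SAMPLE_PASSWD='jsmith:x:1001:1001:John Smith:/home/jsmith:/bin/bash
bjones:x:1002:100:Bob Jones:/home/bjones:/bin/bash
svc-backup:x:1003:1003:Backup Service:/var/lib/backup:/sbin/nologin
orphan:x:1004:5000:Orphan User:/home/orphan:/bin/bash'

SAMPLE_GROUP='users:x:100:bjones
jsmith:x:1001:
backup-ops:x:1003:svc-backup,jsmith'

# classify_primary_group USER PASSWD_DATA GROUP_DATA
# Prints one word:
#   private   - primary group is a UPG named after the user
#   shared    - primary group is some other, ordinary group
#   collision - GID equals the UID (UPG-style numbering) but the group with
#               that GID has a different name, i.e. the GID was already taken
#   missing   - the primary GID has no group entry
#   nouser    - no passwd entry for USER
classify_primary_group() {
    _user=$1
    _ids=$(printf '%s\n' "$2" | awk -F: -v u="$_user" '$1 == u { print $3 " " $4; exit }')
    if [ -z "$_ids" ]; then
        echo nouser
        return 0
    fi
    _uid=${_ids% *}
    _gid=${_ids#* }
    _gname=$(printf '%s\n' "$3" | awk -F: -v g="$_gid" '$3 == g { print $1; exit }')
    if [ -z "$_gname" ]; then
        echo missing
    elif [ "$_gname" = "$_user" ]; then
        echo private
    elif [ "$_gid" = "$_uid" ]; then
        echo collision
    else
        echo shared
    fi
}

# audit_private_groups PASSWD_DATA GROUP_DATA
# Prints "user gid class" for every passwd entry.
audit_private_groups() {
    printf '%s\n' "$1" | awk -F: '{ print $1, $4 }' | while read -r _u _g; do
        printf '%s %s %s\n' "$_u" "$_g" "$(classify_primary_group "$_u" "$1" "$2")"
    done
}

audit_private_groups "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

Run against real directory data, any user reported as `collision` or `missing` is worth looking at before relying on group permissions: a colliding GID silently makes the user a primary member of a group that was never meant to be private, and a missing group leaves files created by that user owned by a GID no group resolves.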

[1] See Section 5.7, “Managing Unique UID and GID Number Assignments” for information on changing GID/UID assignment ranges.