Group Management
Manage user groups including POSIX and non-POSIX groups with support for nested membership. Groups can contain users, other groups, and Kerberos services. Features include external group membership for Active Directory trust integration, group membership managers for delegated administration, automatic GID assignment, and flexible membership management for organizing users and services.
Overview
Groups in FreeIPA provide flexible mechanisms for organizing users, services, and other groups into logical collections for access control, policy application, and administrative delegation. Groups serve as fundamental building blocks in the IPA authorization model, appearing in HBAC rules, sudo rules, role assignments, and traditional POSIX file permissions.
FreeIPA supports three distinct group types, each serving different use cases within the identity management ecosystem. POSIX groups provide traditional UNIX group functionality with numeric group identifiers for file system permissions and process ownership. Non-POSIX groups offer lightweight organizational containers without file system semantics, useful for policy grouping and IPA-specific authorizations. External groups bridge trust boundaries, allowing users from Active Directory or other trusted domains to be mapped into the local IPA authorization framework.
Groups can contain multiple membership types simultaneously. Direct members include individual user accounts, while nested group membership allows groups to contain other groups, creating hierarchical organizational structures. Service members enable groups to contain Kerberos service principals, useful for managing collections of services with shared access requirements. This flexible membership model supports complex organizational topologies while maintaining clear authorization boundaries.
Group Types and Characteristics
POSIX Groups
POSIX groups represent traditional UNIX groups with numeric group identifiers (GID). These groups appear in file system permissions, process group ownership, and standard UNIX authorization contexts. When IPA clients retrieve user information through SSSD, POSIX group memberships are evaluated and presented to the operating system for access control decisions.
Each POSIX group requires a unique GID number within the IPA domain. IPA automatically assigns GID values from configured ID ranges when not explicitly specified, ensuring uniqueness across the domain. Manual GID assignment is supported for migration scenarios or specific organizational requirements. Changing a group’s GID after creation is possible but requires careful consideration, as existing file system permissions referencing the old GID will not automatically update.
POSIX groups support both direct and nested membership. In traditional POSIX environments, only direct user members are visible through standard system interfaces like getent group. However, IPA’s SSSD integration can optionally resolve nested group membership, making indirect members visible to the operating system based on configuration.
Non-POSIX Groups
Non-POSIX groups provide organizational containers without UNIX group semantics. These groups lack GID numbers and do not appear in traditional file system permissions. Non-POSIX groups are primarily used within IPA’s own authorization model for HBAC rules, sudo rules, role membership, and other IPA-managed policies.
Non-POSIX groups can be converted to POSIX groups using group-mod --posix, which assigns a GID and enables UNIX group functionality. This conversion is one-way; POSIX groups cannot be demoted to non-POSIX status. This design ensures that once a GID is assigned and potentially referenced in file permissions, it remains stable and consistent.
Non-POSIX groups are particularly useful when creating organizational structures that have no file system implications. For example, a “developers” group might be POSIX for file permissions, while a “developers-americas” subgroup might be non-POSIX if it only affects HBAC rules or role assignments.
External Groups
External groups enable integration with Active Directory trusts and other external identity sources. These special groups accept members identified by Security Identifiers (SID) from trusted domains rather than IPA user accounts. External groups must be marked as both non-POSIX and external during creation.
External groups cannot directly participate in POSIX authorization contexts. Instead, they are nested within regular POSIX groups to grant access to trusted domain users. This two-tier model maintains clean separation between external identity sources and local authorization policies. External users authenticate against their home domain but receive authorization through IPA group membership.
When adding external members, FreeIPA accepts several identifier formats: raw SID values, DOMAIN\username format, or username@domain format. IPA attempts to resolve user/group names to SIDs using the trusted domain’s Global Catalog, enabling administrators to use familiar names rather than opaque SID values.
Group Naming Constraints
Group names must follow specific formatting rules enforced at creation and modification:
- Cannot consist solely of numeric digits
- Must begin with a letter, number, underscore (_), or period (.)
- May contain letters, numbers, underscores, periods, or hyphens (-)
- May end with a letter, number, underscore, period, hyphen, or dollar sign ($)
These constraints ensure compatibility with LDAP naming requirements, POSIX group name conventions, and Kerberos principal formatting. Group names are case-sensitive within IPA’s directory but are typically managed in lowercase to avoid confusion.
Group ID (GID) Management
POSIX groups require unique numeric group identifiers. FreeIPA manages GID allocation through configured ID ranges, automatically assigning sequential GID values when not explicitly specified. Manual GID assignment is supported through the --gid option during group creation.
GID changes are supported but have significant implications. File system objects record ownership by numeric GID, not group name. Changing a group’s GID does not update existing file permissions, potentially orphaning files with the old GID. Before modifying a GID, administrators should inventory affected systems and plan permission updates.
IPA enforces GID uniqueness within each ID range. Attempting to create or modify a group with a duplicate GID fails with an error. This ensures that GID-based authorization remains unambiguous across the domain.
Nested Group Membership
Groups can contain other groups as members, creating hierarchical organizational structures. Nested membership enables administrators to build complex authorization topologies while maintaining clear organizational boundaries. For example, “engineering” might contain “developers” and “qa-team” as subgroups, which themselves contain individual user accounts.
In POSIX contexts, nested group resolution behavior depends on SSSD configuration. The ldap_group_nesting_level parameter controls how deeply SSSD resolves nested membership when presenting group information to the operating system. IPA’s HBAC and sudo evaluations always resolve nested groups regardless of SSSD settings.
Circular group membership (A contains B, B contains A) is prevented by IPA’s membership validation logic. Attempting to create circular references fails with an error indicating the membership would create a loop.
Service principals can be group members, enabling administrators to create groups of related services for access control purposes. In POSIX contexts, only user members are visible; service members only affect IPA-specific authorization contexts.
Group Membership Managers
Membership managers enable delegated group administration without granting full group modification privileges. Users or groups designated as membership managers can add or remove members from a specific group but cannot modify other group attributes like description, GID, or group type.
This delegation model supports organizational workflows where team leads manage their team’s membership without requiring full administrative access. For example, a project manager might be designated as membership manager for their project’s group, allowing them to add new team members without involving central IT staff.
Both individual users and groups can be membership managers. Assigning a group as membership manager enables anyone in that manager group to administer the target group’s membership. This creates flexible delegation hierarchies.
Membership managers can add or remove all membership types: users, groups, services, and (for external groups) external SIDs. The membership manager privilege applies uniformly across all member types.
External Group Integration with Active Directory
External groups bridge Active Directory trusts, mapping AD users and groups into IPA’s authorization framework. This integration enables trusted domain users to access IPA-managed resources while maintaining authentication against their home domain.
The typical integration pattern involves three components:
- An external non-POSIX group containing AD SIDs
- A regular POSIX group for authorization
- Nested membership connecting the external group to the POSIX group
When an AD user authenticates, IPA retrieves their SID from the authentication context. If that SID appears in an external group, and that external group is nested within POSIX groups, the user receives the effective permissions of those POSIX groups.
IPA resolves AD user and group names to SIDs using the trusted domain’s Global Catalog. This resolution enables administrators to specify external members using familiar formats (DOMAIN\username or user@domain) rather than opaque SID strings. The resolved SID is stored, ensuring membership remains valid even if the name changes in the trusted domain.
Examples
Basic Group Management
Create a new POSIX group with automatic GID assignment:
ipa group-add --desc='Engineering team' engineering
Create a POSIX group with a specific GID (useful for migration scenarios):
ipa group-add --gid=10000 --desc='Legacy application group' legacyapp
Create a non-POSIX group for IPA-only authorization:
ipa group-add --nonposix --desc='Policy group for HBAC' hbac_users
Convert a non-POSIX group to POSIX (one-way operation):
ipa group-mod --posix hbac_users
Delete a group:
ipa group-del engineering
Display comprehensive group information including all members:
ipa group-show engineering --all
Search for groups matching a pattern:
ipa group-find engineering
Search for all POSIX groups:
ipa group-find --posix
Find groups containing a specific user:
ipa group-find --users=jsmith
Membership Management
Add individual users to a group:
ipa group-add-member --users=jsmith engineering
Add multiple users in a single operation:
ipa group-add-member --users=jsmith --users=alee --users=mchen engineering
Create nested group structure (add group to another group):
ipa group-add --desc='Development team' developers
ipa group-add --desc='QA team' qa_team
ipa group-add-member --groups=developers --groups=qa_team engineering
Add service principals to a group for service management:
ipa group-add-member --services=HTTP/web.example.com engineering
Remove a user from a group:
ipa group-remove-member --users=jsmith engineering
Remove multiple members at once:
ipa group-remove-member --users=jsmith --groups=contractors engineering
Membership Manager Delegation
Designate a user as membership manager (can add/remove members but not modify group attributes):
ipa group-add-member-manager --users=teamlead engineering
Designate a group as membership manager (anyone in the manager group can manage membership):
ipa group-add --desc='Engineering managers' eng_managers
ipa group-add-member-manager --groups=eng_managers engineering
Remove membership manager privileges:
ipa group-remove-member-manager --users=teamlead engineering
External Group Integration with Active Directory
Create external group for mapping AD users:
ipa group-add --external --desc='External AD Domain Admins' ad_domain_admins_external
Create corresponding POSIX group for authorization:
ipa group-add --desc='AD Domain Admins' ad_domain_admins
Add AD users/groups by name (IPA resolves to SID):
ipa group-add-member ad_domain_admins_external --external 'AD\Domain Admins'
ipa group-add-member ad_domain_admins_external --external 'AD\alice'
ipa group-add-member ad_domain_admins_external --external 'bob@ad.example.com'
Link external group to POSIX group for effective permissions:
ipa group-add-member ad_domain_admins --groups ad_domain_admins_external
Verify external group membership (shows resolved SIDs):
ipa group-show ad_domain_admins_external --all
Remove external member:
ipa group-remove-member ad_domain_admins_external --external 'AD\alice'
Advanced Group Operations
Modify group description:
ipa group-mod --desc='Updated description' engineering
Change group GID (impacts existing file permissions):
ipa group-mod --gid=10500 engineering
Detach a user’s private group (created automatically with user account):
ipa group-detach jsmith
Rename a group:
ipa group-mod --rename=engineering_team engineering
Search for groups in specific roles:
ipa group-find --in-roles=helpdesk
Find groups used in HBAC rules:
ipa group-find --in-hbacrules=allow_admins
Use Cases
Department-Based Organizational Structure
Scenario: Organization with engineering, sales, and operations departments needs group hierarchy.
Solution:
# Create top-level department POSIX groups
ipa group-add engineering --desc="Engineering department" --posix
ipa group-add sales --desc="Sales department" --posix
ipa group-add operations --desc="Operations department" --posix
# Create sub-teams as nested groups
ipa group-add backend-dev --desc="Backend developers" --posix
ipa group-add frontend-dev --desc="Frontend developers" --posix
ipa group-add devops --desc="DevOps team" --posix
# Nest sub-teams under departments
ipa group-add-member engineering --groups=backend-dev,frontend-dev,devops
# Add users to sub-teams
ipa group-add-member backend-dev --users=alice,bob
ipa group-add-member frontend-dev --users=charlie,diana
# Users in backend-dev are automatically members of engineering
Active Directory Trust User Integration
Scenario: AD users need access to Linux infrastructure via IPA trust.
Solution:
# Create external group for AD users
ipa group-add ad_linux_users_ext --desc="AD Linux users external" --external
# Add AD group to external group
ipa group-add-member ad_linux_users_ext --external 'AD\Domain Users'
# Create POSIX group for actual authorization
ipa group-add ad_linux_users --desc="AD Linux users" --posix
# Nest external group within POSIX group
ipa group-add-member ad_linux_users --groups=ad_linux_users_ext
# Use ad_linux_users in HBAC, sudo, file permissions
# AD Domain Users members now have POSIX group membership
Delegated Group Management for Team Leads
Scenario: Project managers need to manage their project team membership without admin rights.
Solution:
# Create project group
ipa group-add project-phoenix --desc="Project Phoenix team" --posix
# Create project managers group
ipa group-add project-managers --desc="Project managers" --posix
ipa group-add-member project-managers --users=alice,bob
# Grant project managers membership management rights
ipa group-add-member-manager project-phoenix --groups=project-managers
# Alice and Bob can now add/remove members from project-phoenix
# (as alice)
ipa group-add-member project-phoenix --users=charlie,diana
Service Principal Collections
Scenario: Manage web service principals collectively for certificate operations.
Solution:
# Create non-POSIX group for service collection
ipa group-add web-services --desc="Web application services" --nonposix
# Add service principals to group
ipa group-add-member web-services \
--services=HTTP/web01.example.com \
--services=HTTP/web02.example.com \
--services=HTTP/web03.example.com
# Use group in certificate policies or access controls
# All web services managed collectively
Multi-Tier Access Control
Scenario: Different access levels for junior, senior, and lead engineers.
Solution:
# Create hierarchical access groups
ipa group-add eng-junior --posix
ipa group-add eng-senior --posix
ipa group-add eng-lead --posix
# Create umbrella engineering group
ipa group-add engineering --posix
ipa group-add-member engineering \
--groups=eng-junior,eng-senior,eng-lead
# Add users to appropriate levels
ipa group-add-member eng-junior --users=alice,bob
ipa group-add-member eng-senior --users=charlie,diana
ipa group-add-member eng-lead --users=eve
# Create HBAC rules with different scopes
# Junior: dev servers only
ipa hbacrule-add eng-junior-access
ipa hbacrule-add-user eng-junior-access --groups=eng-junior
ipa hbacrule-add-host eng-junior-access --hostgroups=dev-servers
# Senior: dev + staging
ipa hbacrule-add eng-senior-access
ipa hbacrule-add-user eng-senior-access --groups=eng-senior
ipa hbacrule-add-host eng-senior-access --hostgroups=dev-servers,staging-servers
# Lead: all environments
ipa hbacrule-add eng-lead-access
ipa hbacrule-add-user eng-lead-access --groups=eng-lead
ipa hbacrule-add-host eng-lead-access --hostcat=all
GID-Based File Sharing
Scenario: Shared project directory with group-based permissions.
Solution:
# Create POSIX group for project
ipa group-add project-data --desc="Project data access" --posix --gid=10000
# Add team members
ipa group-add-member project-data --users=alice,bob,charlie
# On file server, create shared directory
mkdir /shared/project-data
chgrp 10000 /shared/project-data
chmod 2770 /shared/project-data # SGID for file ownership
# All group members can read/write files
# New files inherit group ownership due to SGID bit
Migration from Legacy Group Infrastructure
Scenario: Migrating from NIS with existing GID assignments.
Solution:
# Import groups with specific GID values
ipa group-add legacy-users --posix --gid=5000
ipa group-add legacy-admins --posix --gid=5001
ipa group-add legacy-ops --posix --gid=5002
# File ownership on migrated systems matches existing GIDs
# No permission changes needed during migration
Cross-Functional Team with Temporary Access
Scenario: Temporary cross-functional project needs users from multiple departments.
Solution:
# Create temporary project group
ipa group-add temp-migration-2024 --desc="2024 Migration Project" --posix
# Add users from different departments
ipa group-add-member temp-migration-2024 \
--users=eng-alice,sales-bob,ops-charlie
# Grant access to project resources
ipa hbacrule-add migration-access
ipa hbacrule-add-user migration-access --groups=temp-migration-2024
ipa hbacrule-add-host migration-access --hostgroups=migration-servers
# After project completion, remove group
ipa hbacrule-del migration-access
ipa group-del temp-migration-2024
Security Considerations
External group SID trust boundary: External groups accept SIDs from trusted domains. AD trust compromise could inject malicious SIDs gaining unauthorized access. Monitor trust health and audit external group membership.
Nested group privilege escalation: Users in nested groups inherit parent group permissions. Deep nesting hierarchies can obscure actual user permissions. Document group hierarchies clearly and limit nesting depth.
Membership manager delegation risk: Membership managers can add any user to groups. Malicious membership manager could grant themselves access to sensitive resources by adding their account to privileged groups. Grant membership manager status carefully.
GID conflicts enable permission bypass: Duplicate GIDs between groups cause ambiguous file ownership. Unauthorized users could access files if their group shares GID with authorized group. Ensure GID uniqueness.
Service principal group members visibility: Service principals in groups may not be obvious during permission audits. Service compromise could grant unintended access if service belongs to privileged groups. Audit service group memberships.
Group deletion orphans file ownership: Deleting POSIX groups leaves files owned by orphaned GIDs. These files may become accessible to newly created groups receiving the recycled GID. Always audit file ownership before group deletion.
External group name resolution caching: AD user/group names resolve to SIDs at addition time. If AD name changes, SID remains unchanged and membership persists. This can preserve access after AD renames, defeating name-based access revocations.
Non-POSIX to POSIX conversion one-way: Once converted to POSIX, groups cannot revert to non-POSIX. GID assignment is permanent. Plan POSIX conversions carefully as mistakes cannot be undone without recreating groups.
Group naming conflicts across trusts: Groups with same name but different SIDs can exist across trust boundaries. Ambiguous references could target wrong group. Always use fully qualified group names when working across trusts.
Circular membership prevention not foolproof: While direct circular references are blocked, complex multi-hop circular paths might evade detection temporarily. Monitor group membership topology for complex circular patterns.
SSSD group caching staleness: SSSD caches group memberships for performance. Urgent membership revocations may not take effect immediately. Clear SSSD cache for critical access removals: sssctl cache-expire --users=username.
Private groups default creation: User private groups created automatically consume GID space. Long-term deployments may exhaust GID ranges. Plan GID range sizes accommodating expected user growth.
Troubleshooting
Cannot create POSIX group - GID already in use:
# Find which group has the GID
ipa group-find --gid=10000
# Either:
# 1. Use different GID
ipa group-add newgroup --posix --gid=10001
# 2. Delete conflicting group first (if safe)
ipa group-del conflicting-group
ipa group-add newgroup --posix --gid=10000
User not showing as group member on client systems:
# Verify membership in IPA
ipa group-show groupname
# Check on client system
getent group groupname
# If mismatch, clear SSSD cache
sudo sssctl cache-expire --users=username --groups
sudo systemctl restart sssd
# Verify again
id username
External group membership not working for AD users:
# Verify external group created correctly
ipa group-show ad_ext_group
# Should show: External group: True
# Verify SID added correctly
ipa group-show ad_ext_group --all | grep "External member"
# Verify POSIX group nests external group
ipa group-show posix_group | grep "Member groups"
# Test AD user resolution
id 'aduser@ad.example.com'
# Should show posix_group membership
# If not working, clear cache
sudo sssctl cache-expire --everything
Nested group members not visible in POSIX contexts:
# SSSD must be configured to resolve nested groups
# Check SSSD configuration
grep ldap_group_nesting_level /etc/sssd/sssd.conf
# Default is 2, increase if needed
# /etc/sssd/sssd.conf:
[domain/example.com]
ldap_group_nesting_level = 4
sudo systemctl restart sssd
# Test nested resolution
id username
# Should show parent group memberships
Cannot convert non-POSIX group to POSIX:
# Verify group is non-POSIX
ipa group-show groupname | grep "GID"
# If GID already present, already POSIX
# Convert to POSIX
ipa group-mod groupname --posix
# Optionally specify GID
ipa group-mod groupname --posix --gid=10000
# Verify conversion
ipa group-show groupname | grep "GID"
Circular membership error when adding group:
# Symptom: "This entry is already a member"
# Check existing membership
ipa group-show group-a | grep "Member groups"
ipa group-show group-b | grep "Member groups"
# Identify circular path
# If A contains B, cannot add A to B
# Solution: Restructure group hierarchy
# Remove one direction of membership
ipa group-remove-member group-a --groups=group-b
Membership manager cannot add members:
# Verify membership manager status
ipa group-show targetgroup --all | grep "Membership managed by"
# If missing, add membership manager
ipa group-add-member-manager targetgroup --users=manager
# Verify manager can authenticate
# (as manager)
klist
# Retry member addition
ipa group-add-member targetgroup --users=newuser
Group deletion fails - “group is not empty”:
# Remove all members first
ipa group-show groupname
# Note all members
# Remove users
ipa group-remove-member groupname --users=user1,user2
# Remove nested groups
ipa group-remove-member groupname --groups=subgroup1
# Remove services if present
ipa group-remove-member groupname --services=HTTP/host.example.com
# Retry deletion
ipa group-del groupname
GID change causes file permission issues:
# Files owned by old GID become orphaned
# Find files with old GID
find /path -gid 10000 -exec ls -l {} \;
# Update ownership to new GID
find /path -gid 10000 -exec chgrp 10001 {} \;
# Or use group name (if group exists on system)
find /path -group oldname -exec chgrp newgroup {} \;
External member not resolving from AD:
# Verify trust is functional
ipa trust-show ad.example.com
# Test AD name resolution
# From IPA server:
wbinfo --name-to-sid 'AD\Domain Users'
# If resolution fails, trust has issues
# Verify AD connectivity
ping dc.ad.example.com
# Check winbind status
systemctl status sssd
Private group conflicts with organizational group:
# User private groups created automatically
# May conflict with desired group names
# Find conflicting private group
ipa group-find --private
# Either:
# 1. Delete user private group (if safe)
ipa group-del username
# 2. Use different name for organizational group
ipa group-add username-team --posix
Cannot find group by GID:
# group-find doesn't support direct GID search
# List all groups and filter
ipa group-find --posix --all | grep -A5 "GID: 10000"
# Or search for group name if known
ipa group-show groupname | grep GID
Group member count incorrect:
# Count direct vs indirect members
ipa group-show groupname | grep "Member users"
# Check for nested groups
ipa group-show groupname | grep "Member groups"
# Each nested group contributes indirect members
# Total count = direct + all nested memberships
External group SID format errors:
# Symptom: "invalid SID format"
# Use supported formats:
# Raw SID:
ipa group-add-member ext-group --external 'S-1-5-21-xxx-xxx-xxx-512'
# Domain\name:
ipa group-add-member ext-group --external 'AD\Domain Admins'
# user@domain:
ipa group-add-member ext-group --external 'admingroup@ad.example.com'
# Verify SID was added
ipa group-show ext-group --all | grep "External member"
Group appears in multiple unintended contexts:
# Audit group usage across IPA
ipa group-find groupname --in-groups
ipa group-find groupname --in-hbacrules
ipa group-find groupname --in-sudorules
ipa group-find groupname --in-roles
# Remove from unintended contexts
ipa hbacrule-remove-user unwanted-rule --groups=groupname
Best Practices
Group Design and Organization
Use POSIX groups for file system permissions: Any group that needs to control access to files, directories, or processes on UNIX systems must be POSIX. Non-POSIX groups are only useful for IPA-internal authorization contexts like HBAC or sudo rules.
Leverage nested groups for organizational hierarchy: Create broad parent groups (e.g., “engineering”) that contain more specific subgroups (e.g., “developers”, “qa_team”). This enables both broad and granular access controls while maintaining clear organizational structure.
Establish consistent naming conventions: Use prefixes or suffixes to indicate group purpose (e.g., “role_”, “team_”, “app_”). This improves searchability and helps administrators quickly understand group function.
Minimize direct user membership in parent groups: Prefer adding users to specific subgroups rather than parent groups. This makes membership more granular and easier to audit. Parent groups should primarily contain other groups.
GID Management
Allow automatic GID assignment: Unless migrating existing groups or integrating with external systems requiring specific GIDs, let IPA automatically assign GID values. This prevents collisions and maintains consistent allocation.
Document manual GID assignments: When manually specifying GIDs, maintain external documentation recording the assignment rationale and any external dependencies. This prevents future conflicts and aids troubleshooting.
Avoid changing GIDs on active groups: GID changes do not update existing file permissions. If a GID change is necessary, plan for comprehensive permission audits and updates across all systems. Consider creating a new group instead.
Reserve GID ranges for different purposes: If your organization has multiple group categories (e.g., departmental, application, role-based), consider using separate GID ranges to improve organization and prevent future conflicts.
Membership Management
Use membership managers for delegation: Rather than granting full administrative access, designate team leads or managers as membership managers for their groups. This distributes administrative load while maintaining security boundaries.
Audit nested group relationships regularly: Deep or complex nesting can make effective permissions difficult to understand. Periodically review group hierarchies and flatten where possible to improve clarity.
Limit service principal membership: While services can be group members, excessive service membership in user groups can complicate access control logic. Consider separate groups for services unless there’s clear authorization overlap.
Document external group mappings: When integrating Active Directory trusts, maintain clear documentation mapping external groups to POSIX groups. This aids troubleshooting and prevents orphaned external memberships.
Security and Access Control
Minimize membership in privileged groups: Groups like “admins” or those with broad HBAC/sudo access should have minimal membership. Use nested groups to grant privilege selectively rather than adding users directly to high-privilege groups.
Regularly audit group membership: Implement periodic reviews of group membership, especially for groups controlling access to sensitive resources. Remove users who no longer require access.
Use non-POSIX groups for policy-only contexts: If a group only affects HBAC rules, sudo rules, or IPA role membership, make it non-POSIX. This prevents inadvertent file system permission implications.
Protect membership manager privileges: Membership managers have significant control over group composition. Designate managers carefully and review manager assignments regularly.
Integration and Automation
Leverage automember rules: For groups with consistent membership patterns (e.g., all users in a specific department), use automember rules to maintain membership automatically. This reduces administrative overhead and ensures consistency.
Integrate group management with HR systems: Consider scripting group membership updates based on HR system data. This ensures group membership reflects current organizational structure and reduces manual tracking.
Monitor external group SID resolution: When using external groups with AD trusts, periodically verify that SID resolution still functions correctly. Broken trust relationships can cause external members to become orphaned.
Plan for group lifecycle: Establish processes for archiving or removing obsolete groups. Unused groups clutter the directory and can complicate access control audits.
Integration with Other IPA Components
HBAC Rules
Groups appear as user and host categories in HBAC rules, controlling which users can access which hosts and services. Both POSIX and non-POSIX groups function equivalently in HBAC contexts. Nested group membership is fully resolved during HBAC evaluation.
Sudo Rules
Sudo rules reference groups to determine which users can execute privileged commands on which hosts. As with HBAC, nested groups are resolved during sudo policy evaluation, enabling flexible privilege delegation hierarchies.
Role-Based Access Control (RBAC)
IPA roles can have group members, granting all members of the group the role’s privileges. This enables efficient privilege management for teams or departments.
Automember Rules
Automember rules automatically populate group membership based on user or host attributes. For example, all users with a specific department attribute can automatically become members of the department’s group.
User Private Groups
Each user automatically receives a private group with the same name as their username. These groups can be detached using group-detach if organizational policy requires shared primary groups.
Host Groups
While user groups and host groups are separate entities, they follow similar conceptual models. Both support nesting and appear in HBAC/sudo rules, creating parallel organizational structures for users and systems.
Commands
group-add
Usage: ipa [global-options] group-add GROUP-NAME [options]
Create a new group.
Arguments
| Argument | Required | Description |
|---|---|---|
GROUP-NAME | yes | Group name |
Options
| Option | Description |
|---|---|
--desc DESC | Group description |
--gid GID | GID (use this option to set it manually) |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--nonposix | Create as a non-POSIX group |
--external | Allow adding external non-IPA members from trusted domains |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
group-add-member
Usage: ipa [global-options] group-add-member GROUP-NAME [options]
Add members to a group.
Arguments
| Argument | Required | Description |
|---|---|---|
GROUP-NAME | yes | Group name |
Options
| Option | Description |
|---|---|
--external EXTERNAL | Members of a trusted domain in DOM\name or name@domain form |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to add |
--groups GROUPS | groups to add |
--services SERVICES | services to add |
--idoverrideusers IDOVERRIDEUSERS | User ID overrides to add |
group-add-member-manager
Usage:
ipa [global-options] group-add-member-manager GROUP-NAME [options]
Add users that can manage members of this group.
Arguments
| Argument | Required | Description |
|---|---|---|
GROUP-NAME | yes | Group name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to add |
--groups GROUPS | groups to add |
group-del
Usage: ipa [global-options] group-del GROUP-NAME [options]
Delete group.
Arguments
| Argument | Required | Description |
|---|---|---|
GROUP-NAME | yes | Group name |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
group-detach
Usage: ipa [global-options] group-detach GROUP-NAME [options]
Detach a managed group from a user.
Arguments
| Argument | Required | Description |
|---|---|---|
GROUP-NAME | yes | Group name |
group-find
Usage: ipa [global-options] group-find [CRITERIA] [options]
Search for groups.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--group-name GROUP-NAME | Group name |
--desc DESC | Group description |
--gid GID | GID (use this option to set it manually) |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--private | search for private groups |
--posix | search for POSIX groups |
--external | search for groups with support of external non-IPA members from trusted domains |
--nonposix | search for non-POSIX groups |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“group-name”) |
--users USERS | Search for groups with these member users. |
--no-users NO-USERS | Search for groups without these member users. |
--groups GROUPS | Search for groups with these member groups. |
--no-groups NO-GROUPS | Search for groups without these member groups. |
--services SERVICES | Search for groups with these member services. |
--no-services NO-SERVICES | Search for groups without these member services. |
--idoverrideusers IDOVERRIDEUSERS | Search for groups with these member User ID overrides. |
--no-idoverrideusers NO-IDOVERRIDEUSERS | Search for groups without these member User ID overrides. |
--in-groups IN-GROUPS | Search for groups with these member of groups. |
--not-in-groups NOT-IN-GROUPS | Search for groups without these member of groups. |
--in-netgroups IN-NETGROUPS | Search for groups with these member of netgroups. |
--not-in-netgroups NOT-IN-NETGROUPS | Search for groups without these member of netgroups. |
--in-roles IN-ROLES | Search for groups with these member of roles. |
--not-in-roles NOT-IN-ROLES | Search for groups without these member of roles. |
--in-hbacrules IN-HBACRULES | Search for groups with these member of HBAC rules. |
--not-in-hbacrules NOT-IN-HBACRULES | Search for groups without these member of HBAC rules. |
--in-sudorules IN-SUDORULES | Search for groups with these member of sudo rules. |
--not-in-sudorules NOT-IN-SUDORULES | Search for groups without these member of sudo rules. |
--membermanager-users MEMBERMANAGER-USERS | Search for groups with these group membership managed by users. |
--not-membermanager-users NOT-MEMBERMANAGER-USERS | Search for groups without these group membership managed by users. |
--membermanager-groups MEMBERMANAGER-GROUPS | Search for groups with these group membership managed by groups. |
--not-membermanager-groups NOT-MEMBERMANAGER-GROUPS | Search for groups without these group membership managed by groups. |
group-mod
Usage: ipa [global-options] group-mod GROUP-NAME [options]
Modify a group.
Arguments
| Argument | Required | Description |
|---|---|---|
GROUP-NAME | yes | Group name |
Options
| Option | Description |
|---|---|
--desc DESC | Group description |
--gid GID | GID (use this option to set it manually) |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--posix | change to a POSIX group |
--external | change to support external non-IPA members from trusted domains |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--rename RENAME | Rename the group object |
group-remove-member
Usage:
ipa [global-options] group-remove-member GROUP-NAME [options]
Remove members from a group.
Arguments
| Argument | Required | Description |
|---|---|---|
GROUP-NAME | yes | Group name |
Options
| Option | Description |
|---|---|
--external EXTERNAL | Members of a trusted domain in DOM\name or name@domain form |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to remove |
--groups GROUPS | groups to remove |
--services SERVICES | services to remove |
--idoverrideusers IDOVERRIDEUSERS | User ID overrides to remove |
group-remove-member-manager
Usage:
ipa [global-options] group-remove-member-manager GROUP-NAME [options]
Remove users that can manage members of this group.
Arguments
| Argument | Required | Description |
|---|---|---|
GROUP-NAME | yes | Group name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to remove |
--groups GROUPS | groups to remove |
group-show
Usage: ipa [global-options] group-show GROUP-NAME [options]
Display information about a named group.
Arguments
| Argument | Required | Description |
|---|---|---|
GROUP-NAME | yes | Group name |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |