<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 07/24/2014 11:33 PM, Jatin Nansi wrote: </div> <blockquote cite="mid:53D1D023.3070907@redhat.com" type="cite"> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> What does getent group ose-developers getent group 889000002 on the ipa client show? the client sssd nss and domain logs will log any relevant errors. Jatin </blockquote> Hi Jatin, Beats me but - apparently it's working fine now: $ ssh -Y -l ose-dev1 rhc1.interop.example.com Last login: Thu Jul 24 19:51:19 2014 from xrhc1.interop.example.com Kickstarted on 2013-12-11 [ose-dev1@rhc1 ~]$ getent group ose-developers ose-developers:*:889000002: [ose-dev1@rhc1 ~]$ getent group 889000002 ose-developers:*:889000002: [ose-dev1@rhc1 ~]$ id uid=889000002(ose-dev1) gid=889000002(ose-developers) groups=889000002(ose-developers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 I rebooted both IdM servers, client about an hour before - maybe the client had old cache entries? Thanks and sorry for the false alarm. -m <blockquote cite="mid:53D1D023.3070907@redhat.com" type="cite"> <div class="moz-cite-prefix">On 25/07/14 13:22, Mark Heslin wrote: </div> <blockquote cite="mid:53D1CD85.6080209@redhat.com" type="cite"> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> Happy Friday, I'm getting this message on login to an IPA client and not sure why: $ ssh -Y -l ose-dev1 rhc1.interop.example.com <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:ose-dev1@rhc1.interop.example.com">ose-dev1@rhc1.interop.example.com</a>'s password: Last login: Thu Jul 24 19:46:46 2014 from rhc1.interop.example.com Kickstarted on 2013-12-11 id: cannot find name for group ID 889000002 <--- ??? The group and account were created about 2 months ago on an IdM (RHEL 7) server as follows: <meta http-equiv="CONTENT-TYPE" content="text/html; charset=ISO-8859-1"> <title></title> <meta name="GENERATOR" content="LibreOffice 4.1.6.2 (Linux)"> <style type="text/css">    </style># ipa group-add ose-developers --desc="OpenShift Developers" --gid=889000002 ---------------------------- Added group "ose-developers" ---------------------------- Group name: ose-developers Description: OpenShift Developers GID: 889000002 # ipa user-add ose-dev1 --first="OSE" --last="Dev 1" --displayname="OpenShift Developer 1" --homedir="/home/ose-dev1" --shell="/bin/bash" --uid=889000002 --gidnumber=889000002 --password Password: ******* Enter Password again to verify: --------------------- Added user "ose-dev1" --------------------- User login: ose-dev1 First name: OSE Last name: Dev 1 Full name: OSE Dev 1 Display name: OpenShift Developer 1 Initials: OD Home directory: /home/ose-dev1 GECOS: OSE Dev 1 Login shell: /bin/bash Kerberos principal: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:ose-dev1@INTEROP.EXAMPLE.COM">ose-dev1@INTEROP.EXAMPLE.COM</a> Email address: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:ose-dev1@interop.example.com">ose-dev1@interop.example.com</a> UID: 889000002 GID: 889000002 Password: True Member of groups: ipausers Kerberos keys available: True On the IdM server, when I run 'group-show', 'group-find' I get: <meta http-equiv="CONTENT-TYPE" content="text/html; charset=ISO-8859-1"> <title></title> <meta name="GENERATOR" content="LibreOffice 4.1.6.2 (Linux)"> <style type="text/css">  </style># ipa group-show ose-developers Group name: ose-developers Description: OpenShift Developers GID: 889000002 # ipa group-find ose-developers --------------- 1 group matched --------------- Group name: ose-developers Description: OpenShift Developers GID: 889000002 ---------------------------- Number of entries returned 1 ---------------------------- and 'user-show' returns: # ipa user-show ose-dev1 User login: ose-dev1 First name: OSE Last name: Dev 1 Home directory: /home/ose-dev1 Login shell: /bin/bash Email address: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:ose-dev1@interop.example.com">ose-dev1@interop.example.com</a> UID: 889000002 GID: 889000002 Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True so clearly the groups, user entries are correct in IdM. On first login, the homedir is created but the group name is not resolved: $ pwd /home/ose-dev1 [ose-dev1@xrhc1 ~]$ ls -lad . drwxr-xr-x. 3 ose-dev1 889000002 4096 Jul 24 19:51 . $ id uid=889000002(ose-dev1) gid=889000002 groups=889000002 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Is there some other client side lookup issue that is causing this? Why doesn't gid=889000002 map to (ose-developers)? Thanks! -m <pre class="moz-signature" cols="72">-- Red Hat Reference Architectures Follow Us: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://twitter.com/RedHatRefArch">https://twitter.com/RedHatRefArch</a> Plus Us: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://plus.google.com/u/0/b/114152126783830728030/">https://plus.google.com/u/0/b/114152126783830728030/</a> Like Us: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.facebook.com/rhrefarch">https://www.facebook.com/rhrefarch</a> </pre> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> <pre class="moz-signature" cols="72">-- Red Hat Reference Architectures Follow Us: <a class="moz-txt-link-freetext" href="https://twitter.com/RedHatRefArch">https://twitter.com/RedHatRefArch</a> Plus Us: <a class="moz-txt-link-freetext" href="https://plus.google.com/u/0/b/114152126783830728030/">https://plus.google.com/u/0/b/114152126783830728030/</a> Like Us: <a class="moz-txt-link-freetext" href="https://www.facebook.com/rhrefarch">https://www.facebook.com/rhrefarch</a> </pre> </body> </html>