[Freeipa-users] Fedora 16 client not getting group names

Jakub Hrozek jhrozek at redhat.com
Fri Jan 27 16:57:17 UTC 2012


On Fri, Jan 27, 2012 at 11:47:01AM -0500, Dan Scott wrote:
> Hi,
> 
> On Fri, Jan 27, 2012 at 10:48, Stephen Gallagher <sgallagh at redhat.com> wrote:
> > On Fri, 2012-01-27 at 10:36 -0500, Dan Scott wrote:
> >> Hi,
> >>
> >> I have a Fedora 16 client running sssd-client-1.6.4-1.fc16.x86_64.
> >>
> >> When I run, e.g. id djscott, I do not get the names of the groups:
> >>
> >> -bash-4.2$ id djscott
> >> uid=768(djscott) gid=1002(legacy-group)
> >> groups=1002(legacy-group),1134,1130,1118,1103,1108,1113,789600001(ipausers),1102,1109,1129,1111
> >>
> >> Is this because they have low GIDs? (These were migrated over from my
> >> old FreeIPA 1 installation and I'd rather not re-number them all).
> >>
> >> Can someone help me to figure out how to retrieve the group names?
> >> This is working fine on the Fedora 15 clients (sssd-1.5.x).
> >
> >
> > This looks to me like you didn't migrate all of the groups. GID 1002 and
> > 789600001 are both reporting the names correctly, so clearly the client
> > is able to access the FreeIPA server and retrieve groups.
> 
> It's working fine with Fedora 15 clients, so I think that the groups
> were migrated OK.
> 
> > Please try the following and report the results:
> >
> > getent group 1134
> >
> > and also
> > getent group <groupname>
> >
> > where <groupname> is the name that is SUPPOSED to match GID 1134.
> 
> I've just realised that once I've manually looked up the group using
> the name, the id command is 'fixed':
> 
> [root@newton ~]# getent group 1134
> [root@newton ~]# getent group svn-wfdb-swig-matlab
> svn-wfdb-swig-matlab:*:1134:ikaro,djscott
> [root@newton ~]# getent group 1134
> svn-wfdb-swig-matlab:*:1134:ikaro,djscott
> [root@newton ~]# id djscott
> uid=768(djscott) gid=1002(legacy-group)
> groups=1002(legacy-group),1134(svn-wfdb-swig-matlab),1130,1118,1103,1108,1113,789600001(ipausers),1102,1109,1129,1111
> 
> The initial getent returned no data. But the group info seems OK once
> I've done one lookup.
> 

That's weird, id runs getgrgid() on each of the returned group GIDs.

> Maybe the sssd cache is corrupt/out-of-date? How can I refresh it?

WARNING: removing the cache would remove the cached passwords

service sssd stop
rm -f /var/lib/sss/db/cache*.ldb
service sssd start

If the group names still wouldn't show up, can you post logs when
performing the id command?

SSSD 1.7 contains a much more user-friendly way to just mark the entries
in cache as expired using the sss_cache command.

> 
> Thanks,
> 
> Dan
> 




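An added example, not part of the original thread: a small shell helper that lists the GIDs `id` printed without a name and then repeats the by-GID lookup for each one, which is the check requested above with `getent group 1134`. The function names are hypothetical, and the sample line is the `id djscott` output quoted in the thread, joined onto one line.

```shell
#!/bin/sh
# Sample input: the `id djscott` output from the thread, joined onto one line.
SAMPLE_ID_OUTPUT='uid=768(djscott) gid=1002(legacy-group) groups=1002(legacy-group),1134,1130,1118,1103,1108,1113,789600001(ipausers),1102,1109,1129,1111'

# unresolved_gids (hypothetical name): print, space-separated, every entry of
# the groups= field that is a bare number, i.e. a GID shown without "(name)".
unresolved_gids() {
    printf '%s\n' "$1" |
        sed -n -e 's/ context=.*$//' -e 's/^.*groups=//p' |  # drop SELinux context, keep the group list
        tr ',' '\n' |
        grep -E '^[0-9]+$' |                                 # keep only entries with no name attached
        paste -sd ' ' -
}

# probe_gids (hypothetical name): look each GID up by number, the same kind of
# lookup id performs through getgrgid(), and report whether an entry comes back.
probe_gids() {
    for gid in "$@"; do
        if entry=$(getent group "$gid"); then
            printf '%s resolves: %s\n' "$gid" "$entry"
        else
            printf '%s has no entry by GID\n' "$gid"
        fi
    done
}

# Live use: pass a user name, e.g. `sh check-gids.sh djscott` (file name is an assumption).
if [ $# -gt 0 ]; then
    # Word splitting is intended here: one argument per GID.
    probe_gids $(unresolved_gids "$(id "$1")")
fi
```

Running it before and after clearing the cache shows whether the by-GID lookups start returning entries without a prior lookup by name.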