[Freeipa-users] Users not inheriting groups

William Graboyes wgraboyes at cenic.org
Fri Aug 1 17:58:14 UTC 2014



Thanks for your help,

The group memberships are propagated properly on the server side:

  dn: uid=user,cn=users,cn=accounts,dc=cenic,dc=org
  uid: user
  givenname: userfn
  sn: userln
  cn: userfn userln
  displayname: userfn userln
  initials: uu
  homedirectory: /home/user
  gecos: userfn userln
  loginshell: /bin/bash
  krbprincipalname: user at ORG.ORG
  mail: user at cenic.org
  uidnumber: 1080
  gidnumber: 1080
  nsaccountlock: False
  has_password: True
  has_keytab: True
  ipauniqueid: 2d01b68e-fb38-11e3-9d0d-525400e99b50
  krbextradata: AALodNFTc3JpYXpAQ0VOSUMuT1JHAA==
  krblastfailedauth: 20140731220341Z
  krblastpwdchange: 20140724210440Z
  krblastsuccessfulauth: 20140731223953Z
  krbloginfailedcount: 0
  krbpasswordexpiration: 20141022210440Z
  krbpwdpolicyreference:
cn=global_policy,cn=ORG.ORG,cn=kerberos,dc=org,dc=org
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
  memberof: cn=games,cn=groups,cn=accounts,dc=org,dc=org
  memberof:
cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
  memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
  memberofindirect:
ipauniqueid=696df694-e690-11e3-8fc8-525400e99b50,cn=sudorules,cn=sudo,dc=org,dc=org
  memberofindirect:
ipauniqueid=a3eb8884-ecdc-11e3-a0df-525400e99b50,cn=ng,cn=alt,dc=org,dc=org
  memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
  memberofindirect:
cn=engineering_core,cn=groups,cn=accounts,dc=org,dc=org
  memberofindirect: cn=engineering,cn=groups,cn=accounts,dc=org,dc=org
  memberofindirect: cn=staff,cn=groups,cn=accounts,dc=org,dc=org
  mepmanagedentry: cn=sriaz,cn=groups,cn=accounts,dc=org,dc=org
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: ipasshuser
  objectclass: ipaSshGroupOfPubKeys
  objectclass: mepOriginEntry

This has been scrubbed; the group that is not being seen on the client
side is the rancid group, which is showing up here.

Thanks,
Bill G.

On Fri Aug  1 01:14:32 2014, Jakub Hrozek wrote:
> On Thu, Jul 31, 2014 at 03:42:43PM -0700, William Graboyes wrote:
>>
>> Hi List,
>>
>> I am running into some odd issues with IPA and users not inheriting
>> all groups they are a member of.
>>
>> I spent a lot of time nesting groups so that when we add a user they get all of
>> the groups they need with one group setting (a boon for automation).
>> However, I am finding a small percentage of users who are in the proper
>> groups in IPA but the server does not pick up all the groups involved,
>> until I add those specific users to the group in question.
>>
>> For clarity:
>>
>> 1) Most users inherit groups fine.
>> 2) A small percentage (2-3% discovered so far) do not inherit one or
>> more of the needed groups.
>> 3) Workaround found by adding users directly to the group instead of
>> nesting in the proper group (though less than ideal).
>
> Hi,
>
> let's find out if the group memberships propagated correctly on the
> server side, first, to isolate where the issue is.
>
> Can you run:
>     ipa user-show $faulty_user --all --raw
>
> on the server, or directly ldapsearch the user so we can see if the user
> entry has all the memberof attributes you'd expect?
>
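An added diagnostic, not part of this thread: it parses the memberof and memberofindirect values from `ipa user-show $user --all --raw` output (including the wrapped continuation lines seen above) and compares them with what `id -Gn` reports on the client, listing the groups the client never picked up. Both samples below are constructed; the attribute names and DN layout follow the output posted above.

```python
import re

# Constructed sample of `ipa user-show $user --all --raw` output, cut down to
# the membership attributes; long values wrap onto a continuation line at
# column 0, as they do in the thread above.
SERVER_RAW = """\
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
  memberof: cn=games,cn=groups,cn=accounts,dc=org,dc=org
  memberof:
cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
  memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
  memberofindirect:
ipauniqueid=696df694-e690-11e3-8fc8-525400e99b50,cn=sudorules,cn=sudo,dc=org,dc=org
  memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
  memberofindirect: cn=staff,cn=groups,cn=accounts,dc=org,dc=org
"""
# Constructed sample of `id -Gn user` as run on the affected client.
CLIENT_ID_OUTPUT = "ipausers games engineering_core_engineers staff\n"

ATTR_RE = re.compile(r"^\s+([A-Za-z0-9_]+):\s?(.*)$")
GROUP_RDN_RE = re.compile(r"^cn=([^,]+),cn=groups,cn=accounts,", re.IGNORECASE)

def parse_raw(raw):
    """Return (attribute, value) pairs, re-joining wrapped continuation lines."""
    pairs = []
    for line in raw.splitlines():
        m = ATTR_RE.match(line)
        if m:
            pairs.append([m.group(1).lower(), m.group(2)])
        elif pairs and line.strip():
            pairs[-1][1] += line.strip()  # no "attr:" prefix: wrapped value
    return [tuple(p) for p in pairs]

def server_groups(raw):
    """Map POSIX group cn -> 'direct'/'indirect' for the entry. Sudo rules and
    netgroups also show up in memberofindirect and are skipped here."""
    groups = {}
    for attr, value in parse_raw(raw):
        m = GROUP_RDN_RE.match(value)
        if attr in ("memberof", "memberofindirect") and m:
            groups[m.group(1)] = "direct" if attr == "memberof" else "indirect"
    return groups

def missing_on_client(raw, id_output):
    """Groups the server asserts for the user but the client's `id -Gn` lacks."""
    seen = set(id_output.split())
    return sorted((cn, k) for cn, k in server_groups(raw).items() if cn not in seen)

for cn, kind in missing_on_client(SERVER_RAW, CLIENT_ID_OUTPUT):
    print(f"missing on client: {cn} ({kind} membership on server)")
```

If every missing group is an indirect one, the server's memberof plugin has done its job and the gap is in how the client resolves nested memberships; if direct groups are missing too, the client is not seeing the entry at all.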