[Freeipa-users] Group membership not populated

Darren Poulson darren.poulson at genesys.com
Fri Nov 14 15:07:29 UTC 2014


> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
> Sent: 14 November 2014 14:56
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Group membership not populated
> 
> On Fri, Nov 14, 2014 at 12:10:59PM +0000, Darren Poulson wrote:
> > Hi,
> >
> > I'm currently having an issue where if I log in as a user on a freshly rebooted machine, their group membership is not populated, so things like sudo do not work properly. If I do a getent group <group>, log out and log back in again, then it works properly.
> >
> > for example
> >
> > -sh-4.1$ groups dpoulson
> > dpoulson : dpoulson ops_admins helpdesk
> > -sh-4.1$ getent group ops_users
> > ops_users:*:50130:dpoulson,anotheruser,andanother,etc
>
> Is ops_users an IPA group that dpoulsen is a member of (or maybe some AD
> trust group or a local UNIX group)?
>

An IPA group, no AD or other funkiness in this set up yet. 

> > -sh-4.1$ groups dpoulson
> > dpoulson : dpoulson ops_admins helpdesk ops_users
> > -sh-4.1$ groups
> > dpoulson ops_admins helpdesk
> >
> > <logout/login>
> >
> > -sh-4.1$ groups
> > dpoulson helpdesk ops_admins ops_users
>
> Taking the missing ops_users group out of the picture, this is expected,
> memberships are set on login only.
>
Agreed.

> >
> > (the user is actually meant to be a member of 6 groups)
>
> Can you paste ipa user-show dpoulson?

[root@freeipa1-01 ~]# ipa user-show dpoulson
  User login: dpoulson
  First name: Darren
  Last name: Poulson
  Home directory: /home/dpoulson
  Login shell: /bin/sh
  Email address: dpoulson at genesys.com
  UID: 50004
  GID: 50004
  Telephone Number: 123-555-1234
  Account disabled: False
  Password: True
  Member of groups: admins, ipausers, helpdesk, sbmonitor_users, ops_users, ops_admins
  Indirect Member of role: helpdesk
  Indirect Member of Sudo rule: sudo_admins
  Indirect Member of HBAC rule: allow_all
  Kerberos keys available: True
  SSH public key fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX darren.poulson at genesys.com (ssh-rsa)


Cheers,

Darren.
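
Added example, not part of the original message or of FreeIPA: a small shell helper that lists which groups from `ipa user-show` are absent from a resolved group list, so the session's groups (`id -Gn`) and the NSS lookup (`id -Gn <user>`) can each be compared against IPA. The function name and the sample strings are constructed from the output quoted in this thread; IPA groups without a GID (non-POSIX) never appear in `id` output and will always be listed.

```shell
#!/bin/sh
# missing_groups is a hypothetical helper name (not an IPA or SSSD command).
# $1: text printed by `ipa user-show <user>`
# $2: space-separated group names, e.g. from `id -Gn` (current session)
#     or `id -Gn <user>` (fresh NSS lookup)
# Prints, one per line, every IPA group not present in $2.
missing_groups() {
    # Take the "Member of groups:" line, split on commas, trim blanks.
    expected=$(printf '%s\n' "$1" \
        | sed -n 's/^ *Member of groups: *//p' \
        | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//')
    for g in $expected; do
        case " $2 " in
            *" $g "*) ;;                 # group is resolved, nothing to report
            *) printf '%s\n' "$g" ;;     # group known to IPA but not resolved
        esac
    done
}

# Constructed sample input, copied from the output shown in this thread.
IPA_OUT='  User login: dpoulson
  Member of groups: admins, ipausers, helpdesk, sbmonitor_users, ops_users, ops_admins'
FIRST_LOGIN='dpoulson ops_admins helpdesk'
SECOND_LOGIN='dpoulson helpdesk ops_admins ops_users'

echo "missing after first login:";  missing_groups "$IPA_OUT" "$FIRST_LOGIN"
echo "missing after second login:"; missing_groups "$IPA_OUT" "$SECOND_LOGIN"

# On a live client (assumes a valid Kerberos ticket for the ipa command):
#   missing_groups "$(ipa user-show "$USER")" "$(id -Gn)"
#   missing_groups "$(ipa user-show "$USER")" "$(id -Gn "$USER")"
```

A difference between the two live calls means the session was started before the membership resolved; a group missing from both points at the lookup itself.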

