[Freeipa-users] Group membership not populated

Jakub Hrozek jhrozek at redhat.com
Fri Nov 14 15:14:14 UTC 2014


On Fri, Nov 14, 2014 at 03:07:29PM +0000, Darren Poulson wrote:
> > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
> > Sent: 14 November 2014 14:56
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] Group membership not populated
> > 
> > On Fri, Nov 14, 2014 at 12:10:59PM +0000, Darren Poulson wrote:
> > > Hi,
> > >
> > > I'm currently having an issue where if I log in as a user on a freshly rebooted machine, their group membership is not populated, so things like sudo do not work properly. If I do a getent group <group>, log out and log back in again, then it works properly.
> > >
> > > for example
> > >
> > > -sh-4.1$ groups dpoulson
> > > dpoulson : dpoulson ops_admins helpdesk
> > > -sh-4.1$ getent group ops_users
> > > ops_users:*:50130:dpoulson,anotheruser,andanother,etc
> >
> > Is ops_users an IPA group that dpoulsen is a member of (or maybe some AD
> > trust group or a local UNIX group)?
> >
> 
> An IPA group, no AD or other funkiness in this set up yet. 
> 
> > > -sh-4.1$ groups dpoulson
> > > dpoulson : dpoulson ops_admins helpdesk ops_users
> > > -sh-4.1$ groups
> > > dpoulson ops_admins helpdesk
> > >
> > > <logout/login>
> > >
> > > -sh-4.1$ groups
> > > dpoulson helpdesk ops_admins ops_users
> >
> > Taking the missing ops_users group out of the picture, this is expected,
> > memberships are set on login only.
> >
> Agreed.
> 
> > >
> > > (the user is actually meant to be a member of 6 groups)
> >
> > Can you paste ipa user-show dpoulson?
> 
> [root at freeipa1-01 ~]# ipa user-show dpoulson
>   User login: dpoulson
>   First name: Darren
>   Last name: Poulson
>   Home directory: /home/dpoulson
>   Login shell: /bin/sh
>   Email address: dpoulson at genesys.com
>   UID: 50004
>   GID: 50004
>   Telephone Number: 123-555-1234
>   Account disabled: False
>   Password: True
>   Member of groups: admins, ipausers, helpdesk, sbmonitor_users, ops_users, ops_admins
>   Indirect Member of role: helpdesk
>   Indirect Member of Sudo rule: sudo_admins
>   Indirect Member of HBAC rule: allow_all
>   Kerberos keys available: True
>   SSH public key fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX darren.poulson at genesys.com (ssh-rsa)

OK, if the user is a direct member of the groups and the groups are all
POSIX (=they all have a GID), then I would expect the group membership
to show all users.

Can you try setting ldap_deref_threshold=0 and re-running the test? It
would also be best if you could remove the sssd cache first.
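As an added example (not from the thread or the SSSD project), a POSIX shell script that applies the suggested ldap_deref_threshold = 0 to the [domain/...] section of an sssd.conf copy, verifies the value that is in effect, and spells out the cache-removal step; the domain name, server name, sample config and cache path handling are assumptions.

```shell
# Added example, not from the original thread: apply the suggested
# ldap_deref_threshold = 0 and clear the sssd cache. Paths and names are assumptions.
set -eu
# Write a constructed sssd.conf (sample input, not a real config) to $1.
write_sample_conf() {
  cat > "$1" <<'EOF'
[sssd]
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = freeipa1-01.example.test
ldap_deref_threshold = 10

[nss]
EOF
}

# Print the ldap_deref_threshold value in the first [domain/...] section
# of $1 (empty if unset); used to verify that the change took effect.
domain_deref_threshold() {
  awk '
    /^\[domain\// && !seen { in_domain = 1; seen = 1; next }
    /^\[/ { in_domain = 0 }
    in_domain && /^[[:space:]]*ldap_deref_threshold[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); print; exit
    }
  ' "$1"
}

# Set "ldap_deref_threshold = 0" in the first [domain/...] section of $1:
# replace an existing key or append one at the end of the section. Idempotent.
set_deref_threshold() {
  awk '
    /^\[/ && in_domain { print "ldap_deref_threshold = 0"; in_domain = 0; done = 1 }
    /^\[domain\// && !done { in_domain = 1; print; next }
    in_domain && /^[[:space:]]*ldap_deref_threshold[[:space:]]*=/ {
      print "ldap_deref_threshold = 0"; in_domain = 0; done = 1; next
    }
    { print }
    END { if (in_domain) print "ldap_deref_threshold = 0" }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Remove the on-disk sssd cache (needs root; sssd stopped while files go).
# Lighter alternative that keeps the files: sss_cache -E
flush_sssd_cache() {
  service sssd stop
  rm -f /var/lib/sss/db/*
  service sssd start
}
```

Run set_deref_threshold on /etc/sssd/sssd.conf, then flush_sssd_cache, before repeating the login test.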
