[Freeipa-users] Group membership not populated
Jakub Hrozek
jhrozek at redhat.com
Fri Nov 14 15:14:14 UTC 2014
On Fri, Nov 14, 2014 at 03:07:29PM +0000, Darren Poulson wrote:
> > From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Jakub Hrozek [jhrozek at redhat.com]
> > Sent: 14 November 2014 14:56
> > To: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] Group membership not populated
> >
> > On Fri, Nov 14, 2014 at 12:10:59PM +0000, Darren Poulson wrote:
> > > Hi,
> > >
> > > I'm currently having an issue where if I log in as a user on a freshly rebooted machine, their group membership is not populated, so things like sudo do not work properly. If I do a getent group <group>, log out and log back in again, then it works properly.
> > >
> > > for example
> > >
> > > -sh-4.1$ groups dpoulson
> > > dpoulson : dpoulson ops_admins helpdesk
> > > -sh-4.1$ getent group ops_users
> > > ops_users:*:50130:dpoulson,anotheruser,andanother,etc
> >
> > Is ops_users an IPA group that dpoulsen is a member of (or maybe some AD
> > trust group or a local UNIX group)?
> >
>
> An IPA group, no AD or other funkiness in this set up yet.
>
> > > -sh-4.1$ groups dpoulson
> > > dpoulson : dpoulson ops_admins helpdesk ops_users
> > > -sh-4.1$ groups
> > > dpoulson ops_admins helpdesk
> > >
> > > <logout/login>
> > >
> > > -sh-4.1$ groups
> > > dpoulson helpdesk ops_admins ops_users
> >
> > Taking the missing ops_users group out of the picture, this is expected,
> > memberships are set on login only.
> >
> Agreed.
>
> > >
> > > (the user is actually meant to be a member of 6 groups)
> >
> > Can you paste ipa user-show dpoulson?
>
> [root at freeipa1-01 ~]# ipa user-show dpoulson
> User login: dpoulson
> First name: Darren
> Last name: Poulson
> Home directory: /home/dpoulson
> Login shell: /bin/sh
> Email address: dpoulson at genesys.com
> UID: 50004
> GID: 50004
> Telephone Number: 123-555-1234
> Account disabled: False
> Password: True
> Member of groups: admins, ipausers, helpdesk, sbmonitor_users, ops_users, ops_admins
> Indirect Member of role: helpdesk
> Indirect Member of Sudo rule: sudo_admins
> Indirect Member of HBAC rule: allow_all
> Kerberos keys available: True
> SSH public key fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX darren.poulson at genesys.com (ssh-rsa)
OK, if the user is a direct member of the groups and the groups are all
POSIX (=they all have a GID), then I would expect the group membership
to show all users.
Can you try setting ldap_deref_threshold=0 and re-running the test? It
would also be best if you could remove the sssd cache first.
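Jakub's suggested test written out as a script; this is an added example, not code from the thread or from the SSSD/FreeIPA projects. It assumes the domain section in sssd.conf is named [domain/example.test] (placeholder) and a RHEL 6 style "service" init, matching the bash 4.1 prompt above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the SSSD domain section is
# [domain/example.test] (placeholder) and a RHEL 6 style "service" init.

# set_domain_option CONF SECTION KEY VALUE
# Print CONF with "KEY = VALUE" set inside [SECTION] of the ini-style
# sssd.conf: an existing KEY line in that section is replaced, a missing one
# is appended to the section, and every other section is left untouched.
set_domain_option() {
    awk -v sect="[$2]" -v key="$3" -v val="$4" '
        function flush() { if (insect && !done) { print key " = " val; done = 1 } }
        /^\[/  { flush(); insect = ($0 == sect) }
        insect && ($0 ~ ("^[[:space:]]*" key "[[:space:]]*=")) {
                   if (!done) { print key " = " val; done = 1 }; next }
               { print }
        END    { flush() }
    ' "$1"
}

# apply_deref_workaround DOMAIN USER
# ldap_deref_threshold is a domain-level option; 0 turns dereference lookups
# off. Drop the SSSD cache so no stale group entries survive the restart,
# then read the user's groups again with a fresh lookup. Writing through cat
# keeps the 0600 mode on sssd.conf, which sssd refuses to start without.
apply_deref_workaround() {
    conf=/etc/sssd/sssd.conf
    umask 077
    set_domain_option "$conf" "domain/$1" ldap_deref_threshold 0 > "$conf.new" || return 1
    cp -p "$conf" "$conf.bak" && cat "$conf.new" > "$conf" && rm -f "$conf.new"
    service sssd stop
    rm -f /var/lib/sss/db/*        # cached users, groups and memberships
    service sssd start
    id -Gn "$2"                     # should now list every POSIX group from ipa user-show
}
```

Run as root, e.g. `apply_deref_workaround example.test dpoulson`, and compare the printed list with the "Member of groups" line from ipa user-show.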