[Freeipa-users] GID, groups and ipa group-show

Rob Crittenden rcritten at redhat.com
Thu Jan 14 21:09:55 UTC 2016


Prasun Gera wrote:
> This is an old thread, but I can confirm that this is still an issue on
> RHEL 7.2 + 4.2. This creates problems when there are roles associated
> with groups, but group membership through GID is broken. I had migrated
> all old NIS accounts into ipa. I then added the host enrollment role to
> a particular group. Now, unless I add the users to the group explicitly,
> they won't get the role, even if their gid is the same as the gid of the
> group. 

The user GIDNumber just sets the default group for POSIX. If you do
groups on the user I'll bet it shows correctly.

For the purposes of IPA access control, as you've seen, the user must
have a memberOf for a given group, either directly or indirectly.

rob

> On Mon, Aug 24, 2015 at 5:01 AM, David Kupka <dkupka at redhat.com
> <mailto:dkupka at redhat.com>> wrote:
> 
>     On 21/08/15 15:21, bahan w wrote:
> 
>         Hello !
> 
>         I contact you because I notice something strange with IPA
>         environment.
> 
>         I created a group :
>         ipa group-add g1 --desc="my first group"
> 
>         Then I created a user with the GID of g1
>         GID1=`ipa group-show g1 | awk '/GID/ {printf("%s",$2)}'`
>         ipa user-add --first=u1 --last=u1 --homedir=/home/u1 --shell=/bin/bash --gidnumber=${GID1} u1
> 
>         Then when I perform ipa group-show g1 command, I got the
>         following result :
>         ###
>            Group name: g1
>            Description: my first group
>            GID: <gid1>
>         ###
> 
>         Same for ipa user-show u1 :
>         ###
>            User login: u1
>            First name: u1
>            Last name: u1
>            Home directory: /home/u1
>            Login shell: /bin/bash
>            Email address: u1@<MYDOMAIN>
>            UID: <uid1>
>            GID: <gid1>
>            Account disabled: False
>            Password: False
>            Member of groups: ipausers
>            Kerberos keys available: False
>         ###
> 
>         These 2 commands do not see u1 as a member of g1.
>         When I try the command id u1, I can see the group :
> 
>         ###
>         id u1
>         uid=<uid1>(u1) gid=<gid1>(g1) groups=<gid1>(g1)
>         ###
> 
>         Is it the normal behaviour of these IPA commands ?
> 
>         Best regards.
> 
>         Bahan
> 
> 
> 
>     Hello!
> 
>     I'm not sure if this is intended and/or correct behavior or not.
>     Looking at /etc/passwd and /etc/group I see it behaves similarly in
>     a way.
> 
>     You can have the following entries in the aforementioned files
> 
>     [/etc/group]
>     ...
>     g1:x:<gid1>:
>     ...
> 
>     [/etc/passwd]
>     ...
>     u1:x:<uid1>:<gid1>::/home/u1:/bin/bash
>     ...
> 
>     Looking in /etc/group you can't see that user 'u1' is a member of group
>     'g1', but tools like id, groups and getent show this information.
> 
>     On the other hand it would be useful to show these "implicit"
>     members in group-show output.
>     Could you please file a ticket
>     (https://fedorahosted.org/freeipa/newticket)?
> 
>     -- 
>     David Kupka
> 

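The whole thread turns on one distinction: a user's primary GID (the gidNumber attribute, or the fourth field of /etc/passwd) makes `id` and `groups` report the group, but IPA roles, HBAC and `ipa group-show` only consider explicit memberOf links. The script below is an added example, not code from the thread or from the FreeIPA project; it takes passwd- and group-format data (here constructed sample lines, in a real check the output of `getent passwd` and `getent group`) and lists the "implicit" members David mentions: users whose primary GID points at a group that does not list them as a member. Those are exactly the accounts that would silently miss a role attached to that group.

```shell
#!/bin/sh
# Added example (not from the thread): report users whose primary GID points at
# a group but who are not explicit members of it. These users show up in
# `id`/`groups` output but not in ipa group-show, so group-based roles and
# HBAC rules will not apply to them.

# Constructed sample data in /etc/passwd and /etc/group format.
# u1 and u2 both have primary GID 2001 (g1); only u2 is an explicit member.
PASSWD_SAMPLE='u1:x:1001:2001::/home/u1:/bin/bash
u2:x:1002:2001::/home/u2:/bin/bash
u3:x:1003:2002::/home/u3:/bin/bash'

GROUP_SAMPLE='g1:x:2001:u2
g2:x:2002:'

# implicit_members GROUP PASSWD_DATA GROUP_DATA
# Prints, one per line, every user whose primary GID equals GROUP's GID
# but who does not appear in GROUP's member list. Prints nothing if the
# group does not exist.
implicit_members() {
    {
        # Tag each line with its source so a single awk pass can read both.
        printf '%s\n' "$3" | sed 's/^/G:/'
        printf '%s\n' "$2" | sed 's/^/P:/'
    } | awk -F: -v g="$1" '
        # Group lines come first: remember the target GID and its explicit members.
        $1 == "G" && $2 == g {
            gid = $4
            n = split($5, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") explicit[m[i]] = 1
        }
        # Passwd lines: primary GID matches and the user is not an explicit member.
        $1 == "P" && gid != "" && $5 == gid && !($2 in explicit) { print $2 }
    '
}

# Stand-alone run over the sample data: prints "u1" for g1 and "u3" for g2.
for grp in g1 g2; do
    printf 'implicit members of %s:\n' "$grp"
    implicit_members "$grp" "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
done
```

On an enrolled client, feed it `"$(getent passwd)"` and `"$(getent group)"` instead of the sample strings; each user it reports can be made an explicit member with `ipa group-add-member GROUP --users=USER`, after which the memberOf link exists and the role or HBAC rule attached to the group applies as expected.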