[Freeipa-users] GID, groups and ipa group-show
David Kupka
dkupka at redhat.com
Fri Jan 15 07:48:19 UTC 2016
On 14/01/16 22:09, Rob Crittenden wrote:
> Prasun Gera wrote:
>> This is an old thread, but I can confirm that this is still an issue on
>> RHEL 7.2 + 4.2. This creates problems when there are roles associated
>> with groups, but group membership through GID is broken. I had migrated
>> all old NIS accounts into ipa. I then added the host enrollment role to
>> a particular group. Now, unless I add the users to the group explicitly,
>> they won't get the role, even if their gid is the same as the gid of the
>> group.
>
> The user GIDNumber just sets the default group for POSIX. If you do
> groups on the user I'll bet it shows correctly.
>
> For the purposes of IPA access control, as you've seen, the user must
> have a memberOf for a given group, either directly or indirectly.
>
> rob
>
Exactly, but the question is, shouldn't IPA add this membership
automatically? (Of course, only in case IPA has a group with this GID.)
David
>> On Mon, Aug 24, 2015 at 5:01 AM, David Kupka <dkupka at redhat.com
>> <mailto:dkupka at redhat.com>> wrote:
>>
>> On 21/08/15 15:21, bahan w wrote:
>>
>> Hello!
>>
>> I contact you because I notice something strange with IPA
>> environment.
>>
>> I created a group:
>> ipa group-add g1 --desc="my first group"
>>
>> Then I created a user with the GID of g1:
>> GID1=`ipa group-show g1 | awk '/GID/ {printf("%s",$2)}'`
>> ipa user-add --first=u1 --last=u1 --homedir=/home/u1 --shell=/bin/bash --gidnumber=${GID1} u1
>>
>> Then when I perform the ipa group-show g1 command, I get the
>> following result:
>> ###
>> Group name: g1
>> Description: my first group
>> GID: <gid1>
>> ###
>>
>> Same for ipa user-show u1:
>> ###
>> User login: u1
>> First name: u1
>> Last name: u1
>> Home directory: /home/u1
>> Login shell: /bin/bash
>> Email address: u1@<MYDOMAIN>
>> UID: <uid1>
>> GID: <gid1>
>> Account disabled: False
>> Password: False
>> Member of groups: ipausers
>> Kerberos keys available: False
>> ###
>>
>> These 2 commands do not see u1 as a member of g1.
>> When I try the command id u1, I can see the group:
>>
>> ###
>> id u1
>> uid=<uid1>(u1) gid=<gid1>(g1) groups=<gid1>(g1)
>> ###
>>
>> Is it the normal behaviour of these IPA commands?
>>
>> Best regards.
>>
>> Bahan
>>
>>
>>
>> Hello!
>>
>> I'm not sure if this is intended and/or correct behavior or not.
>> Looking at /etc/passwd and /etc/group I see it behaves similarly in
>> a way.
>>
>> You can have the following entries in the aforementioned files:
>>
>> [/etc/group]
>> ...
>> g1:x:<gid1>:
>> ...
>>
>> [/etc/passwd]
>> ...
>> u1:x:<uid1>:<gid1>::/home/u1:/bin/bash
>> ...
>>
>> Looking in /etc/group you can't see that user 'u1' is a member of group
>> 'g1', but tools like id, groups and getent show this information.
>>
>> On the other hand it would be useful to show these "implicit"
>> members in group-show output.
>> Could you please file a ticket
>> (https://fedorahosted.org/freeipa/newticket)?
>>
>> --
>> David Kupka
>>
--
David Kupka
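The gap the thread describes (a user whose gidNumber matches a group but who has no memberOf, so group-show, HBAC and role rules ignore them) can be audited offline. This is an added example, not code from the thread or from FreeIPA; it assumes passwd/group-format input as printed by `getent passwd` and `getent group` against SSSD, and the sample records, uids and gids are constructed.

```python
# Added example (not from the thread): find IPA users whose primary
# gidNumber points at an IPA group they are NOT an explicit member of.
# HBAC/role rules only see explicit (memberOf) membership, so these users
# silently miss anything granted to the group. Input is in passwd/group
# format as printed by `getent passwd` / `getent group` via SSSD.

# Constructed sample data; logins, uids and gids are hypothetical.
PASSWD = """\
u1:*:1001:2001::/home/u1:/bin/bash
u2:*:1002:2001::/home/u2:/bin/bash
u3:*:1003:2002::/home/u3:/bin/bash
"""
# `getent group` lists only explicit members after the last colon.
GROUP = """\
g1:*:2001:u2
g2:*:2002:u3
"""


def parse_passwd(text):
    """Map login -> primary gidNumber."""
    users = {}
    for line in filter(None, text.splitlines()):
        name, _pw, _uid, gid, _rest = line.split(":", 4)
        users[name] = int(gid)
    return users


def parse_group(text):
    """Map gidNumber -> (group name, set of explicit member logins)."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def implicit_only_members(passwd, group):
    """(user, group) pairs: the primary GID names an existing group but the
    user has no explicit membership there, so group-show will not list
    them and group-based rules will not apply to them."""
    users, groups = parse_passwd(passwd), parse_group(group)
    return [(u, groups[g][0]) for u, g in sorted(users.items())
            if g in groups and u not in groups[g][1]]


if __name__ == "__main__":
    for user, gname in implicit_only_members(PASSWD, GROUP):
        print(f"{user} has primary group {gname} but no explicit membership; "
              f"fix with: ipa group-add-member {gname} --users={user}")
```

On the sample data only u1 is reported: u2 and u3 share the same primary GIDs but were added explicitly, so the directory already carries their memberOf.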