[Freeipa-users] GID, groups and ipa group-show

David Kupka dkupka at redhat.com
Fri Jan 15 07:48:19 UTC 2016


On 14/01/16 22:09, Rob Crittenden wrote:
> Prasun Gera wrote:
>> This is an old thread, but I can confirm that this is still an issue on
>> RHEL 7.2 + 4.2. This creates problems when there are roles associated
>> with groups, but group membership through GID is broken. I had migrated
>> all old NIS accounts into ipa. I then added the host enrollment role to
>> a particular group. Now, unless I add the users to the group explicitly,
>> they won't get the role, even if their gid is the same as the gid of the
>> group.
>
> The user GIDNumber just sets the default group for POSIX. If you do
> groups on the user I'll bet it shows correctly.
>
> For the purposes of IPA access control, as you've seen, the user must
> have a memberOf for a given group, either directly or indirectly.
>
> rob
>

Exactly, but the question is, shouldn't IPA add this membership 
automatically? (Of course, only in case IPA has group with this GID.)

David

>> On Mon, Aug 24, 2015 at 5:01 AM, David Kupka <dkupka at redhat.com
>> <mailto:dkupka at redhat.com>> wrote:
>>
>>      On 21/08/15 15:21, bahan w wrote:
>>
>>          Hello !
>>
>>          I contact you because I notice something strange with IPA
>>          environment.
>>
>>          I created a group :
>>          ipa group-add g1 --desc="my first group"
>>
>>          Then I created a user with the GID of g1
>>          GID1=`ipa group-show g1 | awk '/GID/ {printf("%s",$2)}'`
>>          ipa user-add --first=u1 --last=u1 --homedir=/home/u1 \
>>              --shell=/bin/bash --gidnumber=${GID1} u1
>>
>>          Then when I perform ipa group-show g1 command, I got the
>>          following result :
>>          ###
>>             Group name: g1
>>             Description: my first group
>>             GID: <gid1>
>>          ###
>>
>>          Same for ipa user-show u1 :
>>          ###
>>             User login: u1
>>             First name: u1
>>             Last name: u1
>>             Home directory: /home/u1
>>             Login shell: /bin/bash
>>             Email address: u1@<MYDOMAIN>
>>             UID: <uid1>
>>             GID: <gid1>
>>             Account disabled: False
>>             Password: False
>>             Member of groups: ipausers
>>             Kerberos keys available: False
>>          ###
>>
>>          These 2 commands do not see u1 as a member of g1.
>>          When I try the command id u1, I can see the group :
>>
>>          ###
>>          id u1
>>          uid=<uid1>(u1) gid=<gid1>(g1) groups=<gid1>(g1)
>>          ###
>>
>>          Is it the normal behaviour of these IPA commands?
>>
>>          Best regards.
>>
>>          Bahan
>>
>>
>>
>>      Hello!
>>
>>      I'm not sure whether this is intended and/or correct behavior.
>>      Looking at /etc/passwd and /etc/group I see it behaves similarly in
>>      a way.
>>
>>      You can have following entries in the aforementioned files
>>
>>      [/etc/group]
>>      ...
>>      g1:x:<gid1>:
>>      ...
>>
>>      [/etc/passwd]
>>      ...
>>      u1:x:<uid1>:<gid1>::/home/u1:/bin/bash
>>      ...
>>
>>      Looking in /etc/group you can't see that user 'u1' is a member of group
>>      'g1', but tools like id, groups and getent show this information.
>>
>>      On the other hand it would be useful to show these "implicit"
>>      members in group-show output.
>>      Could you please file a ticket
>>      (https://fedorahosted.org/freeipa/newticket)?
>>
>>      --
>>      David Kupka
>>
>>      --
>>      Manage your subscription for the Freeipa-users mailing list:
>>      https://www.redhat.com/mailman/listinfo/freeipa-users
>>      Go to http://freeipa.org for more info on the project
>>
>>
>>
>>
>


-- 
David Kupka
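The gap the thread describes (a user whose POSIX GID equals a group's GID, so `id` reports the group, while IPA roles and HBAC only consult memberOf) is easy to audit for. Below is an added example, not code from this thread or from the FreeIPA project: a small Python script that parses the indented "Key: value" output format shown above, reports users whose GID matches an IPA group's GID but who do not appear on that group in their "Member of groups" line, and prints the `ipa group-add-member` commands that would make the membership explicit. The sample output embedded in it is constructed to mirror the listings in the thread; the user names, group names and GID values are made up, and only the direct-membership line shown on the page is checked.

```python
"""
Audit for "implicit" POSIX group members in FreeIPA.

A user whose gidNumber equals a group's gidNumber is treated as a member by
id/groups/getent, but IPA access control (roles, HBAC) only looks at the
memberOf link. This script finds users that have the GID but lack the link.
All sample data below is constructed for the example.
"""
import re
from typing import Dict, List

# Constructed sample of `ipa user-find` output (same layout as in the thread).
USER_FIND = """
---------------
3 users matched
---------------
  User login: u1
  First name: u1
  Last name: u1
  Home directory: /home/u1
  Login shell: /bin/bash
  UID: 1001
  GID: 2001
  Member of groups: ipausers

  User login: u2
  First name: u2
  Last name: u2
  UID: 1002
  GID: 2001
  Member of groups: ipausers, g1

  User login: u3
  First name: u3
  Last name: u3
  UID: 1003
  GID: 3000
  Member of groups: ipausers
----------------------------
Number of entries returned 3
----------------------------
"""

# Constructed sample of `ipa group-find` output. ipausers is non-POSIX (no GID).
GROUP_FIND = """
----------------
2 groups matched
----------------
  Group name: g1
  Description: my first group
  GID: 2001
  Member users: u2

  Group name: ipausers
  Description: Default group for all users
----------------------------
Number of entries returned 2
----------------------------
"""

_KV = re.compile(r'([^:]+):\s*(.*)$')


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Parse blank-line separated 'Key: value' blocks; header/footer rules
    and counter lines have no colon and are ignored."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        m = _KV.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries


def split_list(value: str) -> List[str]:
    """'ipausers, g1' -> ['ipausers', 'g1']"""
    return [v.strip() for v in value.split(',') if v.strip()]


def implicit_members(users: List[Dict[str, str]],
                     groups: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map group name -> users whose GID matches that group but who are not
    on the user's 'Member of groups' line. A GID owned by no IPA group
    (e.g. a leftover from a NIS migration) is skipped, not reported."""
    by_gid = {g['GID']: g['Group name'] for g in groups if 'GID' in g}
    missing: Dict[str, List[str]] = {}
    for u in users:
        group = by_gid.get(u.get('GID', ''))
        if group is None:
            continue
        if group not in split_list(u.get('Member of groups', '')):
            missing.setdefault(group, []).append(u['User login'])
    return missing


def remediation_commands(missing: Dict[str, List[str]]) -> List[str]:
    """One `ipa group-add-member` per group, users comma-separated."""
    return [f"ipa group-add-member {g} --users={','.join(us)}"
            for g, us in sorted(missing.items())]


if __name__ == "__main__":
    gap = implicit_members(parse_entries(USER_FIND), parse_entries(GROUP_FIND))
    for cmd in remediation_commands(gap):
        print(cmd)
```

Against the constructed sample it reports only u1 (same GID as g1, but not a member), while u2 is already explicit and u3's GID belongs to no IPA group. Against a real server you would feed it the text of `ipa user-find --all` and `ipa group-find --all`; review the generated commands before running them, since adding a user to a group also grants whatever roles and HBAC rules are attached to it.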
