[Freeipa-users] GID, groups and ipa group-show
Petr Spacek
pspacek at redhat.com
Fri Jan 15 08:31:10 UTC 2016
On 15.1.2016 08:48, David Kupka wrote:
> On 14/01/16 22:09, Rob Crittenden wrote:
>> Prasun Gera wrote:
>>> This is an old thread, but I can confirm that this is still an issue on
>>> RHEL 7.2 + 4.2. This creates problems when there are roles associated
>>> with groups, but group membership through GID is broken. I had migrated
>>> all old NIS accounts into ipa. I then added the host enrollment role to
>>> a particular group. Now, unless I add the users to the group explicitly,
>>> they won't get the role, even if their gid is the same as the gid of the
>>> group.
>>
>> The user GIDNumber just sets the default group for POSIX. If you do
>> groups on the user I'll bet it shows correctly.
>>
>> For the purposes of IPA access control, as you've seen, the user must
>> have a memberOf for a given group, either directly or indirectly.
>>
>> rob
>>
>
> Exactly, but the question is, shouldn't IPA add this membership automatically?
> (Of course, only in case IPA has group with this GID.)
IMHO we should. Currently, the user effectively has different group membership
on POSIX systems and on non-POSIX systems which read only the member attribute. I
think that this is surprising and inconsistent.
Petr^2 Spacek
>
> David
>
>>> On Mon, Aug 24, 2015 at 5:01 AM, David Kupka <dkupka at redhat.com
>>> <mailto:dkupka at redhat.com>> wrote:
>>>
>>> On 21/08/15 15:21, bahan w wrote:
>>>
>>> Hello !
>>>
>>> I contact you because I notice something strange with IPA
>>> environment.
>>>
>>> I created a group :
>>> ipa group-add g1 --desc="my first group"
>>>
>>> Then I created a user with the GID of g1
>>> GID1=`ipa group-show g1 | awk '/GID/ {printf("%s",$2)}'`
>>> ipa user-add --first=u1 --last=u1 --homedir=/home/u1 \
>>>     --shell=/bin/bash --gidnumber=${GID1} u1
>>>
>>> Then when I perform ipa group-show g1 command, I got the
>>> following result :
>>> ###
>>> Group name: g1
>>> Description: my first group
>>> GID: <gid1>
>>> ###
>>>
>>> Same for ipa user-show u1 :
>>> ###
>>> User login: u1
>>> First name: u1
>>> Last name: u1
>>> Home directory: /home/u1
>>> Login shell: /bin/bash
>>> Email address: u1@<MYDOMAIN>
>>> UID: <uid1>
>>> GID: <gid1>
>>> Account disabled: False
>>> Password: False
>>> Member of groups: ipausers
>>> Kerberos keys available: False
>>> ###
>>>
>>> These 2 commands do not see u1 as a member of g1.
>>> When I try the command id u1, I can see the group :
>>>
>>> ###
>>> id u1
>>> uid=<uid1>(u1) gid=<gid1>(g1) groups=<gid1>(g1)
>>> ###
>>>
>>> Is it the normal behaviour of these IPA commands?
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>>
>>>
>>> Hello!
>>>
>>> I'm not sure if this is intended and/or correct behavior or not.
>>> Looking at /etc/passwd and /etc/group I see it behaves similarly in
>>> a way.
>>>
>>> You can have the following entries in the aforementioned files
>>>
>>> [/etc/group]
>>> ...
>>> g1:x:<gid1>:
>>> ...
>>>
>>> [/etc/passwd]
>>> ...
>>> u1:x:<uid1>:<gid1>::/home/u1:/bin/bash
>>> ...
>>>
>>> Looking in /etc/group you can't see that user 'u1' is a member of group
>>> 'g1', but tools like id, groups, getent show this information.
>>>
>>> On the other hand it would be useful to show these "implicit"
>>> members in group-show output.
>>> Could you please file a ticket
>>> (https://fedorahosted.org/freeipa/newticket)?
>>>
>>> --
>>> David Kupka
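The mismatch discussed in this thread (a user's gidNumber makes them a member of a POSIX group for id/groups/getent, while IPA's memberOf, which drives roles and HBAC, does not list that group) can be audited with a small script. The following is an added example, not code from the thread or from FreeIPA itself: it models user and group entries as plain Python objects with the attribute names IPA uses (gidNumber, member, memberOf) on constructed sample data, emulates what a POSIX client resolves, and reports users whose primary GID matches an IPA group they are not explicitly a member of. In a real deployment the entries would come from `ipa user-find --all` / `ipa group-find --all` or an LDAP search; that loading step is not shown.

```python
"""Audit GID-only (implicit) group membership that IPA's memberOf does not reflect.

Added example with constructed data; not part of the original mailing-list thread.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Group:
    cn: str
    gid: Optional[int]                 # gidNumber; None for non-POSIX groups such as ipausers
    members: Set[str] = field(default_factory=set)   # explicit 'member' attribute (uids)


@dataclass
class User:
    uid: str
    uidn: int                          # uidNumber
    gid: int                           # gidNumber: primary POSIX group
    member_of: Set[str] = field(default_factory=set) # IPA 'memberOf' (direct or indirect)


# Constructed sample directory, modelled on the thread: g1 has gid 1001, u1 was
# created with --gidnumber=1001 but never added to g1 with group-add-member.
GROUPS: Dict[str, Group] = {
    "g1": Group("g1", 1001, {"u2"}),
    "g2": Group("g2", 1002),
    "ipausers": Group("ipausers", None, {"u1", "u2", "u3", "u4"}),
}
USERS: Dict[str, User] = {
    "u1": User("u1", 1001, 1001, {"ipausers"}),        # GID-only member of g1
    "u2": User("u2", 1002, 1001, {"ipausers", "g1"}),  # explicit member of g1
    "u3": User("u3", 1003, 1002, {"ipausers"}),        # GID-only member of g2
    "u4": User("u4", 1004, 9999, {"ipausers"}),        # GID matches no IPA group
}


def groups_by_gid(groups: Dict[str, Group]) -> Dict[int, Group]:
    """Index POSIX groups by gidNumber (non-POSIX groups have none and are skipped)."""
    return {g.gid: g for g in groups.values() if g.gid is not None}


def posix_groups(user: User, groups: Dict[str, Group]) -> Set[str]:
    """Groups a POSIX client (id, groups, getent) resolves for the user.

    This is the primary GID plus every POSIX group listing the user as a member,
    which is how /etc/passwd + /etc/group, and SSSD, are evaluated.
    """
    names = {g.cn for g in groups.values() if g.gid is not None and user.uid in g.members}
    primary = groups_by_gid(groups).get(user.gid)
    if primary is not None:
        names.add(primary.cn)
    return names


def implicit_only(users: Dict[str, User], groups: Dict[str, Group]) -> List[Tuple[str, str]]:
    """(uid, group) pairs where gidNumber matches an IPA group absent from memberOf.

    These users pass POSIX group checks but miss IPA roles/HBAC rules bound to the
    group. Users whose GID matches no IPA group at all are not reported, matching
    the thread's suggestion to add membership only when such a group exists.
    """
    by_gid = groups_by_gid(groups)
    findings = []
    for u in users.values():
        g = by_gid.get(u.gid)
        if g is not None and g.cn not in u.member_of:
            findings.append((u.uid, g.cn))
    return sorted(findings)


def id_line(user: User, groups: Dict[str, Group]) -> str:
    """Emulate the `id <user>` output quoted in the thread, primary group first."""
    by_name = {g.cn: g for g in groups.values()}
    names = sorted(posix_groups(user, groups), key=lambda n: (by_name[n].gid != user.gid, by_name[n].gid))
    primary = by_name[names[0]] if names else None
    gid_part = f"{user.gid}({primary.cn})" if primary else str(user.gid)
    groups_part = ",".join(f"{by_name[n].gid}({n})" for n in names)
    return f"uid={user.uidn}({user.uid}) gid={gid_part} groups={groups_part}"


if __name__ == "__main__":
    for uid, cn in implicit_only(USERS, GROUPS):
        print(f"{uid}: POSIX member of {cn} via gidNumber, but not in memberOf "
              f"(fix: ipa group-add-member {cn} --users={uid})")
    for u in USERS.values():
        print(id_line(u, GROUPS))
```

The `implicit_only` output is the list of users whose access differs between the two views; the remediation column in the printout uses the ordinary `ipa group-add-member` command so that memberOf catches up with what id already reports.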