[Freeipa-users] GID, groups and ipa group-show

Petr Spacek pspacek at redhat.com
Fri Jan 15 08:31:10 UTC 2016


On 15.1.2016 08:48, David Kupka wrote:
> On 14/01/16 22:09, Rob Crittenden wrote:
>> Prasun Gera wrote:
>>> This is an old thread, but I can confirm that this is still an issue on
>>> RHEL 7.2 + 4.2. This creates problems when there are roles associated
>>> with groups, but group membership through GID is broken. I had migrated
>>> all old NIS accounts into ipa. I then added the host enrollment role to
>>> a particular group. Now, unless I add the users to the group explicitly,
>>> they won't get the role, even if their gid is the same as the gid of the
>>> group.
>>
>> The user GIDNumber just sets the default group for POSIX. If you do
>> groups on the user I'll bet it shows correctly.
>>
>> For the purposes of IPA access control, as you've seen, the user must
>> have a memberOf for a given group, either directly or indirectly.
>>
>> rob
>>
> 
> Exactly, but the question is, shouldn't IPA add this membership automatically?
> (Of course, only in case IPA has group with this GID.)

IMHO we should. Currently, the user effectively has different group membership
on POSIX systems and non-POSIX systems which read only member attribute. I
think that this is surprising and inconsistent.

Petr^2 Spacek

> 
> David
> 
>>> On Mon, Aug 24, 2015 at 5:01 AM, David Kupka <dkupka at redhat.com
>>> <mailto:dkupka at redhat.com>> wrote:
>>>
>>>      On 21/08/15 15:21, bahan w wrote:
>>>
>>>          Hello !
>>>
>>>          I contact you because I noticed something strange with the IPA
>>>          environment.
>>>
>>>          I created a group :
>>>          ipa group-add g1 --desc="my first group"
>>>
>>>          Then I created a user with the GID of g1
>>>          GID1=`ipa group-show g1 | awk '/GID/ {printf("%s",$2)}'`
>>>          ipa user-add --first=u1 --last=u1 --homedir=/home/u1 --shell=/bin/bash --gidnumber=${GID1} u1
>>>
>>>          Then when I perform ipa group-show g1 command, I got the
>>>          following result :
>>>          ###
>>>             Group name: g1
>>>             Description: my first group
>>>             GID: <gid1>
>>>          ###
>>>
>>>          Same for ipa user-show u1 :
>>>          ###
>>>             User login: u1
>>>             First name: u1
>>>             Last name: u1
>>>             Home directory: /home/u1
>>>             Login shell: /bin/bash
>>>             Email address: u1@<MYDOMAIN>
>>>             UID: <uid1>
>>>             GID: <gid1>
>>>             Account disabled: False
>>>             Password: False
>>>             Member of groups: ipausers
>>>             Kerberos keys available: False
>>>          ###
>>>
>>>          These 2 commands do not see u1 as a member of g1.
>>>          When I try the command id u1, I can see the group :
>>>
>>>          ###
>>>          id u1
>>>          uid=<uid1>(u1) gid=<gid1>(g1) groups=<gid1>(g1)
>>>          ###
>>>
>>>          Is it the normal behaviour of these IPA commands ?
>>>
>>>          Best regards.
>>>
>>>          Bahan
>>>
>>>
>>>
>>>      Hello!
>>>
>>>      I'm not sure if this is intended and/or correct behavior or not.
>>>      Looking at /etc/passwd and /etc/group I see it behaves similarly in
>>>      a way.
>>>
>>>      You can have the following entries in the aforementioned files
>>>
>>>      [/etc/group]
>>>      ...
>>>      g1:x:<gid1>:
>>>      ...
>>>
>>>      [/etc/passwd]
>>>      ...
>>>      u1:x:<uid1>:<gid1>::/home/u1:/bin/bash
>>>      ...
>>>
>>>      Looking in /etc/group you can't see that user 'u1' is a member of group
>>>      'g1', but tools like id, groups and getent show this information.
>>>
>>>      On the other hand it would be useful to show these "implicit"
>>>      members in group-show output.
>>>      Could you please file a ticket
>>>      (https://fedorahosted.org/freeipa/newticket)?
>>>
>>>      --
>>>      David Kupka
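The split Rob and Petr describe (POSIX tools honour the user's gidNumber, IPA access control honours only member/memberOf) is something an administrator can audit before it bites a role or HBAC rule. The script below is an added example written for this thread, not code from FreeIPA; the user and group entries are constructed stand-ins for what `ipa user-show --all --raw` / `ipa group-show --all --raw` or an LDAP search would return, and the field names (`uid`, `gidNumber`, `member`, `memberof`) are assumed to be flattened to plain names rather than DNs. It computes what `id` would report for each user, what IPA's membership view contains, and lists the "implicit" members whose primary GID points at an IPA group they are not a member of, plus users whose GID matches no IPA group at all (typical after a NIS migration).

```python
"""Audit POSIX primary-GID group membership against IPA memberOf membership.

Constructed example for the mailing-list thread above: nothing here talks to a
real IPA server, and the directory entries below are hand-made sample data.
"""
from collections import defaultdict

# Constructed sample entries (not real directory content). "memberof" holds the
# group names IPA's access control would see for the user.
USERS = [
    {"uid": "u1", "gidNumber": 5001, "memberof": ["ipausers"]},
    {"uid": "u2", "gidNumber": 5001, "memberof": ["ipausers", "g1"]},
    {"uid": "u3", "gidNumber": 9999, "memberof": ["ipausers"]},  # migrated NIS GID, no IPA group
    {"uid": "u4", "gidNumber": 5002, "memberof": ["ipausers", "hostadmins"]},
]
GROUPS = [
    # ipausers is a non-POSIX group in this sample, so it carries no gidNumber.
    {"cn": "ipausers", "gidNumber": None, "member": ["u1", "u2", "u3", "u4"]},
    {"cn": "g1", "gidNumber": 5001, "member": ["u2"]},
    {"cn": "hostadmins", "gidNumber": 5002, "member": ["u4"]},
]


def group_by_gid(groups):
    """Map gidNumber -> group entry for the POSIX groups only."""
    return {g["gidNumber"]: g for g in groups if g["gidNumber"] is not None}


def posix_groups(user, groups):
    """Group names `id` would report: the primary GID's group plus every POSIX
    group that lists the user as a member."""
    names = set()
    primary = group_by_gid(groups).get(user["gidNumber"])
    if primary is not None:
        names.add(primary["cn"])
    for g in groups:
        if g["gidNumber"] is not None and user["uid"] in g["member"]:
            names.add(g["cn"])
    return names


def ipa_groups(user):
    """Group names IPA access control (roles, HBAC) sees: memberOf only."""
    return set(user["memberof"])


def audit(users, groups):
    """Return (implicit, orphans).

    implicit: {group cn: [uids]} -- users for whom `id` shows the group through
              their primary GID, but IPA has no member/memberOf link for them.
    orphans:  {uid: gidNumber} -- users whose primary GID matches no IPA group.
    """
    by_gid = group_by_gid(groups)
    implicit = defaultdict(list)
    orphans = {}
    for u in users:
        if u["gidNumber"] not in by_gid:
            orphans[u["uid"]] = u["gidNumber"]
            continue
        # Groups visible to POSIX but invisible to IPA's membership view.
        for cn in sorted(posix_groups(u, groups) - ipa_groups(u)):
            implicit[cn].append(u["uid"])
    return dict(implicit), orphans


if __name__ == "__main__":
    implicit, orphans = audit(USERS, GROUPS)
    for cn, uids in implicit.items():
        print(f"group {cn}: implicit (GID-only) members {uids} -> "
              f"consider 'ipa group-add-member {cn} --users=...'")
    for uid, gid in orphans.items():
        print(f"user {uid}: primary GID {gid} has no matching IPA group")
```

The `implicit` result is the list that matters for the role problem Prasun hit: those users pass `id` checks on hosts but do not inherit anything attached to the group in IPA until they are added with `ipa group-add-member`. The `orphans` list is the other common leftover of a NIS import, GIDs that never became IPA groups at all.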
