RSS feed

Re: ldap-authorised group membership limit stuck at 8

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: ldap-authorised group membership limit stuck at 8

A gid conflict was one of the first things I looked for - no dice.  I even tried remaking the group with a different gid number.

Also, removing a user from a prior added group will cause their membership in the newer one to start behaving.

On a possibly related (but as likely not) note, my admin user account is being listed by 'groups' as being a member of a recently created usergroup, although they're not placed there by ldap or /etc/group and doesn't appear as such in getent - yet I can do file operations as if I belonged to it.

(...ten minutes later...)

In the process of gathering all the following info, I'd been restarting nslcd several times.  On a whim, logging out and back into the server resulted in groups appearing properly for me.  It didn't change anything for my other users, but restarting nscd did.  I'm not sure if it will stay fixed but at least the source has been narrowed down.

libc packages (dpkg -l):

ii  libc-bin                        2.12.1-0ubuntu10.1                Embedded GNU C Library: Binaries
ii  libc6                           2.12.1-0ubuntu10.1                Embedded GNU C Library: Shared libraries


ii  libnss-ldapd                    0.7.6                             NSS module for using LDAP as a naming service

nscd is installed and running.

Running nslcd in debug mode (including trying it with -d specified twice), I'm not seeing any debug output other than what looks like normal calls to nscd (i.e: this for my not-logged-in-at-the-time non-admin user)

testnslcd: [7b23c6] DEBUG: connection from pid=17850 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(jamie)
nslcd: [7b23c6] DEBUG: myldap_search(base="dc=tempe,dc=grindwork,dc=com", filter="(&(objectClass=posixAccount)(uid=jamie))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results

It prints no additional output when invoking group-related functions (chgrp, id, etc.)


# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

On Tue, Feb 8, 2011 at 11:28 AM, Arthur de Jong <arthur [at]> wrote:
On Mon, 2011-02-07 at 20:12 -0700, J. L. Brewer wrote:
> We can only add a user to 8 groups before things start breaking down
> (this includes groups not in ldap such as the one for sudoers).
> Trying to add a user to a 9th group results in them appearing in
> getent and in database queries as normal, but the user does not appear
> to be in the group when they invoke the 'id' command, and they can't
> use file permissions of that group.

I cannot reproduce this at the moment. In my test environment I've just
added a user to 18 groups and everything still works fine. Both
 id user
 groups user
return the correct information. When I log in (using su) and run
I also get the expected information.

Can you provide some more information? Contents of /etc/nsswitch.conf,
any output nslcd -d gives with the groups command, would help as well as
versions of libc, nss-pam-ldapd and whether nscd is running. Also, do
all of the above tests provide the expected information?

The call to get the groups that a user belongs in is different from the
normal getent calls so that could explain the difference. Note that the
groups need to have a different numeric id, otherwise they will not
appear different.

-- arthur - arthur [at] - --

To unsubscribe send an email to or see