RSS feed

Re: ldap-authorised group membership limit stuck at 8

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: ldap-authorised group membership limit stuck at 8

On Tue, 2011-02-08 at 14:27 -0700, J. L. Brewer wrote:
> On a possibly related (but as likely not) note, my admin user account
> is being listed by 'groups' as being a member of a recently created
> usergroup, although they're not placed there by ldap or /etc/group and
> doesn't appear as such in getent - yet I can do file operations as if
> I belonged to it.

Note that groups without arguments shows the groups of the current
process and does not look up group information. As such your groups will
only change if you re-login. If you moved gids around a bit you could
end up with a weird group list for your logged-in user.

> It didn't change anything for my other users, but restarting nscd did.
> I'm not sure if it will stay fixed but at least the source has been
> narrowed down.

nscd is known to cause problems and you should definitely disable it
while debugging. nscd may cache positive as well as negative lookups
showing weird behaviour. Also, many people have reported various
problems with nscd and if you really need caching you could consider
unscd instead.

> It prints no additional output when invoking group-related functions
> (chgrp, id, etc.)

When nscd is running this is normal.
> nsswitch.conf:
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat ldap

Any particular reason you're using compat instead of files? I've run in
to some slight differences between compat and files in some cases. I've
just tested with compat instead of files and my test user is still in
all 18 groups.

-- arthur - - --

To unsubscribe send an email to or see