'id' does not show secondary groups

Dear group, I have an nslcd client on Debian wheezy using an LDAP database created with SuSE.

Almost everything has worked fine for a while, however I just discovered that secondary groups are not listed with 'id' and thus are also not respected for permission settings.

--- This is /etc/nslcd.conf ---
uid nslcd
gid nslcd
uri ldaps://ldap.csc.univie.ac.at/
base dc=csc,dc=univie,dc=ac,dc=at
map group member uniqueMember

--- /etc/nsswitch.conf ---
passwd:         compat ldap
group:          compat ldap
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files ldap
ethers:         db files
rpc:            db files
netgroup:       nis ldap
aliases:        ldap
passwd_compat:  ldap

nscd is stopped.


This is the LDAP entry of a group the user "axel" should be a secondary member of:

# cscguest, Group, csc.univie.ac.at
dn: cn=cscguest,ou=Group,dc=csc,dc=univie,dc=ac,dc=at
cn: cscguest
gidNumber: 708
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: top
uniqueMember: uid=axel,ou=People,dc=csc,dc=univie,dc=ac,dc=at

This is the LDAP entry of the user axel:

# axel, People, csc.univie.ac.at
dn: uid=axel,ou=People,dc=csc,dc=univie,dc=ac,dc=at
cn: Axel Kittenberger
gidNumber: 707
givenName: Axel
homeDirectory: /csc/axel
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: Kittenberger
uid: axel
uidNumber: 10807
loginShell: /bin/bash
displayName: Axel Kittenberger
userPassword:: ###

The command 'id' yields:

uid=10807(axel) gid=707(csc) groups=707(csc)

and thus misses the secondary group,

while nslcd debugs following:

# nslcd -d
nslcd: DEBUG: add_uri(ldaps://ldap.csc.univie.ac.at/)
nslcd: version 0.8.10 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(107) done
nslcd: DEBUG: setuid(105) done
nslcd: accepting connections

nslcd: [8b4567] DEBUG: connection from pid=26245 uid=10807 gid=707
nslcd: [8b4567] <passwd=10807> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at", filter="(&(objectClass=posixAccount)(uidNumber=10807))")
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_initialize(ldaps://ldap.csc.univie.ac.at/)
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap.csc.univie.ac.at/")
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_result(): uid=axel,ou=People,dc=csc,dc=univie,dc=ac,dc=at
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_result(): end of results (1 total)
nslcd: [7b23c6] DEBUG: connection from pid=26245 uid=10807 gid=707
nslcd: [7b23c6] <group=707> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at", filter="(&(objectClass=posixGroup)(gidNumber=707))")
nslcd: [7b23c6] <group=707> DEBUG: ldap_initialize(ldaps://ldap.csc.univie.ac.at/)
nslcd: [7b23c6] <group=707> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <group=707> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <group=707> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <group=707> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <group=707> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <group=707> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <group=707> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <group=707> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <group=707> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap.csc.univie.ac.at/")
nslcd: [7b23c6] <group=707> DEBUG: ldap_result(): cn=csc,ou=Group,dc=csc,dc=univie,dc=ac,dc=at
nslcd: [7b23c6] <group=707> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] DEBUG: connection from pid=26245 uid=10807 gid=707
nslcd: [3c9869] <group=707> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at", filter="(&(objectClass=posixGroup)(gidNumber=707))")
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [3c9869] <group=707> DEBUG: ldap_result(): cn=csc,ou=Group,dc=csc,dc=univie,dc=ac,dc=at
nslcd: [3c9869] <group=707> DEBUG: ldap_result(): end of results (1 total)

So it does not even seem to look at the secondary groups if there is a member option in there.

However, 'getent group' lists the correct membership:
....
cscguest:*:708:...,axel,....

While nslcd debugs:

nslcd: [334873] DEBUG: connection from pid=26248 uid=10807 gid=707
nslcd: [334873] <group(all)> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at", filter="(objectClass=posixGroup)")
nslcd: [334873] <group(all)> DEBUG: ldap_initialize(ldaps://ldap.csc.univie.ac.at/)
nslcd: [334873] <group(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [334873] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] <group(all)> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] <group(all)> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://ldap.csc.univie.ac.at/")
nslcd: [334873] <group(all)> DEBUG: ldap_result(): cn=cscguest,ou=Group,dc=csc,dc=univie,dc=ac,dc=at
nslcd: [334873] <group(all)> DEBUG: ldap_result(): cn=csc,ou=Group,dc=csc,dc=univie,dc=ac,dc=at
nslcd: [334873] <group(all)> DEBUG: ldap_result(): end of results (5 total)

So, any idea what I'm doing wrong, so that nslcd looks up secondary group memberships for a normal 'id' and for file permission checks?

Thanks!
Kind regards,
Axel
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
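A small diagnostic, added here as an example and not part of the post or of nss-pam-ldapd itself, that makes the discrepancy described above checkable: it parses the LDIF of the directory, collects every posixGroup whose member or uniqueMember attribute names the user's DN (the post's `map group member uniqueMember` makes uniqueMember the relevant attribute), and compares those gidNumbers with the `groups=` list printed by `id`. The LDIF below is constructed from the two entries quoted in the post plus an assumed entry for the primary group `csc` (gid 707), which the post does not show; in practice you would feed it the output of `ldapsearch -LLL` and of `id <user>`.

```python
"""Compare the supplementary groups LDAP grants a user with what id(1) reports.

Example code, not from the nss-pam-ldapd project. The LDIF and id output
are constructed samples based on the mailing-list post.
"""
import base64
import binascii
import re

# Constructed sample: the two entries quoted in the post plus an ASSUMED
# entry for the primary group 'csc' (gid 707), which the post does not show.
SAMPLE_LDIF = """\
# cscguest, Group, csc.univie.ac.at
dn: cn=cscguest,ou=Group,dc=csc,dc=univie,dc=ac,dc=at
cn: cscguest
gidNumber: 708
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: top
uniqueMember: uid=axel,ou=People,dc=csc,dc=univie,dc=ac,dc=at

# csc group (assumed entry, not shown in the post)
dn: cn=csc,ou=Group,dc=csc,dc=univie,dc=ac,dc=at
cn: csc
gidNumber: 707
objectClass: posixGroup
objectClass: top

# axel, People, csc.univie.ac.at
dn: uid=axel,ou=People,dc=csc,dc=univie,dc=ac,dc=at
cn: Axel Kittenberger
gidNumber: 707
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
uid: axel
uidNumber: 10807
"""

# Constructed sample: the id(1) line quoted in the post.
SAMPLE_ID_OUTPUT = "uid=10807(axel) gid=707(csc) groups=707(csc)"

USER_DN = "uid=axel,ou=People,dc=csc,dc=univie,dc=ac,dc=at"


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles '#' comments, folded continuation lines (leading space) and
    base64 values ('attr:: ...'). Attribute names are lower-cased.
    """
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, val = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            try:
                val = base64.b64decode(val).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                pass                           # keep the raw value if not valid base64
        current.setdefault(attr, []).append(val)
    return entries


def expected_gids(entries, user_dn):
    """gidNumbers of posixGroup entries that list user_dn in member or uniqueMember."""
    gids = set()
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixgroup" not in classes:
            continue
        members = {m.lower() for m in e.get("member", []) + e.get("uniquemember", [])}
        if user_dn.lower() in members:
            gids.add(int(e["gidnumber"][0]))
    return gids


def reported_gids(id_output):
    """Supplementary gids from the 'groups=' field of id(1) output."""
    m = re.search(r"groups=(\S+)", id_output)
    if not m:
        return set()
    return {int(g.split("(")[0]) for g in m.group(1).split(",")}


def missing_groups(ldif_text, user_dn, id_output):
    """Groups the directory grants the user that the session does not carry."""
    return sorted(expected_gids(parse_ldif(ldif_text), user_dn) - reported_gids(id_output))


if __name__ == "__main__":
    print("missing supplementary gids:", missing_groups(SAMPLE_LDIF, USER_DN, SAMPLE_ID_OUTPUT))
```

Run it as-is to see gid 708 reported as missing; on a real host, replace the two samples with `ldapsearch -LLL '(objectClass=posixGroup)'` output and the `id` line of the affected user, and a non-empty result means permission decisions on that host are being made with fewer groups than the directory intends.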