Re: 'id' does not show secondary groups
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Axel Kittenberger <axel.kittenberger [at] univie.ac.at>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: 'id' does not show secondary groups
- Date: Tue, 1 Oct 2013 10:25:38 +0200 (CEST)
On Mon, 30 Sep 2013, Axel Kittenberger wrote:
> --- /etc/nsswitch.conf ---
> passwd: compat ldap
> group: compat ldap
> shadow: compat
> passwd_compat: ldap
Any particular reason you are using compat? The semantics of "files ldap"
are somewhat simpler. Unless you are using netgroups (lines starting with
+ in /etc/passwd) I would recommend against using compat if you run into
trouble.
> nscd is stopped.
Debian also has unscd. Are you sure that is also stopped?
> The command 'id' yields:
> uid=10807(axel) gid=707(csc) groups=707(csc)
> and thus misses the secondary group
> while nslcd debugs following:
> # nslcd -d
> nslcd: [8b4567] DEBUG: connection from pid=26245 uid=10807 gid=707
> nslcd: [8b4567] <passwd=10807> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at",
> filter="(&(objectClass=posixAccount)(uidNumber=10807))")
> nslcd: [8b4567] <passwd=10807> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [7b23c6] DEBUG: connection from pid=26245 uid=10807 gid=707
> nslcd: [7b23c6] <group=707> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at",
> filter="(&(objectClass=posixGroup)(gidNumber=707))")
> nslcd: [7b23c6] <group=707> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [3c9869] DEBUG: connection from pid=26245 uid=10807 gid=707
> nslcd: [3c9869] <group=707> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at",
> filter="(&(objectClass=posixGroup)(gidNumber=707))")
> nslcd: [3c9869] <group=707> DEBUG: ldap_result(): end of results (1 total)
> So it does not even seem to look at the secondary groups if there is a
> member option in there.
Indeed. However, there is a big difference between running plain "id" and
"id -a username". The first examines the current process information and
sees which uid, gid and auxiliary groups are assigned, while the second does
a lookup of this information from /etc/passwd and LDAP.
So the requests you see in the debug output above are only from the first
variation.
Whether the lookups are working fine can probably be best tested with the
"groups" command.
> So any idea what I'm doing wrong so that nslcd looks up secondary group
> memberships in normal 'id' and file permission checks?
It could be that you have to log in again because the secondary groups are
only assigned on logins.
Thanks for the detailed information, makes this easy to check.
Kind regards,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
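The distinction Arthur draws above, between what plain "id" reports (the supplementary groups stored in the process's credentials, fixed by initgroups() at login) and what "id -a username" or "groups" reports (a fresh lookup through nsswitch.conf, answered by files and nslcd), can be checked directly. The program below is an added example for this archive page; it is not code from the thread or from nss-pam-ldapd. It assumes only POSIX getgroups()/getegid() and the glibc/BSD getgrouplist() and getgrgid() calls, and it reports every group the NSS lookup grants that the current session does not carry.

```c
/* Added example: compare the supplementary groups of this process (what
 * plain "id" shows) with a fresh NSS lookup for the same user (what
 * "id -a user" and "groups user" show).  Groups present in the lookup
 * but absent from the process are exactly the ones a new login would pick
 * up; it is an illustration, not part of nss-pam-ldapd. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Is gid g present among the first n entries of set[]? */
static int contains(const gid_t *set, size_t n, gid_t g)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == g)
            return 1;
    return 0;
}

/* Copy into missing[] (at most max entries) every distinct gid that appears
 * in lookup[] but not in proc[]; return how many were stored.  Duplicates
 * in lookup[] are reported once.  Pure function, so it can be exercised on
 * constructed data without touching the real NSS configuration. */
size_t missing_groups(const gid_t *proc, size_t nproc,
                      const gid_t *lookup, size_t nlookup,
                      gid_t *missing, size_t max)
{
    size_t nmissing = 0;
    for (size_t i = 0; i < nlookup; i++) {
        gid_t g = lookup[i];
        if (contains(proc, nproc, g) || contains(missing, nmissing, g))
            continue;
        if (nmissing < max)
            missing[nmissing++] = g;
    }
    return nmissing;
}

int main(void)
{
    /* 1. Credentials of this process: what plain "id" reports.  They were
     *    set by initgroups() at login and do not change afterwards. */
    int n = getgroups(0, NULL);
    if (n < 0) { perror("getgroups"); return 1; }
    gid_t *proc = calloc((size_t)n + 1, sizeof *proc);
    if (!proc) { perror("calloc"); return 1; }
    n = getgroups(n, proc);
    if (n < 0) { perror("getgroups"); return 1; }
    proc[n++] = getegid();   /* POSIX lets getgroups() omit the effective gid */

    /* 2. A fresh NSS lookup for the same user: what "id -a user" and
     *    "groups user" report, answered through nsswitch.conf. */
    struct passwd *pw = getpwuid(getuid());
    if (!pw) { fprintf(stderr, "no passwd entry for uid %u\n", (unsigned)getuid()); return 1; }
    int nlookup = 16;
    gid_t *lookup = calloc((size_t)nlookup, sizeof *lookup);
    if (!lookup) { perror("calloc"); return 1; }
    if (getgrouplist(pw->pw_name, pw->pw_gid, lookup, &nlookup) == -1) {
        /* -1 means the buffer was too small; nlookup now holds the needed size. */
        gid_t *bigger = realloc(lookup, (size_t)nlookup * sizeof *lookup);
        if (!bigger) { perror("realloc"); return 1; }
        lookup = bigger;
        if (getgrouplist(pw->pw_name, pw->pw_gid, lookup, &nlookup) == -1) {
            fprintf(stderr, "getgrouplist failed\n");
            return 1;
        }
    }

    /* 3. Report groups the lookup grants but this session does not carry. */
    gid_t missing[64];
    size_t nm = missing_groups(proc, (size_t)n, lookup, (size_t)nlookup, missing, 64);
    if (nm == 0) {
        printf("process credentials match the NSS lookup for %s\n", pw->pw_name);
    } else {
        printf("%zu group(s) returned by NSS but not in this session for %s"
               " (a new login would pick them up):\n", nm, pw->pw_name);
        for (size_t i = 0; i < nm; i++) {
            struct group *gr = getgrgid(missing[i]);
            printf("  gid=%u(%s)\n", (unsigned)missing[i], gr ? gr->gr_name : "?");
        }
    }
    free(proc);
    free(lookup);
    return 0;
}
```

Build with `cc -o groupcheck groupcheck.c` and run it as the affected user in the session under investigation. An empty difference means the session already carries everything the directory grants; a non-empty one matches the "log in again" diagnosis, since the lookup side (files and nslcd) is answering correctly while the process credentials predate the change.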