Re: 'id' does not show secondary groups
- From: Axel Kittenberger <axel.kittenberger [at] univie.ac.at>
- To: Arthur de Jong <arthur [at] arthurdejong.org>
- Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: 'id' does not show secondary groups
- Date: Tue, 1 Oct 2013 10:35:13 +0200
> It could be that you have to log in again because the secondary groups are only assigned on logins.
Ahh! This is what I didn't get, I fixed the uniqueName mapping yesterday, but didn't relog. Works fine today!
Thank you!
- Axel
On Tue, Oct 1, 2013 at 10:25 AM, Arthur de Jong <arthur [at] arthurdejong.org> wrote:
On Mon, 30 Sep 2013, Axel Kittenberger wrote:
--- /etc/nsswitch.conf ---
passwd_compat: ldap
passwd: compat ldap
group: compat ldap
shadow: compat
Any particular reason you are using compat? The semantics of "files ldap" are somewhat simpler. Unless you are using netgroups (lines starting with + in /etc/passwd) I would recommend against using compat if you run into trouble.
nscd is stopped.
Debian also has unscd. Are you sure that is also stopped?
The command 'id' yields:
uid=10807(axel) gid=707(csc) groups=707(csc)
and thus misses the secondary group
while nslcd debugs following:
# nslcd -d
nslcd: [8b4567] DEBUG: connection from pid=26245 uid=10807 gid=707
nslcd: [8b4567] <passwd=10807> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at", filter="(&(objectClass=posixAccount)(uidNumber=10807))")
nslcd: [8b4567] <passwd=10807> DEBUG: ldap_result(): end of results (1 total)
nslcd: [7b23c6] DEBUG: connection from pid=26245 uid=10807 gid=707
nslcd: [7b23c6] <group=707> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at", filter="(&(objectClass=posixGroup)(gidNumber=707))")
nslcd: [7b23c6] <group=707> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] DEBUG: connection from pid=26245 uid=10807 gid=707
nslcd: [3c9869] <group=707> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at", filter="(&(objectClass=posixGroup)(gidNumber=707))")
nslcd: [3c9869] <group=707> DEBUG: ldap_result(): end of results (1 total)
So it does not even seem to look at the secondary groups if there is a member option in there.
Indeed. However, there is a big difference between running plain "id" and "id -a username". The first examines the current process information and sees which uid, gid and auxiliary groups are assigned while the second does a lookup of this information from /etc/passwd and LDAP.
So the requests you see in the debug output above are only from the first variation.
Whether the lookups are working fine can probably be best tested with the "groups" command.
It could be that you have to log in again because the secondary groups are only assigned on logins.
So any idea what I'm doing wrong so nslcd looks up for secondary group memberships in normal 'id' and file permission checks?
Thanks for the detailed information, makes this easy to check.
Kind regards,
--
-- arthur - arthur [at] arthurdejong.org - http://arthurdejong.org/ --
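
The difference between plain "id" (credentials already attached to the process) and "id username" (a fresh lookup through NSS) can be checked directly. The script below is an added example, not part of the original thread or of nss-pam-ldapd; the function names diff_groups and current_session are this example's own.

```python
import os
import pwd

# Added example: function names are hypothetical, not from nss-pam-ldapd.


def diff_groups(process_gids, nss_gids):
    """Compare the process's group list with the NSS database's answer.

    Returns (pending, stale):
      pending - in NSS (files/LDAP) but not in the process; needs a new login
      stale   - in the process but no longer in NSS; lasts until the session ends
    """
    process_gids, nss_gids = set(process_gids), set(nss_gids)
    return sorted(nss_gids - process_gids), sorted(process_gids - nss_gids)


def current_session():
    """Collect both views for the calling process."""
    # What plain `id` reports: groups fixed when the session was created.
    process_gids = set(os.getgroups()) | {os.getgid()}
    # What `id <username>` reports: a lookup via nsswitch.conf (files, LDAP).
    entry = pwd.getpwuid(os.getuid())
    nss_gids = set(os.getgrouplist(entry.pw_name, entry.pw_gid))
    return entry.pw_name, process_gids, nss_gids


if __name__ == "__main__":
    user, proc, nss = current_session()
    pending, stale = diff_groups(proc, nss)
    print(f"{user}: process groups {sorted(proc)}, NSS groups {sorted(nss)}")
    if pending:
        print(f"  not active yet, log in again to pick up: {pending}")
    if stale:
        print(f"  still active in this session but gone from NSS: {stale}")
    if not pending and not stale:
        print("  session matches the NSS database")
```

The same comparison matters in the other direction: a group removed in LDAP stays in effect for sessions that were opened before the change.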