Re: 'id' does not show secondary groups




> It could be that you have to log in again because the secondary groups are only assigned on logins.

Ahh! This is what I didn't get, I fixed the uniqueName mapping yesterday, but didn't relog. Works fine today!

Thank you!
- Axel


On Tue, Oct 1, 2013 at 10:25 AM, Arthur de Jong <arthur [at] arthurdejong.org> wrote:
On Mon, 30 Sep 2013, Axel Kittenberger wrote:
> --- /etc/nsswitch.conf ---
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat
> passwd_compat:  ldap

Any particular reason you are using compat? The semantics of "files ldap" are somewhat simpler. Unless you are using netgroups (lines starting with + in /etc/passwd) I would recommend against using compat if you run into trouble.

> nscd is stopped.

Debian also has unscd. Are you sure that is also stopped?

> The command 'id' yields:
> uid=10807(axel) gid=707(csc) groups=707(csc)
> and thus misses the secondary group
>
> while nslcd debugs following:
>
> # nslcd -d
> nslcd: [8b4567] DEBUG: connection from pid=26245 uid=10807 gid=707
> nslcd: [8b4567] <passwd=10807> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at", filter="(&(objectClass=posixAccount)(uidNumber=10807))")
> nslcd: [8b4567] <passwd=10807> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [7b23c6] DEBUG: connection from pid=26245 uid=10807 gid=707
> nslcd: [7b23c6] <group=707> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at", filter="(&(objectClass=posixGroup)(gidNumber=707))")
> nslcd: [7b23c6] <group=707> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [3c9869] DEBUG: connection from pid=26245 uid=10807 gid=707
> nslcd: [3c9869] <group=707> DEBUG: myldap_search(base="dc=csc,dc=univie,dc=ac,dc=at", filter="(&(objectClass=posixGroup)(gidNumber=707))")
> nslcd: [3c9869] <group=707> DEBUG: ldap_result(): end of results (1 total)
>
> So it does not even seem to look at the secondary groups if there is a member option in there.

Indeed. However, there is a big difference between running plain "id" and "id -a username". The first examines the current process information and sees which uid, gid and auxiliary groups are assigned while the second does a lookup of this information from /etc/passwd and LDAP.

So the requests you see in the debug output above are only from the first variation.

Whether the lookups are working fine can probably be best tested with the "groups" command.

> So any idea what I'm doing wrong so nslcd looks up for secondary group memberships in normal 'id' and file permission checks?

It could be that you have to log in again because the secondary groups are only assigned on logins.

Thanks for the detailed information, makes this easy to check.

Kind regards,

--
-- arthur - arthur [at] arthurdejong.org - http://arthurdejong.org/ --
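The distinction Arthur draws above (plain `id` reports the credentials the process was given at login, while `id -a user` and `groups` query the NSS databases) can be turned into a quick staleness check. The script below is an added example, not code from the thread or from nss-pam-ldapd; it assumes `getent` and `id -G` are available and compares the running session's supplementary groups with what the group database currently grants, which is exactly what differs until a user logs in again.

```shell
#!/bin/sh
# Added example (not from the thread): compare the supplementary groups the
# current process actually carries (what plain `id` reports) with the groups the
# NSS group database currently lists for the user (what `id -a user` / `groups`
# look up through files, LDAP via nslcd, etc.). A mismatch means the session's
# credentials are stale: group changes made after login do not reach existing
# processes, so file permission checks keep using the old membership.

# Groups the NSS database currently grants to a user: primary gid plus every
# group whose member list names the user. Prints a sorted, space-separated
# gid list.
db_groups() {
    user=$1
    gid=$(getent passwd "$user" | cut -d: -f4)
    {
        echo "$gid"
        getent group | awk -F: -v u="$user" '{
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $3
        }'
    } | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Groups the running process carries (assigned by initgroups() at login).
proc_groups() {
    id -G | tr ' ' '\n' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Returns 0 when the session matches the database, 1 when it is stale.
check_stale() {
    user=$(id -un)
    have=$(proc_groups)
    want=$(db_groups "$user")
    if [ "$have" = "$want" ]; then
        echo "session groups match database: $have"
        return 0
    fi
    echo "stale session: process has [$have], database grants [$want]; log in again"
    return 1
}
```

Run it as the affected user; a non-zero exit with both lists printed is the "fixed the mapping but did not relog" situation from this thread.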
