Re: cannot find name for group ID on all groups

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Tom Farrow <tom.farrow [at] first-utility.com>
To: Arthur de Jong <arthur [at] arthurdejong.org>
Cc: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Re: cannot find name for group ID on all groups
Date: Fri, 9 Mar 2018 11:35:59 +0000

Hi Arthur

This is the attribute mappings we have:
filter group (objectClass=group)
filter passwd (objectClass=user)
filter shadow (objectClass=user)
map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
nss_nested_groups yes
map passwd gecos displayName
map passwd gidNumber "100"
map passwd homeDirectory "/home/$sAMAccountName"
map passwd loginShell "/bin/bash"
map passwd uid sAMAccountName
map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
map shadow shadowLastChange pwdLastSet
map shadow uid sAMAccountName

You are right, the getend groupid fails, and the others succeed.

RUnning nslcd -d in the foreground makes login fail

tfarrow [at] usmart-jump01-dc1.prod.impello.co.uk's password:
Connection to usmart-jump01-dc1.prod.impello.co.uk closed by remote host.
Connection to usmart-jump01-dc1.prod.impello.co.uk closed.

Thank you for your support

On 5 March 2018 at 17:43, Arthur de Jong <arthur [at] arthurdejong.org> wrote:

On Mon, 2018-03-05 at 16:27 +0000, Tom Farrow wrote:
> Everything is working as expected, apart from groups:
> $ groups tfarrow
> tfarrow : users groups: cannot find name for group ID 1708
> 1708 groups: cannot find name for group ID 1686
> 1686 groups: cannot find name for group ID 2894
> 2894 groups: cannot find name for group ID 1689
> 1689 groups: cannot find name for group ID 1836
> 1836 groups: cannot find name for group ID 2913
> 2913 groups: cannot find name for group ID 1376
> 1376 groups: cannot find name for group ID 1393
> 1393 groups: cannot find name for group ID 1878

It looks like the group ID to group entity lookups do not work. This
means that these probably also fail:

getent group 1708

There could be several causes for this but in general running nslcd in
debugging mode (nslcd -d) should show what it is doing and which LDAP
queries are performed.

Also, nscd can end up caching certain lookups so for debugging purposes
it is generally better to stop it or run nscd -i passwd;nscd -i group
before any tests.

> getent group shows there to be not much of a problem.

getent group GROUPNAME
getent group GROUPID
getent group

all result in different searches to be performed. It seems the second
search fails for some reason.

> Am I missing some piece of configuration? nsswitch.conf looks like
> this:
>
> passwd: compat ldap
> group: files ldap
> shadow: compat ldap
> gshadow: files ldap

Unless you use netgroups in general it is better to use files over
compat because it is a little simpler (but shouldn't cause problems in
this case unless you have entries start with + in /etc/passwd).

So debug output from nslcd may help as well as your attribute mapping
configuration in nslcd.conf.

Kind regards,

--
-- arthur - arthur [at] arthurdejong.org - https://arthurdejong.org/ --

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/

cannot find name for group ID on all groups, Tom Farrow
- Re: cannot find name for group ID on all groups, Tom Farrow
  - Re: cannot find name for group ID on all groups, Arthur de Jong
    - Re: cannot find name for group ID on all groups, Tom Farrow

Prev by Date: Re: cannot find name for group ID on all groups
Next by Date: Re: cannot find name for group ID on all groups
Previous by thread: Re: cannot find name for group ID on all groups
Next by thread: Re: cannot find name for group ID on all groups