Hi,
For some users I experience inconsistent group membership, i.e. "getent group G" does not list user U as a member, but "id -a U" command shows the group G. Is that normal or a known issue?
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On Mon, Jun 12, 2017 at 12:20:24PM +0000, Ondrej Valousek wrote:
> Hi,
> For some users I experience inconsistent group membership, i.e. "getent group G" does not list user U as a member, but "id -a U" command shows the group G. Is that normal or a known issue?
This can be normal, depending on the group nesting. "getent group" only processes the group members down to a certain nesting level (see ldap_group_nesting_level). This is because normally the getent group output is not used by anything authoritative and at the same time, processing all group members can be quite expensive.
On the other hand, the result of initgroups (id -G) is used to establish the list of the supplementary groups the user is a member of, so it's crucial it's correct and contains all the groups.
So the first thing I would try is to check how deep the member is in the hierarchy starting from the group you are resolving by getent group. If it's two or more levels, try increasing the nesting limit. Otherwise, I would say it would be a bug.
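The comparison discussed above, as an added example that is not part of the original thread: a POSIX shell check that compares the member list printed by "getent group" with the initgroups result from "id -Gn" for the users you name. The function names are made up for this example, and group names containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): report users whose membership in a
# group differs between "getent group" and initgroups ("id -Gn").

# in_list NEEDLE SEP LIST -> success if NEEDLE is an exact element of LIST
in_list() {
    case "$2$3$2" in
        *"$2$1$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify GETENT_LINE ID_GROUPS GROUP USER
#   GETENT_LINE: "name:passwd:gid:member1,member2" as printed by getent
#   ID_GROUPS:   space-separated group names as printed by "id -Gn"
classify() {
    members=${1##*:}    # fourth field: comma-separated member list
    in_getent=no
    in_id=no
    in_list "$4" "," "$members" && in_getent=yes
    in_list "$3" " " "$2" && in_id=yes
    case "$in_getent/$in_id" in
        yes/yes|no/no) echo consistent ;;
        no/yes) echo missing-from-getent ;;      # the symptom in this thread
        yes/no) echo missing-from-initgroups ;;  # initgroups is authoritative
    esac
}

# check_group GROUP USER... : query NSS on this host, one result per user
check_group() {
    group=$1; shift
    line=$(getent group "$group") || { echo "no such group: $group" >&2; return 2; }
    rc=0
    for user in "$@"; do
        ids=$(id -Gn "$user" 2>/dev/null) || { echo "$user: unknown user"; rc=1; continue; }
        result=$(classify "$line" "$ids" "$group" "$user")
        echo "$user: $result"
        [ "$result" = consistent ] || rc=1
    done
    return $rc
}

# Example invocation: sh check_membership.sh G U1 U2
if [ $# -ge 2 ]; then
    check_group "$@"
fi
```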
Thanks,
We talk about a single nesting level so it is likely a bug. The truth is that 'id -a' always shows correct information so this is more like a nuisance rather than a bug affecting production. Also sss_cache -g G does not help, but restarting sssd & deleting the cache does help.
Hard to replicate so just an FYI that it happens.
Ondrej
On 12 June 2017 at 23:23, Ondrej Valousek Ondrej.Valousek@s3group.com wrote:
> Thanks,
> We talk about a single nesting level so it is likely a bug. The truth is that 'id -a' always shows correct information so this is more like a nuisance rather than a bug affecting production. Also sss_cache -g G does not help, but restarting sssd & deleting the cache does help.
> Hard to replicate so just an FYI that it happens.
Ondrej,
Can I ask which version of sssd you are running?
cheers
L.
------ "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and dreams."
- Patrisse Cullors, *Black Lives Matter founder*
Hello,
I am running sssd-1.13.3-22.el6_8.4.x86_64
Cheers,
Ondrej
Ondrej,
If you have a dev server or something you can test using the latest sssd
https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-15/
I feel like we were seeing a similar issue and it was fixed in either the 1.13/1.14 or 1.14/1.15 transition.
Cheers
L.
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org