Hi List,
I have a strange problem with newgrp. The machine is running SSSD, and user U is a member of groups G1,G2,G3. 'id -a U' correctly shows membership G1,G2,G3. Now the command 'newgrp G1' completes successfully for him, but the command 'newgrp G2' prompts for a password. Any other user who is a member of the same groups does not have a problem with 'newgrp G2'. Just this particular user.
Strace did not unveil anything useful. Does anyone hit the same problem?
Thanks, Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On Wed, 2 Dec 2015, Ondrej Valousek wrote:
> Hi List,
> I have a strange problem with newgrp. The machine is running SSSD, and user U is a member of groups G1,G2,G3. 'id -a U' correctly shows membership G1,G2,G3. Now the command 'newgrp G1' completes successfully for him, but the command 'newgrp G2' prompts for a password. Any other user who is a member of the same groups does not have a problem with 'newgrp G2'. Just this particular user.
> Strace did not unveil anything useful. Does anyone hit the same problem?
Does getent group G2 show them to be a member? AFAIK newgrp/chgrp do things backwards.
jh
Yes! You were right - thanks for the tip! 'getent group' does not list him as a member, but 'groups' and 'id -a' commands do.
Now why? Tried 'sss_cache -u U && sss_cache -g G2' but did not help.
Ondrej
-----Original Message----- From: John Hodrien [mailto:J.H.Hodrien@leeds.ac.uk] Sent: Wednesday, December 02, 2015 1:35 PM To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: [SSSD-users]Re: newgrp problem
> Does getent group G2 show them to be a member? AFAIK newgrp/chgrp do things backwards.
On 02 Dec 2015, at 13:42, Ondrej Valousek ondrej.valousek@s3group.com wrote:
> Yes! You were right - thanks for the tip! 'getent group' does not list him as a member, but 'groups' and 'id -a' commands do.
> Now why?
do you use ignore_group_members=True?
> Tried 'sss_cache -u U && sss_cache -g G2' but did not help.
> Ondrej
No. I do not. The only help seems to be:
# service sssd stop
# rm -rf /var/lib/sssd/db/*
# service sssd start
Pretty annoying bug, I have to say. Question: After I do 'rm -rf /var/lib/sssd/db/*' and restart SSSD, will the daemon continue refreshing Kerberos TGTs for my users?
Thanks, Ondrej
-----Original Message----- From: Jakub Hrozek [mailto:jhrozek@redhat.com] Sent: Wednesday, December 02, 2015 10:08 PM To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: [SSSD-users]Re: newgrp problem
> do you use ignore_group_members=True?
On Thu, Dec 03, 2015 at 08:42:56AM +0000, Ondrej Valousek wrote:
> No. I do not. The only help seems to be:
> # service sssd stop
> # rm -rf /var/lib/sssd/db/*
> # service sssd start
If you can't resolve users with the default settings, then it's either a misconfiguration or a bug that should be fixed.
> Pretty annoying bug, I have to say. Question: After I do 'rm -rf /var/lib/sssd/db/*' and restart SSSD, will the daemon continue refreshing Kerberos TGTs for my users?
> Thanks, Ondrej
Well, if it was the misconfiguration issue, the procedure below would not help, right? So it must be a bug. Question: After I do 'rm -rf /var/lib/sssd/db/*' and restart SSSD, will the daemon continue refreshing Kerberos TGTs for my users?
Thanks, Ondrej
-----Original Message----- From: Jakub Hrozek [mailto:jhrozek@redhat.com] Sent: Thursday, December 03, 2015 9:49 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users]Re: newgrp problem
> On Thu, Dec 03, 2015 at 08:42:56AM +0000, Ondrej Valousek wrote:
>> No. I do not. The only help seems to be:
>> # service sssd stop
>> # rm -rf /var/lib/sssd/db/*
>> # service sssd start
> If you can't resolve users with the default settings, then it's either a misconfiguration or a bug that should be fixed.
On Thu, Dec 03, 2015 at 08:55:07AM +0000, Ondrej Valousek wrote:
> Well, if it was the misconfiguration issue, the procedure below would not help, right?
Depends on the configuration, i.e. the member attribute might be misconfigured, the schema could be incorrect etc.
> So it must be a bug.
If you think it's a bug, please file one in SSSD trac.
> Question: After I do 'rm -rf /var/lib/sssd/db/*' and restart SSSD, will the daemon continue refreshing Kerberos TGTs for my users?
No, the Kerberos principals to renew are read from the DB on startup.
> Thanks, Ondrej
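The comparison suggested in the thread ('getent group' against 'id -a'), written out as a script. This is an added example, not part of the original messages: it compares the initgroups view with each group's member list and returns the groups where the two disagree. User U and groups G1 to G3 come from the thread; the primary group "users", the second user "V" and all function names are constructed for illustration.

```python
import grp
import os
import pwd
import sys

# Constructed sample mirroring the thread: U is in G1, G2, G3 according to
# 'id', but the member list of G2 does not name U. The primary group "users"
# and the second user "V" are invented for the example.
SAMPLE_ID_VIEW = ["users", "G1", "G2", "G3"]
SAMPLE_MEMBER_LISTS = {"users": [], "G1": ["U", "V"], "G2": ["V"], "G3": ["U"]}


def compare_views(user, primary_group, id_view, member_lists):
    """Compare the two membership views for one user.

    id_view:      group names from the initgroups lookup ('id -Gn user').
    member_lists: {group: members} as printed by 'getent group <group>'.
    The primary group is skipped because it comes from the passwd entry and
    its member list normally does not name the user.
    """
    id_only = sorted(
        g for g in id_view
        if g != primary_group and user not in member_lists.get(g, [])
    )
    list_only = sorted(
        g for g, members in member_lists.items()
        if user in members and g not in id_view
    )
    return {"id_only": id_only, "member_list_only": list_only}


def live_views(user):
    """Collect both views from NSS on the running system.

    Only groups returned by the initgroups lookup are fetched, so on live
    data 'member_list_only' stays empty; 'id_only' is the interesting list.
    """
    pw = pwd.getpwnam(user)  # KeyError if the user cannot be resolved
    id_view, member_lists, primary = [], {}, None
    for gid in os.getgrouplist(user, pw.pw_gid):
        try:
            entry = grp.getgrgid(gid)
        except KeyError:
            continue  # GID returned by initgroups but no group entry for it
        id_view.append(entry.gr_name)
        member_lists[entry.gr_name] = list(entry.gr_mem)
        if gid == pw.pw_gid:
            primary = entry.gr_name
    return primary, id_view, member_lists


def main(argv):
    if len(argv) > 1:
        user = argv[1]
        primary, id_view, member_lists = live_views(user)
    else:
        # No user given: run on the constructed sample above.
        user, primary = "U", "users"
        id_view, member_lists = SAMPLE_ID_VIEW, SAMPLE_MEMBER_LISTS
    result = compare_views(user, primary, id_view, member_lists)
    for group in result["id_only"]:
        print(f"{user}: in '{group}' per id, missing from its member list")
    for group in result["member_list_only"]:
        print(f"{user}: named in '{group}' member list, absent from id")
    return 1 if result["id_only"] or result["member_list_only"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with a user name to query the live NSS stack; a non-empty `id_only` list is the state reported in the thread, where 'newgrp G2' asked for a password.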