Hi Sumit,
I have run those commands and both show the same amount of memberOf
attributes. At first, with a nested group there were 143 so for a test with
fewer groups, I removed the nested group but the result is the same. With
20 groups, and sssd cache destructively cleared and sssd restarted, the
groups reach the ipa command and the ldapsearch fine but not id/groups
commands.
Alfred
On Wed, Jun 17, 2020 at 1:39 AM Sumit Bose <sbose(a)redhat.com> wrote:
On Tue, Jun 16, 2020 at 05:12:09PM -0500, Alfred Victor via FreeIPA-users wrote:
> I should note the problem exists on latest CentOS7 with fully up to date
> rpms on both client/server.
>
> Alfred
>
> On Tue, Jun 16, 2020 at 3:02 PM Alfred Victor <alvic266(a)gmail.com> wrote:
>
> > Hi all,
> >
> > We have built a FreeIPA system and used ipa migrate-ds to migrate and are
> > testing the environment; however, we have a stubbornly persistent issue with
> > the gid array from posix commands or when dealing with filesystem ownerships.
> > When I create a user in IPA, then add some groups, the issue is immediately
> > present. In this case these first two below are missing a group ("testers"):
> >
> > [alvic@HOD28 ~]$ id ipatest
> >
> > uid=464200021(ipatest) gid=464200021(ipatest)
> > groups=464200021(ipatest),464200000(admins)
> >
> > And another:
> >
> > [alvic@NODE-1-1 ~]$ id ipatest
> >
> > uid=464200021(ipatest) gid=464200021(ipatest)
> > groups=464200021(ipatest),464200000(admins)
> >
> >
> > More commonly, this is the case where only primary gid is returned, and
> > both groups are missing:
> >
> >
> > [alvic@NODE-1-2 ~]$ id ipatest
> >
> > uid=464200021(ipatest) gid=464200021(ipatest) groups=464200021(ipatest)
> >
> >
> >
> > The client systems were each provisioned like so, and we have also tested
> > and found this issue on a totally up to date new CentOS 7 system:
> >
> >
> > ipa-client-install -U -q -p [redacted] --domain=redacted.com --server=ipa.redacted.com --fixed-primary --force-join
> >
> >
> >
> > We have also attempted a full update of the IPA server via yum update and
> > restarted it but the issue is incredibly common. We have also enabled sssd
> > debuglevel 7 and I noted the following line:
> >
> >
> >
> > (Tue Jun 16 10:01:09 2020) [sssd[be[redacted.com]]] [sdap_save_user]
> > (0x0400): Original memberOf is not available for [ipatest(a)redacted.com].
> >
> >
> > Worth noting that groups display fine for a user, without fail, only if
> > using "ipa user-show"
Hi,
there might be a permission issue when reading the memberOf attribute.
Can you first check if memberOf attributes are shown if you call:
ipa user-show --all --raw ipatest
The next step is to check ldapsearch:
kdestroy -A
kinit -k
ldapsearch -Y GSSAPI -b 'uid=ipatest,cn=users,cn=accounts,dc=your,dc=ipa,dc=domain'
You can copy the DN ('uid=ipatest,cn=...') from the first line of the
'ipa user-show' output. Please check if ldapsearch returns the same
memberOf attributes as 'ipa user-show'.
bye,
Sumit
> >
> >
> >
> > Alfred
> >
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
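The comparison Sumit asks for (memberOf as returned by ldapsearch versus the group list `id` prints on a client) is easy to get wrong by eye once a user has dozens of memberOf values, because memberOf also carries non-group entries (permissions, roles, HBAC rules) and non-POSIX groups that `id` will never show. The script below is an added example, not code from this thread or from the FreeIPA/SSSD projects: it unfolds LDIF continuation lines, keeps only `cn=...,cn=groups,cn=accounts,...` DNs, drops groups known to be non-POSIX, and reports which remaining groups are absent from the `id` output. The LDIF and `id` lines are constructed samples (domain `dc=example,dc=test`, gid numbers copied from the report), and the assumption that `ipausers` is the only non-POSIX group reflects a default FreeIPA install; adjust the set to your environment.

```python
"""Compare memberOf groups from an ldapsearch (LDIF) of a FreeIPA user entry
against the groups reported by `id` on a client, and list what sssd dropped.

Added example for this thread; not FreeIPA or SSSD project code.
"""
import re
from typing import Iterable, List, Set

# Constructed sample of `ldapsearch -Y GSSAPI -b 'uid=ipatest,...'` output.
# LDIF folds long values: a continuation line starts with a single space.
SAMPLE_LDIF = """\
dn: uid=ipatest,cn=users,cn=accounts,dc=example,dc=test
uid: ipatest
uidNumber: 464200021
gidNumber: 464200021
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
memberOf: cn=testers,cn=groups,cn=accounts,dc=example,
 dc=test
memberOf: cn=System: Read User Addressbook Attributes,cn=permissions,cn=pbac,dc=example,dc=test
"""

# Constructed sample of `id ipatest` on a client, mirroring the report:
# the "testers" group is missing.
SAMPLE_ID = ("uid=464200021(ipatest) gid=464200021(ipatest) "
             "groups=464200021(ipatest),464200000(admins)")

# Assumption: groups that exist in LDAP but are non-POSIX (no gidNumber) and
# therefore never appear in `id` output. ipausers is non-POSIX by default.
NON_POSIX_GROUPS = frozenset({"ipausers"})

# Only DNs directly under the IPA groups container count as groups.
GROUP_DN_RE = re.compile(r"^cn=([^,]+),cn=groups,cn=accounts,", re.IGNORECASE)


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def groups_from_ldif(text: str) -> Set[str]:
    """Return the group cn values found in memberOf attributes of an LDIF entry."""
    groups: Set[str] = set()
    for line in unfold_ldif(text):
        attr, sep, value = line.partition(":")
        # Attribute names are case-insensitive; ipa --raw prints 'memberof'.
        if not sep or attr.strip().lower() != "memberof":
            continue
        match = GROUP_DN_RE.match(value.strip())
        if match:
            groups.add(match.group(1))
    return groups


def groups_from_id(text: str) -> Set[str]:
    """Parse the groups=gid(name),... part of `id` output into a set of names."""
    match = re.search(r"groups=(\S+)", text)
    if not match:
        return set()
    names: Set[str] = set()
    for item in match.group(1).split(","):
        m = re.fullmatch(r"\d+\((.+)\)", item)
        if m:
            # Strip a domain suffix if sssd uses fully qualified names.
            names.add(m.group(1).split("@", 1)[0])
    return names


def missing_groups(ldif_text: str, id_text: str,
                   non_posix: Iterable[str] = NON_POSIX_GROUPS) -> List[str]:
    """Groups present in LDAP memberOf that a POSIX lookup should show but does not."""
    expected = groups_from_ldif(ldif_text) - set(non_posix)
    present = groups_from_id(id_text)
    return sorted(expected - present)


if __name__ == "__main__":
    for name in missing_groups(SAMPLE_LDIF, SAMPLE_ID):
        print(f"group in LDAP memberOf but missing from id output: {name}")
```

In use, replace the two samples with the real `ldapsearch` output and the `id` output captured on the affected client (after `sss_cache -E` or a cache reset, so the comparison is against a fresh lookup). If the script reports nothing missing, the group list is intact at the LDAP layer and the client, and the discrepancy lies elsewhere; if groups are reported missing while the same ldapsearch run as the sssd host principal (`kinit -k` as in Sumit's steps) does show them, that points at sssd's own processing rather than at read permissions on memberOf.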