All of the groups are POSIX groups; all have a gid assigned.

groupa gid: 2044
groupb gid: 2000

  dn: cn=groupa,cn=groups,cn=accounts,dc=test,dc=example
  cn: groupa
  gidnumber: 2044
  member: cn=groupb,cn=groups,cn=accounts,dc=test,dc=example

  dn: cn=groupb,cn=groups,cn=accounts,dc=test,dc=example
  cn: groupb
  gidnumber: 2000

So when I went to grab the logs for "id" it shows the proper groups as I would expect. I have literally changed nothing else. I did do an "sss_cache -E" and restart sssd yesterday so I have no idea why this is working now. I will test more and see if I can replicate the issue.

On Tue, May 19, 2020 at 9:28 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 19 May 2020, Mark Potter via FreeIPA-users wrote:
>While I have seen similar posts to the list while digging through the
>archive, I cannot find this question specifically answered. We are coming
>from OpenLDAP and migrating to FreeIPA on CentOS 7.5. We are using indirect
>memberships to make this migration easier as we are moving from an
>organically grown OpenLDAP to a very structured FreeIPA implementation.
>What seems to be happening is that indirect memberships don't show using
>the standard Linux tools. Using either "id" or "groups" doesn't show any
>indirect memberships yet the permissions seem to still work properly. This
>is causing some confusion with our team.
>
>Group B is a member of Group A and the user is also a direct member of
>groups C and D.  When using "id" for a given user it returns B, C, D and
>not A. However I can create a file owned by user root and group A with 550
>permissions and the user can view the contents of the file. "ipa user-show"
>shows the proper memberships with A being an indirect membership.
>
>Is this the expected behavior when using indirect memberships? If so, does
>one abandon the standard CLI tool and use only ipa commands? I am fully
>aware this could be a configuration issue but I have yet to find the
>correct configuration to expose indirect membership to the standard Linux
>tools.

Can you give more concrete logs and examples? Are all of those A, B, C, D groups
POSIX groups, i.e. do they have gidNumber assigned? I don't need to see
the whole entries for them but at least enough output of

$ ipa group-show A --all --raw

that shows 'member' for a user and indirect group membership, along with
'objectclass' list and gidNumber. Same for B, C, D groups.

Please also use SSSD troubleshooting guide to generate debug logs that show
which groups the user actually belongs to during the request you did
(like 'id ..').

https://sssd.github.io/docs/users/troubleshooting.html


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland



--

Mark Potter
Senior Linux Administrator
DownUnder GeoSolutions
16200 Park Row Drive, Suite 100
Houston TX 77084, USA
tel +1 832 582 3221
markp@dug.com
www.dug.com
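An added example, not part of the thread or of FreeIPA/SSSD, that turns Alexander's question into a check: from the raw group entries (the groupa/groupb LDIF above, plus an assumed user `alice` and an assumed gid-less `nonposix` group), compute every POSIX group the user should resolve to through direct and nested `member` links, then diff that against what `id` actually printed.

```python
import re
from collections import deque
# Constructed LDIF sample: the thread's groupa/groupb nesting plus an assumed
# user 'alice' and a gid-less 'nonposix' group (neither is from the thread).
SAMPLE_LDIF = """
dn: cn=groupa,cn=groups,cn=accounts,dc=test,dc=example
cn: groupa
gidnumber: 2044
member: cn=groupb,cn=groups,cn=accounts,dc=test,dc=example

dn: cn=groupb,cn=groups,cn=accounts,dc=test,dc=example
cn: groupb
gidnumber: 2000
member: uid=alice,cn=users,cn=accounts,dc=test,dc=example

dn: cn=nonposix,cn=groups,cn=accounts,dc=test,dc=example
cn: nonposix
member: uid=alice,cn=users,cn=accounts,dc=test,dc=example
"""
def parse_ldif(text):  # minimal LDIF reader: blank line ends an entry
    entries, cur = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not attr:
            cur = None
        elif attr == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def expected_posix_groups(entries, user_dn):
    """Follow 'member' links upward (nested too); keep only groups with a gidNumber."""
    parents = {}                                   # member dn -> containing group dns
    for dn, attrs in entries.items():
        for m in attrs.get("member", []):
            parents.setdefault(m, []).append(dn)
    seen, queue = set(), deque(parents.get(user_dn, []))
    while queue:
        dn = queue.popleft()
        if dn in seen: continue                    # guards against membership cycles
        seen.add(dn)
        queue.extend(parents.get(dn, []))
    return {entries[dn]["cn"][0]: int(entries[dn]["gidnumber"][0])
            for dn in seen if "gidnumber" in entries.get(dn, {})}

def groups_missing_from_id(expected, id_output):  # names id(1) failed to report
    reported = set(re.findall(r"\d+\(([^)]+)\)", id_output.split("groups=")[-1]))
    return sorted(set(expected) - reported)
```

Feed it the real `ipa group-show ... --all --raw` output and the real `id` line; any name it returns is a group SSSD did not resolve, which is exactly where the debug logs from the troubleshooting guide should be read.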