On Tue, 19 May 2020, Mark Potter via FreeIPA-users wrote:
>While I have seen similar posts to the list while digging through the
>archive, I cannot find this question specifically answered. We are coming
>from OpenLDAP and migrating to FreeIPA on CentOS 7.5. We are using indirect
>memberships to make this migration easier as we are moving from an
>organically grown OpenLDAP to a very structured FreeIPA implementation.
>What seems to be happening is that indirect memberships don't show using
>the standard Linux tools. Using either "id" or "groups" doesn't show any
>indirect memberships yet the permissions seem to still work properly. This
>is causing some confusion with our team.
>
>Group B is a member of Group A and the user is also a direct member of
>groups C and D. When using "id" for a given user it returns B, C, D and
>not A. However I can create a file owned by user root and group A with 550
>permissions and the user can view the contents of the file. "ipa user-show"
>shows the proper memberships with A being an indirect membership.
>
>Is this the expected behavior when using indirect memberships? If so, does
>one abandon the standard CLI tool and use only ipa commands? I am fully
>aware this could be a configuration issue but I have yet to find the
>correct configuration to expose indirect membership to the standard Linux
>tools.
Can you give more concrete logs and examples? Are all of those A, B, C, D groups
POSIX groups, e.g. do they have gidNumber assigned? I don't need to see
the whole entries for them but at least enough output of
$ ipa group-show A --all --raw
that shows 'member' for a user and indirect group membership, along with
'objectclass' list and gidNumber. Same for B, C, D groups.
Please also use the SSSD troubleshooting guide to generate debug logs that show
which groups the user actually belongs to during the request you did
(like 'id ..').
https://sssd.github.io/docs/users/troubleshooting.html
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Mark Potter
Senior Linux Administrator
DownUnder GeoSolutions
16200 Park Row Drive, Suite 100
Houston TX 77084, USA
tel +1 832 582 3221
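A small diagnostic helper, added here as an example and not part of the thread, that applies the check Alexander asks for: it parses `ipa group-show X --all --raw` style output for several groups (a constructed sample; the DNs and gidNumbers are made up and the exact `--raw` layout is assumed), follows nested `member` links upwards from the user, and reports which of the resulting groups are POSIX groups (posixgroup objectclass plus gidNumber), the only ones SSSD can hand to the OS and that can therefore appear in `id` or `groups` output.

```python
# Constructed sample approximating `ipa group-show X --all --raw` output (DNs and
# gidNumbers are made up): user1 is in b and d, b is nested in a, d is not POSIX.
RAW = """\
  dn: cn=a,cn=groups,cn=accounts,dc=example,dc=test
  gidNumber: 10001
  member: cn=b,cn=groups,cn=accounts,dc=example,dc=test
  objectclass: posixgroup

  dn: cn=b,cn=groups,cn=accounts,dc=example,dc=test
  gidNumber: 10002
  member: uid=user1,cn=users,cn=accounts,dc=example,dc=test
  objectclass: posixgroup

  dn: cn=d,cn=groups,cn=accounts,dc=example,dc=test
  member: uid=user1,cn=users,cn=accounts,dc=example,dc=test
"""

def parse_raw(text):
    # {dn (lower-cased): {attribute (lower-cased): [values]}}; entries are blank-line separated
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            attr, _, value = line.strip().partition(":")
            if attr:  # skip stray whitespace-only lines
                attrs.setdefault(attr.lower(), []).append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def effective_groups(entries, user_dn):
    # Walk member -> containing group upwards; 'seen' also guards against nesting cycles
    parents = {}
    for dn, attrs in entries.items():
        for m in attrs.get("member", []):
            parents.setdefault(m.lower(), set()).add(dn)
    seen, todo = set(), [user_dn.lower()]
    while todo:
        new = parents.get(todo.pop(), set()) - seen
        seen |= new
        todo.extend(new)
    return seen

def audit(text, user_dn):
    # group cn -> True if POSIX (posixgroup objectclass AND gidNumber), i.e. eligible to appear in `id`
    entries, result = parse_raw(text), {}
    for dn in effective_groups(entries, user_dn):
        attrs = entries[dn]
        posix = "posixgroup" in {c.lower() for c in attrs.get("objectclass", [])}
        result[dn.split(",")[0].split("=", 1)[1]] = posix and bool(attrs.get("gidnumber"))
    return result
```

Run `audit(RAW, "uid=user1,cn=users,cn=accounts,dc=example,dc=test")` on the sample: a and b come back True (direct and nested POSIX groups), d comes back False, which is exactly the kind of group that permissions may still be granted through by other means but that `id` will never list.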