I should note the problem exists on the latest CentOS 7 with fully up-to-date
RPMs on both client/server.
Alfred
On Tue, Jun 16, 2020 at 3:02 PM Alfred Victor <alvic266(a)gmail.com> wrote:
Hi all,
We have built a FreeIPA system and used ipa migrate-ds to migrate, and are
testing the environment; however, we have a stubbornly persistent issue with
the gid array from POSIX commands or when dealing with filesystem ownerships.
When I create a user in IPA, then add some groups, the issue is immediately
present. In this case these first two below are missing a group ("testers"):
[alvic@HOD28 ~]$ id ipatest
uid=464200021(ipatest) gid=464200021(ipatest)
groups=464200021(ipatest),464200000(admins)
And another:
[alvic@NODE-1-1 ~]$ id ipatest
uid=464200021(ipatest) gid=464200021(ipatest)
groups=464200021(ipatest),464200000(admins)
More commonly, this is the case where only primary gid is returned, and
both groups are missing:
[alvic@NODE-1-2 ~]$ id ipatest
uid=464200021(ipatest) gid=464200021(ipatest) groups=464200021(ipatest)
The client systems were each provisioned like so, and we have also tested
and found this issue on a totally up to date new CentOS 7 system:
ipa-client-install -U -q -p [redacted] --domain=redacted.com --server=ipa.redacted.com --fixed-primary --force-join
We have also attempted a full update of the IPA server via yum update and
restarted it, but the issue is incredibly common. We have also enabled sssd
debuglevel 7 and I noted the following line:
(Tue Jun 16 10:01:09 2020) [sssd[be[redacted.com]]] [sdap_save_user]
(0x0400): Original memberOf is not available for [ipatest(a)redacted.com].
Worth noting that groups display fine for a user, without fail, only if
using "ipa user-show".
Alfred
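
An added example, not part of the original message: a small Python check that parses the three `id ipatest` outputs quoted above and reports, per client, which expected groups are missing and whether the clients disagree with each other. The expected set (ipatest, admins, testers) is taken from the post's description; the function names are hypothetical.

```python
import re

# id(1) output copied from the post (wrapped lines rejoined), keyed by client host.
ID_OUTPUT = {
    "HOD28": "uid=464200021(ipatest) gid=464200021(ipatest) "
             "groups=464200021(ipatest),464200000(admins)",
    "NODE-1-1": "uid=464200021(ipatest) gid=464200021(ipatest) "
                "groups=464200021(ipatest),464200000(admins)",
    "NODE-1-2": "uid=464200021(ipatest) gid=464200021(ipatest) "
                "groups=464200021(ipatest)",
}

# Membership the post describes as correct: private group, admins, testers.
EXPECTED = {"ipatest", "admins", "testers"}

# One "number(name)" entry as printed by id.
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line):
    """Return (user, primary_group, group_names) from one line of id output."""
    fields = dict(f.split("=", 1) for f in line.split())
    user = ENTRY.fullmatch(fields["uid"]).group(2)
    primary = ENTRY.fullmatch(fields["gid"]).group(2)
    # Entries printed as a bare number (unresolved gid) have no name and are skipped.
    groups = {name for _gid, name in ENTRY.findall(fields.get("groups", ""))}
    return user, primary, groups


def missing_groups(outputs, expected):
    """Map each host to the sorted expected groups absent from its id output."""
    return {host: sorted(expected - parse_id(line)[2])
            for host, line in outputs.items()}


def hosts_disagree(outputs):
    """True when clients resolve different group sets for the same user."""
    return len({frozenset(parse_id(line)[2]) for line in outputs.values()}) > 1


if __name__ == "__main__":
    for host, missing in missing_groups(ID_OUTPUT, EXPECTED).items():
        print(f"{host}: missing {', '.join(missing) or 'nothing'}")
    print("clients disagree:", hosts_disagree(ID_OUTPUT))
```

Because file ownership and group-based access decisions follow whatever each client resolves, a disagreement between hosts is worth flagging even when no host shows the full expected set.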