6:07 p.m.
Got my authentication working and I populated my directory with users and groups and
assigned group memberships accordingly. I wasn't getting this issue originally, but
now I'm suddenly getting the "cannot find name for group ID 10000" when I
log in to my test server.
The group with GID 10000 is a POSIX enabled group I created called "users" that
all user accounts are a member of. My user account is a member of a handful of other
POSIX enabled groups. Another of these groups is called "admins" and has a GID
of 10001. There's also "serveradmins" (GID -> 500) and
"devserveraccess" (GID -> 501). If I issue an "id", it shows all
of these groups, but doesn't show the names of GID 10000 and GID 10001, eg
$ id
uid=1069(markj) gid=10000
groups=10000,2(daemon),500(serveradmins),501(devserveraccess),10001
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
However, if I do a "getent group" I can see all of these groups and their
members, eg
serveradmins:*:500:markj,user4
devserveraccess:*:501:markj,user1,user4
users:*:10000:user1,user2,markj,user4
admins:*:10001:admin,markj
I have a suspicion as to what might be at play here. Keep in mind that I've set up
the new directory using all the same info (usernames, groups, UIDs, GIDs etc) from the
existing 389 DS directory. Just looking through this, I see we have a user with a UID of
10000, and another with a UID of 10001. We don't have any with UID of 500 or 501. If
I look at the full "getent group" output, it shows the above groups I've
already mentioned but also lists all the users, including the two with ID 10000 and 10001.
I'm suspecting this is causing some kind of conflict. If I change my user
account's GID to 100 (the normal built-in local 'users' group), I can log in
without getting this error. The only issue with this is we've been running on this
old 389 directory since well before I joined the company so there are many years worth of
home directories and user files with the group owner of '10000' which is now not
going to show a group name. Not sure if this is going to cause any issues dow
n the line, probably only an aesthetics thing.
1:21 a.m.
Am Thu, Nov 04, 2021 at 11:07:25PM -0000 schrieb Mark Johnson via FreeIPA-users:
Got my authentication working and I populated my directory with
users
and groups and assigned group memberships accordingly. I wasn't
getting this issue originally, but now I'm suddenly getting the
"cannot find name for group ID 10000" when I log in to my test server.
The group with GID 10000 is a POSIX enabled group I created called
"users" that all user accounts are a member of. My user account is a
member of a handful of other POSIX enabled groups. Another of these
groups is called "admins" and has a GID of 10001. There's also
"serveradmins" (GID -> 500) and "devserveraccess" (GID -> 501).
If I
issue an "id", it shows all of these groups, but doesn't show the
names of GID 10000 and GID 10001, eg
$ id
uid=1069(markj) gid=10000
groups=10000,2(daemon),500(serveradmins),501(devserveraccess),10001
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
However, if I do a "getent group" I can see all of these groups and their
members, eg
serveradmins:*:500:markj,user4
devserveraccess:*:501:markj,user1,user4
users:*:10000:user1,user2,markj,user4
admins:*:10001:admin,markj
I have a suspicion as to what might be at play here. Keep in mind
that I've set up the new directory using all the same info (usernames,
groups, UIDs, GIDs etc) from the existing 389 DS directory. Just
looking through this, I see we have a user with a UID of 10000, and
another with a UID of 10001. We don't have any with UID of 500 or
501. If I look at the full "getent group" output, it shows the above
groups I've already mentioned but also lists all the users, including
the two with ID 10000 and 10001. I'm suspecting this is causing some
kind of conflict. If I change my user account's GID to 100 (the
normal built-in local 'users' group), I can log in without getting
this error. The only issue with this is we've been running on this
old 389 directory since well before I joined the company so there are
many years worth of home directories and user files with the group
owner of '10000' which is now not going to show a group name. Not
sure if this is going to cause any issues down the line, probably only
an aesthetics thing.
Hi,
can you try if adding
auto_private_groups = false
in the [domain/...] section helps?
bye,
Sumit
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
6:03 p.m.
New subject: cannot find name for group ID x when logging in
Thanks Sumit, that seems to have sorted it out. I had to stop the service, delete the
sssd database and then start the service for this to work.
From other tests prior to this, I noticed if I changed the UID for the users with id 10000
and 10001 this also got rid of the error and allowed the group names to be seen via
'id' and in file permissions. I guess the initial mistake here is having users
with the same ID as posix groups in 389. I think I'll probably end up permanently
changing these two UIDs anyway as it seems like it should never have been configured that
way in the first place, but good to know about the auto_private_groups setting.
Thanks,
Mark
908
days inactive
912
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Mark Johnson -
Sumit Bose