On Thu, Nov 04, 2021 at 11:07:25PM -0000, Mark Johnson via FreeIPA-users wrote:
Got my authentication working and I populated my directory with users
and groups and assigned group memberships accordingly. I wasn't
getting this issue originally, but now I'm suddenly getting the
"cannot find name for group ID 10000" when I log in to my test server.
The group with GID 10000 is a POSIX enabled group I created called
"users" that all user accounts are a member of. My user account is a
member of a handful of other POSIX enabled groups. Another of these
groups is called "admins" and has a GID of 10001. There's also
"serveradmins" (GID -> 500) and "devserveraccess" (GID -> 501).
If I issue an "id", it shows all of these groups, but doesn't show the
names of GID 10000 and GID 10001, e.g.
$ id
uid=1069(markj) gid=10000
groups=10000,2(daemon),500(serveradmins),501(devserveraccess),10001
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
However, if I do a "getent group" I can see all of these groups and their
members, e.g.
serveradmins:*:500:markj,user4
devserveraccess:*:501:markj,user1,user4
users:*:10000:user1,user2,markj,user4
admins:*:10001:admin,markj
I have a suspicion as to what might be at play here. Keep in mind
that I've set up the new directory using all the same info (usernames,
groups, UIDs, GIDs etc) from the existing 389 DS directory. Just
looking through this, I see we have a user with a UID of 10000, and
another with a UID of 10001. We don't have any with UID of 500 or
501. If I look at the full "getent group" output, it shows the above
groups I've already mentioned but also lists all the users, including
the two with ID 10000 and 10001. I'm suspecting this is causing some
kind of conflict. If I change my user account's GID to 100 (the
normal built-in local 'users' group), I can log in without getting
this error. The only issue with this is we've been running on this
old 389 directory since well before I joined the company so there are
many years worth of home directories and user files with the group
owner of '10000' which is now not going to show a group name. Not
sure if this is going to cause any issues down the line, probably only
an aesthetics thing.
Hi,
can you try if adding
auto_private_groups = false
in the [domain/...] section helps?
bye,
Sumit
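
The overlap suspected in the quoted message can be checked mechanically. The script below is an added example, not part of the original thread: it scans `getent passwd` and `getent group` output for a UID that equals the GID of a differently named group, which is the overlap that matters when auto_private_groups is in effect, because SSSD then derives each user's private group from the UID. The sample data is constructed from the IDs in the message; the user names user10000 and user10001 are placeholders.

```python
"""Find UID/GID collisions that break name lookup when SSSD derives
a private group from each user's UID (auto_private_groups in effect)."""

# Constructed sample in `getent passwd` / `getent group` format, modelled on
# the IDs in the thread; user10000 and user10001 are hypothetical names.
SAMPLE_PASSWD = """\
markj:*:1069:10000:Mark:/home/markj:/bin/bash
user10000:*:10000:10000:Example:/home/user10000:/bin/bash
user10001:*:10001:10000:Example:/home/user10001:/bin/bash
"""
SAMPLE_GROUP = """\
serveradmins:*:500:markj,user4
devserveraccess:*:501:markj,user1,user4
users:*:10000:user1,user2,markj,user4
admins:*:10001:admin,markj
"""


def parse_ids(text, id_field=2):
    """Map numeric ID -> set of names from colon-separated getent output."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) <= id_field or not fields[id_field].isdigit():
            continue  # skip blank or malformed lines
        ids.setdefault(int(fields[id_field]), set()).add(fields[0])
    return ids


def find_collisions(passwd_text, group_text):
    """Return [(id, user, group)] where a UID equals the GID of a group
    that is not the user's own same-named private group."""
    users = parse_ids(passwd_text)
    groups = parse_ids(group_text)
    hits = []
    for num in sorted(users.keys() & groups.keys()):
        for user in sorted(users[num]):
            # A group named like the user is the private group itself.
            for group in sorted(groups[num] - {user}):
                hits.append((num, user, group))
    return hits


if __name__ == "__main__":
    for num, user, group in find_collisions(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"ID {num}: user '{user}' collides with group '{group}'")
```

On a real client, feed it the text of `getent passwd` and `getent group` in place of the two sample strings.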