On Mon, Jun 12, 2017 at 12:20:24PM +0000, Ondrej Valousek wrote:
> Hi,
> For some users I experience inconsistent group membership, i.e. "getent group
> G" does not list user U as a member, but "id -a U" command shows the group
> G.
> Is that normal or a known issue?

This can be normal, depending on the group nesting. "getent group" only
processes the group members down to a certain nesting level (see
ldap_group_nesting_level). This is because normally the getent group
output is not used by anything authoritative and at the same time,
processing all group members can be quite expensive.

On the other hand, the result of initgroups (id -G) is used to establish
the list of the supplementary groups the user is a member of, so it's
crucial it's correct and contains all the groups.

So the first thing I would try is to check how deep the member is in the
hierarchy starting from the group you are resolving by getent group. If
it's two or more levels, try increasing the nesting limit. Otherwise, I
would say it would be a bug.
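
The depth check suggested in the reply above, as an added example that is not part of the original message and is not SSSD code: it walks a group-to-members map breadth-first and reports how many nested groups separate the user from the group being resolved. The directory contents, the function names, and the convention that a direct member is at depth 0 are assumptions; compare the result with your ldap_group_nesting_level setting.

```python
from collections import deque

# Constructed sample data (hypothetical): group -> direct members.
# Any member that is itself a key of the map is treated as a nested group.
DIRECTORY = {
    "g_top": ["alice", "g_mid"],
    "g_mid": ["bob", "g_leaf"],
    "g_leaf": ["carol", "g_top"],  # deliberate membership loop back to g_top
    "g_other": ["dave"],
}


def member_path(directory, group, user):
    """Return the shortest chain of groups from `group` down to the group
    that lists `user` directly, or None if the user is not reachable."""
    queue = deque([[group]])
    seen = {group}  # guards against membership loops
    while queue:
        path = queue.popleft()
        members = directory.get(path[-1], [])
        if user in members:
            return path
        for member in members:
            if member in directory and member not in seen:
                seen.add(member)
                queue.append(path + [member])
    return None


def nesting_depth(directory, group, user):
    """Depth 0 = direct member, 1 = member of a group nested in `group`, ..."""
    path = member_path(directory, group, user)
    return None if path is None else len(path) - 1


def report(directory, group, user):
    """One-line summary to compare against the configured nesting limit."""
    path = member_path(directory, group, user)
    if path is None:
        return f"{user} is not reachable from {group}"
    return f"{user} is at depth {len(path) - 1} via {' -> '.join(path)}"


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave"):
        print(report(DIRECTORY, "g_top", u))
```
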