Hi Spike,
Thanks for the response and insight. Sorry for the delay in replying. Yeah, it’s an NFS
mount, and yeah, a lot of members belong to more than 16 AD groups (our AD has been around
for a long time and it’s a decent-sized enterprise).
I found this while doing some googling. I’m going to give it a shot to see if it fixes
the problem. I’ll update this group once I test... will probably be next week b/c of the
holiday.
https://www.xkyle.com/solving-the-nfs-16-group-limit-problem/
Thanks,
Paul
On Nov 22, 2020, at 10:22 AM, Spike White <spikewhitetx(a)gmail.com> wrote:
Is this an NFS mount point? If so, maybe you're hitting the "16 supplemental
group" NFS inherent bug.
Spike
On Fri, Nov 20, 2020 at 2:21 PM Tung, Paul <PTung@mednet.ucla.edu> wrote:
Hi,
I was hoping someone on this list might be able to help.
I’m getting permission denied when trying to access a directory owned by root, but with
a group that I’m a member of.
I’m getting: -bash: cd: testdir: Permission denied
I have the following scenario:
Running CentOS Linux release 7.6.1810 and sssd 1.16.5
I have a mount set up /data/testdir
As root, I chown/chmod testdir:
chown root:testgrpa testdir
chmod 770 testdir
When I log in as user1, I currently can’t cd into /data/testdir
It gives:
-bash: cd: testdir: Permission denied
user1 is a member of testgrpa:
OUTPUT of id user1:
uid=129371342(user1) gid=129371342(user1) groups=129371342(user1),29042750285(group1),1435459822(group2),3456349245(group3),……,239705249(testgrpa)
OUTPUT of getent group testgrpa:
testgrpa:*: 239705249:user1,user2,user2,user4,…..,user50
CONTENTS OF sssd.conf:
[sssd]
config_file_version = 2
services = nss,pam
domains = dept.domain.com
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/dept.domai.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_use_tokengroups = false
enumerate = false
cache_credentials = True
case_sensitive = false
ignore_group_members = false
auto_private_groups = true
ldap_schema = ad
ldap_uri = ldaps://ldapsserver.dept.domain.com:636
ldap_user_search_base = dc=ad,dc=dept,dc=domain,dc=com
ldap_group_search_base = OU=Security Groups,OU=Groups,dc=ad,dc=dept,dc=domain,dc=com?sub?(|(cn=domain users)(cn=testgrpa))
ldap_referrals = False
ldap_group_nesting_level = 3
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/sssd
ldap_use_tokengroups = True
ldap_id_mapping = True
override_homedir = /mnt/exports/shared/home/%u
fallback_homedir = /shared/home/%u
default_shell = /bin/bash
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = (|(memberOf=cn=testgrpa,OU=Security Groups,OU=Groups,DC=ad,DC=dept,DC=domain,DC=com))
ldap_default_bind_dn = <service account>
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <authtok>
Thanks,
Paul T
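
Added example (not part of the original thread, and not sssd code): a shell check for the "16 supplemental group" limit Spike mentions, showing whether the gid that owns the directory still fits in an AUTH_SYS credential. It assumes a Linux NFS client that sends the first 16 entries of the process's kernel group list; the function names and the sample gid list are constructed for illustration.

```shell
#!/usr/bin/env bash
# AUTH_SYS (RFC 5531) carries at most 16 supplementary gids per RPC call.
AUTH_SYS_MAX=16

# Assumption: the Linux NFS client copies the first 16 entries of the
# process's kernel group list (the "Groups:" line in /proc/<pid>/status)
# into the credential and silently drops the rest.

# groups_line <pid>: print that process's supplementary gids, space separated.
groups_line() {
    awk '/^Groups:/ { sub(/^Groups:[ \t]*/, ""); print }' "/proc/$1/status"
}

# nfs_group_check "<gid list>" <target gid>
# Prints: sent       (gid is within the first 16, the server will see it)
#         truncated  (user is a member, but the gid falls past slot 16)
#         not-member (gid is not in the list at all)
nfs_group_check() {
    local pos=0 gid
    for gid in $1; do
        pos=$((pos + 1))
        if [ "$gid" = "$2" ]; then
            if [ "$pos" -le "$AUTH_SYS_MAX" ]; then
                echo sent
            else
                echo truncated
            fi
            return 0
        fi
    done
    echo not-member
}

# Constructed sample: 18 gids, with testgrpa's gid from the post in slot 17.
SAMPLE="1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 \
1013 1014 1015 1016 239705249 239705300"

echo "gid 239705249: $(nfs_group_check "$SAMPLE" 239705249)"
echo "gid 1016:      $(nfs_group_check "$SAMPLE" 1016)"

# Live use, run as the affected user on the NFS client:
#   nfs_group_check "$(groups_line $$)" "$(stat -c %g /data/testdir)"
```

A result of "truncated" matches the symptom in the post: `id` lists the group, yet the server denies access because the gid never reaches it.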
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...