Hi,
I was hoping someone on this list might be able to help. I'm getting permission denied when trying to access a directory owned by root, but with a group that I'm a member of. I'm getting:

    -bash: cd: testdir: Permission denied

I have the following scenario: running CentOS Linux release 7.6.1810 and sssd 1.16.5.

I have a mount set up, /data/testdir. As root, I chown/chmod testdir:

    chown root:testgrpa testdir
    chmod 770 testdir

When I log in as user1, I currently can't cd into /data/testdir. It gives:

    -bash: cd: testdir: Permission denied

user1 is a member of testgrpa.

OUTPUT of id user1:

    uid=129371342(user1) gid=129371342(user1) groups=129371342(user1) ,29042750285(group1),1435459822(group2),3456349245(group3),......,239705249(testgrpa)

OUTPUT of getent group testgrpa:

    testgrpa:*: 239705249:user1,user2,user2,user4,.....,user50
CONTENTS OF sssd.conf:

    [sssd]
    config_file_version = 2
    services = nss,pam
    domains = dept.domain.com

    [nss]
    filter_users = root
    filter_groups = root

    [pam]

    [domain/dept.domai.com]
    id_provider = ldap
    auth_provider = ldap
    access_provider = ldap
    ldap_use_tokengroups = false

    enumerate = false
    cache_credentials = True
    case_sensitive = false
    ignore_group_members = false
    auto_private_groups = true

    ldap_schema = ad

    ldap_uri = ldaps://ldapsserver.dept.domain.com:636
    ldap_user_search_base = dc=ad,dc=dept,dc=domain,dc=com
    ldap_group_search_base = OU=Security Groups,OU=Groups,dc=ad,dc=dept,dc=domain,dc=com?sub?(|(cn=domain users)(cn=testgrpa))
    ldap_referrals = False
    ldap_group_nesting_level = 3

    ldap_tls_reqcert = allow
    ldap_tls_cacertdir = /etc/sssd

    ldap_use_tokengroups = True
    ldap_id_mapping = True

    override_homedir = /mnt/exports/shared/home/%u
    fallback_homedir = /shared/home/%u

    default_shell = /bin/bash

    ldap_access_order = filter, expire
    ldap_account_expire_policy = ad
    ldap_access_filter = (|(memberOf=cn=testgrpa,OU=Security Groups,OU=Groups,DC=ad,DC=dept,DC=domain,DC=com))

    ldap_default_bind_dn = <service account>
    ldap_default_authtok_type = obfuscated_password
    ldap_default_authtok = <authtok>

Thanks,
Paul T
sssd-users@lists.fedorahosted.org