"groups" and "id" disagree...

deej
Posts: 12
Joined: 2011/07/15 16:42:39

"groups" and "id" disagree...

Post by deej » 2011/07/21 21:13:39

Curious if anyone else has seen this in release 6. Login accounts via sssd from an Active Directory server.

"deej" is an AD account, not defined locally.

Defined a test group in /etc/group as:
deejtest:x:730:deej

$ getent group deejtest
deejtest:x:730:deej

$ whoami
deej

(output sanitized)
$ groups
adgroup1 adgroup2 adgroup3 adgroup4

$ id deej
uid=xxxx(deej) gid=3411(adgroup1) groups=3411(adgroup1),730(deejtest),7xx(adgroup2),7xx(adgroup3),7xx(adgroup4),7xx(adgroup5),7xx(adgroup6),7xx(adgroup7),7xx(adgroup8)

Why do only 4 groups show up in "groups", and none of the other AD groups or locally defined groups?

Likely related, file group permissions aren't working either, whether it be a locally mounted filesystem or NFS:

Examples:
drwxrwx--- 2 root deejtest 4096 Jul 21 15:34 test2
$ cd test2
-bash: cd: test2: Permission denied

drwxrwsr-x 2 root deejtest 4096 Jul 21 15:03 junk2
$ cd junk2
$ touch junk.file
touch: cannot touch `junk.file': Permission denied


Curious.

-Dj

deej
Posts: 12
Joined: 2011/07/15 16:42:39

Re: "groups" and "id" disagree...

Post by deej » 2011/07/22 14:05:01

This morning I turn the machine on, log in, and now "groups" and "id" match, and the file permissions are working. I've made no changes since it was not working yesterday, other than shutting down the machine before I left the office.

I'm glad it is working, but, I won't be happy until I can figure out why...

Thoughts?

-Dj

deej
Posts: 12
Joined: 2011/07/15 16:42:39

Re: "groups" and "id" disagree...

Post by deej » 2011/07/22 15:49:23

I think I have a tentative explanation. If I create a new group in /etc/group, the current login session will not pick up the new group info. Logging in with another session will show the new info in both "groups" and "id". The difference I was seeing yesterday might be related to restarting and clearing the sssd cache while I was troubleshooting, and apparently "id" will pick up on this, but "groups" will not.

That's the best I can come up with at present.

-Dj

skolnick
Posts: 209
Joined: 2007/11/24 16:05:26

"groups" and "id" disagree...

Post by skolnick » 2011/07/22 15:53:35

Hi!

AFAIK, it's normal that when you change the group membership of a user it will take a logoff/logon to take the changes properly.

Regards.

deej
Posts: 12
Joined: 2011/07/15 16:42:39

Re: "groups" and "id" disagree...

Post by deej » 2011/07/22 16:36:39

[quote]
skolnick wrote:

AFAIK, it's normal that when you change the group membership of a user it will take a logoff/logon to take the changes properly.[/quote]

Yes, I consider that normal behaviour as well, but that wasn't what I was referring to in my previous posts. What was throwing me off was the difference in the output between the two commands. I would think that they should show the SAME info, and both not pick up the new group info until a logoff/login cycle had been done.

What is disconcerting is that I think I did reboot the machine yesterday during my testing, which obviously would involve a logoff/login, but a day later I can't be 100% sure of that. I am pretty confident that I did log in and log out several times, though.

The issue was not picking up new group info, but rather that they were showing different output from the SAME group info that had been there all along, both in /etc/group and from AD.

At this point all I can do is keep an eye on it, but it does lose a bit of confidence in moving from 5 to 6 at this point.

-Dj

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: "groups" and "id" disagree...

Post by jlehtone » 2011/07/23 09:35:15

[quote]deej wrote:
What was throwing me off was the difference in the output between the two commands. I would think that they should show the SAME info, and both not pick up the new group info until a logoff/login cycle had been done.[/quote]
I think that the difference is logical.

"groups" shows the groups that the [i]current session[/i] is member of. You can use "newgrp" to [i]join[/i] more groups.

"id" queries the databases for what groups have been configured for an account. Different source for data.

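The distinction drawn in the last reply, as an added example that is not part of the original thread: "groups" with no argument reports the credentials of the running process, while "id deej" asks NSS (files, sssd) for the groups configured for the account. The sketch below compares the two sources for the current session; the function names are hypothetical.

```python
import grp
import os
import pwd


def session_gids():
    """GIDs in this process's credentials: what `groups` (no argument) prints."""
    return set(os.getgroups()) | {os.getegid()}


def database_gids(user):
    """GIDs NSS resolves for the account right now: what `id USER` prints."""
    entry = pwd.getpwnam(user)
    return set(os.getgrouplist(user, entry.pw_gid))


def compare(session, database):
    """Return (missing, stale) as sorted GID lists.

    missing: configured for the account, but this session never received it.
    stale:   still held by this session, but no longer configured.
    """
    return sorted(database - session), sorted(session - database)


def gid_name(gid):
    """Resolve a GID to its name, falling back to the number if unknown."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def report(user=None):
    """Print drift between the running session and the group databases."""
    user = user or pwd.getpwuid(os.getuid()).pw_name
    missing, stale = compare(session_gids(), database_gids(user))
    for label, gids in (("missing from session", missing),
                        ("stale in session", stale)):
        print(f"{label}: {', '.join(map(gid_name, gids)) or '-'}")
    return missing, stale


if __name__ == "__main__":
    report()
```

A non-empty "stale" list is the case to watch on shared hosts: the session keeps the access of a group the account has since been removed from until it ends.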