On Tue, Jun 16, 2020 at 05:12:09PM -0500, Alfred Victor via FreeIPA-users wrote:
> I should note the problem exists on latest CentOS7 with fully up to date
> rpms on both client/server.
> 
> Alfred
> 
> On Tue, Jun 16, 2020 at 3:02 PM Alfred Victor <[email protected]> wrote:
> 
> > Hi all,
> >
> > We have built a FreeIPA system and used ipa migrate-ds to migrate and are
> > testing the environment however we have a stubbornly persistent issue with
> > gid array from posix commands or when dealing with filesystem ownerships.
> > When I create a user in IPA, then add some groups, the issue is immediately
> > present. In this case these first two below are missing a group ("testers"):
> >
> > [alvic@HOD28 ~]$ id ipatest
> >
> > uid=464200021(ipatest) gid=464200021(ipatest) groups=464200021(ipatest),464200000(admins)
> >
> > And another:
> >
> > [alvic@NODE-1-1 ~]$ id ipatest
> >
> > uid=464200021(ipatest) gid=464200021(ipatest) groups=464200021(ipatest),464200000(admins)
> >
> > More commonly, this is the case where only primary gid is returned, and
> > both groups are missing:
> >
> > [alvic@NODE-1-2 ~]$ id ipatest
> >
> > uid=464200021(ipatest) gid=464200021(ipatest) groups=464200021(ipatest)
> >
> > The client systems were each provisioned like so, and we have also tested
> > and found this issue on a totally up to date new CentOS 7 system:
> >
> > ipa-client-install -U -q -p [redacted] --domain=redacted.com --server=ipa.redacted.com --fixed-primary --force-join
> >
> > We have also attempted a full update of the IPA server via yum update and
> > restarted it but the issue is incredibly common. We have also enabled sssd
> > debuglevel 7 and I noted the following line:
> >
> > (Tue Jun 16 10:01:09 2020) [sssd[be[redacted.com]]] [sdap_save_user] (0x0400): Original memberOf is not available for [[email protected]].
> >
> > Worth noting that groups display fine for a user, without fail, only if
> > using "ipa user-show"

Hi,

there might be a permission issue when reading the memberOf attribute.

Can you first check if memberOf attributes are shown if you call:

    ipa user-show --all --raw ipatest

The next step is to check with ldapsearch:

    kdestroy -A
    kinit -k
    ldapsearch -Y GSSAPI -b 'uid=ipatest,cn=users,cn=accounts,dc=your,dc=ipa,dc=domain'

You can copy the DN ('uid=ipatest,cn=...') from the first line of the
'ipa user-show' output. Please check if ldapsearch returns the same
memberOf attributes as 'ipa user-show'.

bye,
Sumit

> > Alfred

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
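A POSIX shell helper that automates the comparison Sumit describes (API-visible memberOf versus what an ldapsearch bound with the host keytab can read), added here as an example and not part of the thread. The sample outputs it embeds are constructed, dc=example,dc=test stands in for the real base DN, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: automate the comparison in the reply above.
# memberOf values that 'ipa user-show --all --raw' shows but an ldapsearch bound
# with the host keytab cannot read point at the permission problem suspected
# there. Sample outputs are constructed; dc=example,dc=test is a placeholder.

# Join LDIF continuation lines (one leading space) back onto the line above.
unfold_ldif() {
    printf '%s\n' "$1" | awk '/^ / { printf "%s", substr($0, 2); next }
        NR > 1 { printf "\n" } { printf "%s", $0 } END { printf "\n" }'
}

# DN from the first line of 'ipa user-show --all --raw' output ("  dn: ...").
show_dn() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*dn: //p' | sed 1q
}

# memberOf values (ipa prints "memberof:", ldapsearch "memberOf:"), lower-cased, sorted.
member_of() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*[mM]ember[oO]f: //p' | tr 'A-Z' 'a-z' | sort -u
}

# Values in the ipa output ($1) absent from the ldapsearch LDIF ($2); empty when they agree.
missing_in_ldap() {
    tmp=$(mktemp) || return 2
    member_of "$(unfold_ldif "$2")" > "$tmp"
    member_of "$1" | grep -vxF -f "$tmp" || true   # grep exits 1 when nothing is missing
    rm -f "$tmp"
}

# Live run on an enrolled client, following the steps in the reply above.
compare_live() {
    ipa_out=$(ipa user-show --all --raw "$1") || return 2
    kdestroy -A
    kinit -k || return 2   # host keytab: the identity sssd binds with
    ldap_out=$(ldapsearch -Q -LLL -Y GSSAPI -s base -b "$(show_dn "$ipa_out")" memberOf) || return 2
    missing_in_ldap "$ipa_out" "$ldap_out"
}

# Constructed sample: ipa lists three groups; ldapsearch returns two, one folded.
SAMPLE_IPA='  dn: uid=ipatest,cn=users,cn=accounts,dc=example,dc=test
  memberof: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
  memberof: cn=testers,cn=groups,cn=accounts,dc=example,dc=test
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test'
SAMPLE_LDAP='dn: uid=ipatest,cn=users,cn=accounts,dc=example,dc=test
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
memberOf: cn=ipausers,cn=groups,cn=acc
 ounts,dc=example,dc=test'
missing_in_ldap "$SAMPLE_IPA" "$SAMPLE_LDAP"   # prints the testers group DN
```

Run `compare_live ipatest` on one of the affected clients; any DN it prints is a group the API reports but the host principal's LDAP bind cannot see.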
