On Fri, Nov 14, 2014 at 03:07:29PM +0000, Darren Poulson wrote:
> > From: [email protected] [[email protected]]
> > on behalf of Jakub Hrozek [[email protected]]
> > Sent: 14 November 2014 14:56
> > To: [email protected]
> > Subject: Re: [Freeipa-users] Group membership not populated
> >
> > On Fri, Nov 14, 2014 at 12:10:59PM +0000, Darren Poulson wrote:
> > > Hi,
> > >
> > > I'm currently having an issue where if I log in as a user on a freshly
> > > rebooted machine, their group membership is not populated, so things
> > > like sudo do not work properly. If I do a getent group <group>, log out
> > > and log back in again, then it works properly.
> > >
> > > for example
> > >
> > > -sh-4.1$ groups dpoulson
> > > dpoulson : dpoulson ops_admins helpdesk
> > > -sh-4.1$ getent group ops_users
> > > ops_users:*:50130:dpoulson,anotheruser,andanother,etc
> >
> > Is ops_users an IPA group that dpoulson is a member of (or maybe some AD
> > trust group or a local UNIX group)?
>
> An IPA group, no AD or other funkiness in this set up yet.
>
> > > -sh-4.1$ groups dpoulson
> > > dpoulson : dpoulson ops_admins helpdesk ops_users
> > > -sh-4.1$ groups
> > > dpoulson ops_admins helpdesk
> > >
> > > <logout/login>
> > >
> > > -sh-4.1$ groups
> > > dpoulson helpdesk ops_admins ops_users
> >
> > Taking the missing ops_users group out of the picture, this is expected,
> > memberships are set on login only.
>
> Agreed.
>
> > > (the user is actually meant to be a member of 6 groups)
> >
> > Can you paste ipa user-show dpoulson?
>
> [root@freeipa1-01 ~]# ipa user-show dpoulson
>   User login: dpoulson
>   First name: Darren
>   Last name: Poulson
>   Home directory: /home/dpoulson
>   Login shell: /bin/sh
>   Email address: [email protected]
>   UID: 50004
>   GID: 50004
>   Telephone Number: 123-555-1234
>   Account disabled: False
>   Password: True
>   Member of groups: admins, ipausers, helpdesk, sbmonitor_users, ops_users,
>   ops_admins
>   Indirect Member of role: helpdesk
>   Indirect Member of Sudo rule: sudo_admins
>   Indirect Member of HBAC rule: allow_all
>   Kerberos keys available: True
>   SSH public key fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX [email protected] (ssh-rsa)
OK, if the user is a direct member of the groups and the groups are all POSIX (=they all have a GID), then I would expect the group membership to show all users. Can you try setting ldap_deref_threshold=0 and re-running the test? It would also be best if you could remove the sssd cache first.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
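The two steps Jakub asks for (set ldap_deref_threshold=0 in the domain section of sssd.conf, then drop the on-disk SSSD cache before retesting) as a small POSIX shell script. This is an added example, not code from the thread or from the SSSD project; the domain name example.test, the throwaway config used in the comments, and the default paths /etc/sssd/sssd.conf and /var/lib/sss/db are assumptions you would replace with your own (the latter two are SSSD's usual locations). The functions take the file and directory as parameters so they can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): set ldap_deref_threshold
# in one [domain/NAME] section of an sssd.conf copy, and clear the SSSD
# cache so the next login resolves group membership fresh from the server.
set -eu

# Insert or replace "ldap_deref_threshold = VALUE" inside [domain/DOMAIN] of
# CONF. Other sections are left exactly as they are.
set_deref_threshold() {
    conf="$1"; domain="$2"; value="${3:-0}"
    awk -v sect="[domain/$domain]" -v val="$value" '
        # leaving the target section without having seen the key: add it
        /^\[/ && insect && !done { print "ldap_deref_threshold = " val; done = 1 }
        /^\[/ { insect = ($0 == sect) }
        # key already present in the target section: rewrite it in place
        insect && /^[[:space:]]*ldap_deref_threshold[[:space:]]*=/ {
            print "ldap_deref_threshold = " val; done = 1; next
        }
        { print }
        # target section was the last one and had no key: append it
        END { if (insect && !done) print "ldap_deref_threshold = " val }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the effective ldap_deref_threshold for [domain/DOMAIN] (empty if unset),
# so the edit can be verified before sssd is restarted.
get_deref_threshold() {
    conf="$1"; domain="$2"
    awk -v sect="[domain/$domain]" '
        /^\[/ { insect = ($0 == sect) }
        insect && /^[[:space:]]*ldap_deref_threshold[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print
        }
    ' "$conf"
}

# Remove the SSSD cache databases (default /var/lib/sss/db). sssd must be
# stopped first; it recreates the files on start.
clear_sssd_cache() {
    db="${1:-/var/lib/sss/db}"
    rm -f "$db"/*.ldb
}

# Typical use on the affected client, as root (assumed domain name):
#   systemctl stop sssd
#   set_deref_threshold /etc/sssd/sssd.conf example.test 0
#   clear_sssd_cache
#   systemctl start sssd
#   id dpoulson        # then log out, log in, and compare with: groups
```

If you would rather not delete the databases, `sss_cache -E` invalidates every cached entry instead; with a threshold of 0 SSSD stops using the dereference control for group lookups, which is what makes the retest informative when dereferencing is the suspected cause.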
