Hi All,
I have granted a bunch of users to a list of servers, but except for one server all the users are able to touch the files once they log in to 3 out of 4 servers. On one server alone I am able to switch to the user but am not able to touch any files, getting the message "permission denied".
Regards Kanna
Kannappan M via FreeIPA-users wrote:
Hi All,
I have granted a bunch of users to a list of servers, but except for one server all the users are able to touch the files once they log in to 3 out of 4 servers. On one server alone I am able to switch to the user but am not able to touch any files, getting the message "permission denied".
To restate:
- you created an HBAC rule that allows a set of users to log into a set of 4 hosts and that works ok
- on one of the 4 hosts one user is not allowed to create files
We can eliminate HBAC as a problem since it allowed login access. It doesn't control who can write files on a host.
It sounds like a groups problem. I'd suggest looking at what files/directories are not writable and see what the permissions are. I wonder if one user is not in the group which owns the directory.
You can use getent groups <user> to see what groups they are in. It should be the same on all hosts and it should match what ipa user-show <user> shows for group memberships.
That's where I'd start anyway. Next step would be to increase debugging on the SSSD side to see whether all the groups that the user should be in are being resolved properly.
rob
Hi Rob,
I think I didn't make myself clear, it seems.
server list
10.1.2.3 10.1.2.4 10.1.2.5 10.1.2.6
users list sam kim alias moore
In the above users and servers list, all the users are able to access 2.3, 2.4 and 2.5, but none of the users are able to touch any files or folders on 10.1.2.6. After logging in to 10.1.2.6, when I run id sam or id kim or id alias or id moore, all the IDs are reflected, but none of the users are able to touch the files or folders.
Regards Kanna
Kannappan M via FreeIPA-users wrote:
Hi Rob,
I think I didn't make myself clear, it seems.
server list
10.1.2.3 10.1.2.4 10.1.2.5 10.1.2.6
users list sam kim alias moore
In the above users and servers list, all the users are able to access 2.3, 2.4 and 2.5, but none of the users are able to touch any files or folders on 10.1.2.6. After logging in to 10.1.2.6, when I run id sam or id kim or id alias or id moore, all the IDs are reflected, but none of the users are able to touch the files or folders.
Permissions are managed by UID/GID and group membership. So see what the mode of the files/directories are and compare that to the UID/GID and groups of the user on *that* machine. It could be that groups aren't being resolved properly, for example.
Or it's an NFS mount that didn't mount properly. Or many other things. This still lacks a fair bit of detail.
rob
freeipa-users@lists.fedorahosted.org
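The comparison suggested in the last reply (directory mode against the UID/GID and groups resolved on that machine, plus the filesystem type in case a mount is involved) can be scripted as below. This is an added example, not part of the thread; the function names are hypothetical and it assumes GNU `stat` and `id` as found on a typical Linux host.

```shell
#!/bin/sh
# Mode strings are as printed by `stat -c %a` (e.g. 775, 2770; no leading zero).
# Only classic mode bits are evaluated; ACLs, SELinux and root's override are not.

# perm_class OWNER_UID OWNER_GID UID "GID LIST": which triplet the kernel applies.
perm_class() {
    if [ "$3" = "$1" ]; then echo owner; return 0; fi
    for g in $4; do
        if [ "$g" = "$2" ]; then echo group; return 0; fi
    done
    echo other
}

# can_create MODE OWNER_UID OWNER_GID UID "GID LIST"
# Creating a file needs write (2) and search (1) on the containing directory.
# The classes are exclusive: an owner without write is denied even if the
# group triplet would allow it.
can_create() {
    mode=$(( $1 % 1000 ))            # drop the setuid/setgid/sticky digit
    case $(perm_class "$2" "$3" "$4" "$5") in
        owner) bits=$(( mode / 100 )) ;;
        group) bits=$(( mode / 10 % 10 )) ;;
        *)     bits=$(( mode % 10 )) ;;
    esac
    [ $(( bits & 3 )) -eq 3 ]
}

# diagnose USER DIR: collect the values as resolved on *this* host and report.
diagnose() {
    uid=$(id -u "$1") || return 2
    gids=$(id -G "$1")
    st=$(stat -c '%a %u %g' "$2") || return 2
    fstype=$(stat -f -c %T "$2")     # e.g. nfs, xfs: shows whether a mount is in play
    echo "user=$1 uid=$uid gids=$gids"
    set -- $st
    echo "dir: mode=$1 owner_uid=$2 owner_gid=$3 fstype=$fstype"
    echo "class applied: $(perm_class "$2" "$3" "$uid" "$gids")"
    if can_create "$1" "$2" "$3" "$uid" "$gids"; then
        echo "mode bits allow creating files here"
    else
        echo "mode bits deny creating files here"
    fi
}

if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; fi
```

Running it with a user name and a directory on a working host and on the failing host, then comparing the output, shows whether the difference is in the resolved groups, the directory ownership or the filesystem type.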