"getent group -s sss" behaves differently on centos 7 vs centos 8. Why? - FreeIPA-users - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

"getent group -s sss" behaves differently on centos 7 vs centos 8. Why?

gssproxy kerberos cache with no...

Odd hostgroup behavior

Russell Jones

Thursday, 27 January 2022 Thu, 27 Jan '22

4:06 p.m.

Hi all, I am very confused on why I am not able to enumerate the group members on a centos 8 machine with the above command, but I can on a centos 7 machine. [root@centos8-1 log]# getent group -s sss video video:x:39: [root@centos7-n11 log]# getent group -s sss video video:*:39:<lots of users> Both are configured with the same sssd.conf file, and both have "enumerate = True" in the domain section. In addition, if I just do "getent group" without the "-s sss" the group and all of its members show up properly on both machines. Super confused here. Thanks in advance for the help!

Attachments:

attachment.html (text/html — 755 bytes)

Reply

Show replies by date

Sumit Bose

Monday, 7 February Mon, 7 Feb

3:13 a.m.

New subject: "getent group -s sss" behaves differently on centos 7 vs centos 8. Why?

Am Thu, Jan 27, 2022 at 04:06:19PM -0600 schrieb Russell Jones via FreeIPA-users:

Hi all, I am very confused on why I am not able to enumerate the group members on a centos 8 machine with the above command, but I can on a centos 7 machine. [root@centos8-1 log]# getent group -s sss video video:x:39: [root@centos7-n11 log]# getent group -s sss video video:*:39:<lots of users> Both are configured with the same sssd.conf file, and both have "enumerate = True" in the domain section. In addition, if I just do "getent group" without the "-s sss" the group and all of its members show up properly on both machines. Super confused here. Thanks in advance for the help!

Hi, can you try if setting enable_files_domain = false in the [sssd] section in sssd.conf on centos 8 helps? bye, Sumit

_______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Reply

Russell Jones

9:38 a.m.

New subject: "getent group -s sss" behaves differently on centos 7 vs centos 8. Why?

Thanks! I did end up finding that configuration. Setting it to false did fix the issue. To be honest, I don't really understand the point of that configuration option. On Mon, Feb 7, 2022 at 3:13 AM Sumit Bose via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org> wrote:

Am Thu, Jan 27, 2022 at 04:06:19PM -0600 schrieb Russell Jones via FreeIPA-users: > Hi all, > > I am very confused on why I am not able to enumerate the group members on a > centos 8 machine with the above command, but I can on a centos 7 machine. > > [root@centos8-1 log]# getent group -s sss video > video:x:39: > > [root@centos7-n11 log]# getent group -s sss video > video:*:39:<lots of users> > > Both are configured with the same sssd.conf file, and both have "enumerate > = True" in the domain section. > > In addition, if I just do "getent group" without the "-s sss" the group and > all of its members show up properly on both machines. > > Super confused here. Thanks in advance for the help! Hi, can you try if setting enable_files_domain = false in the [sssd] section in sssd.conf on centos 8 helps? bye, Sumit > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Reply

Sumit Bose

12:19 p.m.

New subject: "getent group -s sss" behaves differently on centos 7 vs centos 8. Why?

Am Mon, Feb 07, 2022 at 09:38:04AM -0600 schrieb Russell Jones:

Thanks! I did end up finding that configuration. Setting it to false did fix the issue. To be honest, I don't really understand the point of that configuration option.

Hi, in RHEL-8 SSSD will handle user and groups from /etc/passwd and /etc/group by default as well. Unfortunately there is an issue is groups and members are coming from different domains as in your case (local group, remote users). As a result SSSD can still resolve the local group but not add the corresponding remote members. 'enable_files_domain = false' will switch off the handling of the local files in SSSD and let glibc and the nss modules collect the group members. HTH bye, Sumit

On Mon, Feb 7, 2022 at 3:13 AM Sumit Bose via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org> wrote: > Am Thu, Jan 27, 2022 at 04:06:19PM -0600 schrieb Russell Jones via > FreeIPA-users: > > Hi all, > > > > I am very confused on why I am not able to enumerate the group members > on a > > centos 8 machine with the above command, but I can on a centos 7 machine. > > > > [root@centos8-1 log]# getent group -s sss video > > video:x:39: > > > > [root@centos7-n11 log]# getent group -s sss video > > video:*:39:<lots of users> > > > > Both are configured with the same sssd.conf file, and both have > "enumerate > > = True" in the domain section. > > > > In addition, if I just do "getent group" without the "-s sss" the group > and > > all of its members show up properly on both machines. > > > > Super confused here. Thanks in advance for the help! > > Hi, > > can you try if setting > > enable_files_domain = false > > in the [sssd] section in sssd.conf on centos 8 helps? > > bye, > Sumit > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >

Reply

807

days inactive

818

days old

freeipa-users@lists.fedorahosted.org

Manage subscription

3 comments

2 participants

tags (0)

participants (2)

Russell Jones
Sumit Bose