# id skovylov
uid=15001(skovylov) gid=15000(mcc-rhm) группы=15000(mcc-rhm),31000(GRP-SVC-SSH-IFRONT1),30000(GRP-SVC-SSH-IFRONT),30004(GRP-SVC-SSH-XFRONT),30006(GRP-SVC-SUDO-NODE),30001(GRP-SVC-SSH-NODE),31021(GRP-SVC-SSH-XPBS2),30005(GRP-SVC-SSH-XTECH),30007(GRP-SVC-SUDO-XPBS),30003(GRP-SVC-FTP-IMDS),30002(GRP-SVC-SSH-IMDS)
2010/11/12 Stephen Gallagher sgallagh@redhat.com:
On 11/12/2010 09:37 AM, Sergei V. Kovylov wrote:
What command are you using to check this? Can you tell me if getent group GRP-SVC-SSH-NODE1 shows the users from GRP-SVC-SSH-NODE?
What about:
id <user from GRP-SVC-SSH-NODE>
Does that show the user as a member of both groups?
I'm using getent passwd and getent group to define if groups and users come to sssd from LDAP.
# getent group GRP-SVC-SSH-NODE01
GRP-SVC-SSH-NODE01:*:31002:
# getent group GRP-SVC-SSH-NODE
GRP-SVC-SSH-NODE:*:30001:skovylov,azvarich
Please also include the output of id skovylov and/or id azvarich.
I want to see if initgroups is also misbehaving, or if it's only getgrnam.
#ldbsearch -H /var/lib/sss/db/cache_MD.METEORF.RU.ldb
# record 36
dn: name=GRP-SVC-SSH-INODE01,cn=groups,cn=DOMAIN,cn=sysdb
createTimestamp: 1289569193
gidNumber: 31002
name: GRP-SVC-SSH-INODE01
objectClass: group
originalDN: cn=GRP-SVC-SSH-INODE01,ou=SVC-SSH,ou=GROUP-ACCESS,ou=COMPUTE,dc=<skipped>
originalModifyTimestamp: 20101012084647Z
lastUpdate: 1289569193
dataExpireTimestamp: 1289574593
distinguishedName: name=GRP-SVC-SSH-INODE01,cn=groups,cn=DOMAIN,cn=sysdb
If possible, please also turn debug_level up to 6 and include the debug log in /var/log/sssd/sssd_<domain>.log for those two commands.
(Fri Nov 12 14:25:42 2010) [sssd[be[MD.METEORF.RU]]] [sdap_save_group] (7): Adding original DN [cn=GRP-SVC-SSH-NODE,ou=GROUP-ACCESS,ou=COMPUTE,dc=<skipped>] to attributes of [GRP-SVC-SSH-NODE].
(Fri Nov 12 14:25:42 2010) [sssd[be[MD.METEORF.RU]]] [sdap_save_group] (6): Storing info for group GRP-SVC-SSH-NODE
(Fri Nov 12 14:25:42 2010) [sssd[be[MD.METEORF.RU]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x5e5e60
(Fri Nov 12 14:25:42 2010) [sssd[be[MD.METEORF.RU]]] [ldb] (9): tevent: Added timed event "ltdb_timeout": 0x5e5f10
(Fri Nov 12 14:25:42 2010) [sssd[be[MD.METEORF.RU]]] [ldb] (9): tevent: Destroying timer event 0x5e5f10 "ltdb_timeout"
(Fri Nov 12 14:25:42 2010) [sssd[be[MD.METEORF.RU]]] [ldb] (9): tevent: Ending timer event 0x5e5e60 "ltdb_callback"
(Fri Nov 12 14:25:42 2010) [sssd[be[MD.METEORF.RU]]] [sysdb_search_group_by_name] (6): Error: 2 (No such file or directory)
(Fri Nov 12 14:25:42 2010) [sssd[be[MD.METEORF.RU]]] [ldb] (9): start ldb transaction (nesting: 1)
(Fri Nov 12 14:25:42 2010) [sssd[be[MD.METEORF.RU]]] [ldb] (9): tevent: Added timed event "ltdb_callback": 0x634930
Also, I have noticed that if I remove member GRP-SVC-SSH-NODE from GRP-SVC-SSH-NODE1, wait some time and then return the membership back, then users become members of GRP-SVC-SSH-NODE1 until reinstalling the sssd package. It seems like sssd ignores entries that are not created yet.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
Stephen Gallagher RHCE 804006346421761
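Added example, not part of the original thread and not SSSD code: a small Python check that answers the getgrnam-versus-initgroups question from the getent and id output posted in this thread. It assumes GRP-SVC-SSH-NODE01 in the getent output is the outer group the thread calls GRP-SVC-SSH-NODE1; the function names are illustrative.

```python
import re

# Output copied from the thread; "группы" is the localized "groups" label.
ID_OUTPUT = (
    "uid=15001(skovylov) gid=15000(mcc-rhm) группы=15000(mcc-rhm),"
    "31000(GRP-SVC-SSH-IFRONT1),30000(GRP-SVC-SSH-IFRONT),30004(GRP-SVC-SSH-XFRONT),"
    "30006(GRP-SVC-SUDO-NODE),30001(GRP-SVC-SSH-NODE),31021(GRP-SVC-SSH-XPBS2),"
    "30005(GRP-SVC-SSH-XTECH),30007(GRP-SVC-SUDO-XPBS),30003(GRP-SVC-FTP-IMDS),"
    "30002(GRP-SVC-SSH-IMDS)"
)
GETENT_OUTPUT = """\
GRP-SVC-SSH-NODE01:*:31002:
GRP-SVC-SSH-NODE:*:30001:skovylov,azvarich
"""


def parse_id(line):
    """Return {group name: gid} from the group list of one `id` output line."""
    # The label before "=" depends on the locale, so select the field by position.
    groups_field = line.split(None, 2)[2]
    return {name: int(gid) for gid, name in re.findall(r"(\d+)\(([^)]+)\)", groups_field)}


def parse_getent(text):
    """Return {group name: (gid, members)} from `getent group` output lines."""
    groups = {}
    for line in text.strip().splitlines():
        name, _passwd, gid, members = line.strip().split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def nested_visibility(user, inner, outer, id_groups, getent_groups):
    """Report whether `user`, a direct member of `inner`, shows up in `outer`."""
    if user not in getent_groups[inner][1]:
        raise ValueError(f"{user} is not a direct member of {inner}")
    outer_gid, outer_members = getent_groups[outer]
    return {
        "getgrnam": user in outer_members,  # what `getent group` returned
        "initgroups": id_groups.get(outer) == outer_gid,  # what `id` returned
    }


if __name__ == "__main__":
    result = nested_visibility("skovylov", "GRP-SVC-SSH-NODE", "GRP-SVC-SSH-NODE01",
                               parse_id(ID_OUTPUT), parse_getent(GETENT_OUTPUT))
    for path, seen in result.items():
        print(f"{path}: nested membership {'resolved' if seen else 'MISSING'}")
```

On the output posted in the thread, both lookup paths report the nested membership as missing.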