Thanks,
We talk about a single nesting level so it is likely a bug.
The truth is that 'id -a' always shows correct information, so this is more of a
nuisance than a bug affecting production.
Also sss_cache -g G does not help, but restarting sssd & deleting the cache does help.
Hard to replicate, so just an FYI that it happens.
Ondrej
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek@redhat.com]
Sent: Monday, June 12, 2017 3:16 PM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: Inconsistent group membership
On Mon, Jun 12, 2017 at 12:20:24PM +0000, Ondrej Valousek wrote:
> Hi,
>
> For some users I experience inconsistent group membership, i.e. "getent
> group G" does not list user U as a member, but "id -a U" command shows
> the group G.
> Is that normal or a known issue?
This can be normal, depending on the group nesting. "getent group" only
processes the group members down to a certain nesting level (see
ldap_group_nesting_level). This is because normally the getent group output
is not used by anything authoritative and at the same time, processing all
group members can be quite expensive.
On the other hand, the result of initgroups (id -G) is used to establish the list
of the supplementary groups the user is a member of, so it's crucial it's
correct and contains all the groups.
So the first thing I would try is to check how deep is the member in the
hierarchy starting from the group you are resolving by getent group. If it's two
or more levels, try increasing the nesting limit. Otherwise, I would say it would
be a bug.
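The comparison discussed in this thread, as an added example that is not part of the original messages: a POSIX shell helper that classifies whether the enumerated member list (`getent group G`) and the initgroups result (`id -G U`) agree for one user. The function names and the sample data are constructed for illustration; matching is done on the numeric GID and on exact member names.

```shell
#!/bin/sh
# Added example (not from the thread): compare a group's enumerated member
# list with a user's initgroups result. Inputs are plain strings, so the
# check also works on output captured from another host.

# classify USER GETENT_LINE ID_GIDS
#   GETENT_LINE: one line of `getent group G` (name:passwd:gid:m1,m2,...)
#   ID_GIDS:     output of `id -G USER` (space-separated numeric GIDs)
classify() {
    user=$1
    line=$2
    gids=$3
    [ -n "$line" ] || { echo "group-not-found"; return 0; }

    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    members=$(printf '%s\n' "$line" | cut -d: -f4)

    # Exact-name match in the comma-separated member field.
    in_getent=no
    case ",$members," in *",$user,"*) in_getent=yes ;; esac

    # Match on numeric GID: group names may contain spaces, GIDs cannot.
    in_id=no
    case " $gids " in *" $gid "*) in_id=yes ;; esac

    case "$in_getent/$in_id" in
        yes/yes) echo "consistent-member" ;;
        no/no)   echo "consistent-nonmember" ;;
        no/yes)  echo "id-only" ;;      # the symptom reported in the thread
        yes/no)  echo "getent-only" ;;  # initgroups result lacks the group
    esac
}

# check_live USER GROUP: run the same comparison against the local NSS stack.
check_live() {
    classify "$1" "$(getent group "$2")" "$(id -G "$1")"
}

if [ "$#" -eq 2 ]; then
    check_live "$1" "$2"
else
    # Constructed sample: user "u" is missing from the member list of group
    # "g" (GID 5001), yet 5001 appears in the user's supplementary GIDs.
    classify u 'g:*:5001:alice,bob' '1000 5001'
fi
```

An `id-only` result is the case described above; since access decisions use the initgroups list, `getent-only` is the result that would warrant closer attention.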