On Wed, Dec 04, 2013 at 09:24:58AM +0000, greg.lehm...@csiro.au wrote:
>
> > -----Original Message-----
> > From: sssd-devel-boun...@lists.fedorahosted.org [mailto:sssd-devel-boun...@lists.fedorahosted.org] On Behalf Of steve
> > Sent: Wednesday, 4 December 2013 6:20 PM
> > To: sssd-devel@lists.fedorahosted.org
> > Subject: Re: [SSSD] problem with AD nested group expansion, maybe?
> >
> > On Wed, 2013-12-04 at 00:55 +0000, greg.lehm...@csiro.au wrote:
> > > It was defined in the first message. Same machine. All I am doing is
> > > stopping sssd, clearing cache dbs, restarting and doing some getents on
> > > passwd and group entries.
> > >
> > > > -----Original Message-----
> > > > From: sssd-devel-boun...@lists.fedorahosted.org [mailto:sssd-devel-boun...@lists.fedorahosted.org] On Behalf Of Dmitri Pal
> > > > Sent: Wednesday, 4 December 2013 10:04 AM
> > > > To: sssd-devel@lists.fedorahosted.org
> > > > Subject: Re: [SSSD] problem with AD nested group expansion, maybe?
> > > >
> > > > On 12/03/2013 06:38 PM, greg.lehm...@csiro.au wrote:
> > > > > I'm using the standard SLES OS 1.9.4 packages. I may get time, but
> > > > > it's unlikely, to build newer versions.
> > > > >
> > > > > The nesting is shallow:
> > > > >
> > > > > Group1 contains group2, group3, group4, user1, user2, user3
> > > > > Group2 contains user4, user5, user6
> > > > > Group3 contains user7, user8, user9
> > > > > Group4 contains user10,user11,user12
> > > > >
> > > > > So what is happening is that sometimes, getent group1 is returning
> > > > > just user1,user2,user3 and other times it returns all 12 users.
> > > > Greg,
> > > >
> > > > Please define "sometimes"?
> > > > Same machine or different machines? I mean does it work from some
> > > > machines and does not from others or on the same machine you run at
> > > > different times and you get different results?
> > > > What is the state of the machine in terms of cache? Was it cleaned in
> > > > between attempts?
> > > > Is the system online or offline when you observe the issue?
> > > >
> > > > Since it is AD and AD requires multiple round-trips to get nested
> > > > groups
> > > > It might be that in your case the follow up lookups for some reason do
> > > > not always go through.
> > > >
> > > > Jakub, maybe it times out and SSSD thinks that there are no sub
> > > > groups?
> > > >
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Greg
> > > > >
> > > > >> -----Original Message-----
> > > > >> From: sssd-devel-boun...@lists.fedorahosted.org [mailto:sssd-devel-boun...@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
> > > > >> Sent: Tuesday, 3 December 2013 7:24 PM
> > > > >> To: sssd-devel@lists.fedorahosted.org
> > > > >> Subject: Re: [SSSD] problem with AD nested group expansion, maybe?
> > > > >>
> > > > >> On Tue, Dec 03, 2013 at 07:19:50AM +0000, greg.lehm...@csiro.au wrote:
> > > > >>> I've noticed under 1.9.4 that starting with an empty cache, doing a
> > > > >>> getent group does not return all members of the group, sometimes.
> > > > >>> The actual group in AD contains some users and some subgroups of
> > > > >>> users. Not nested deeply, but multiple subgroups...
> > > > >>> If I do a
> > > > >>> getent group group1
> > > > >>>
> > > > >>> when the cache is fresh it does not return all members. If I do a
> > > > >>> getent passwd on one of my accounts as a member of group1 and then
> > > > >>> follow that with a getent group group1 it will return all the members
> > > > >>> of the group. If I getent passwd account2 (also a member of group1) it
> > > > >>> does not help getent group return all members.
> > > > >>> Any ideas?
> > > > >>>
> > > >
> > Hi
> > We have similar (nothing deep) nesting and had similar issues on
> > openSUSE with 1.9.5. It seems to be fixed on 1.11.x. It's a real pain to
> > build and install but you could do us all a big favour by putting
> > pressure on SUSE to get up to date with sssd by informing them of your
> > problems with the existing version and success with a 1.11 version.
> > They'll listen more to an sles user than us!
> >
> > On a side note, I'm surprised that it _sometimes_ works. Are you sure
> > you don't have nscd active?
> >
> > Sorry this is not exactly what you want to hear but I predict that if
> > you can find the time for the build, it would resolve the nesting.
> > Cheers,
> > Steve
> >
> >
> > _______________________________________________
> > sssd-devel mailing list
> > sssd-devel@lists.fedorahosted.org
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>
> Tell you what: You get RHEL to include it and I'll push SUSE about SLES. I
> mean 6.5 just came out and they did not increase the version by even a minor
> step over 6.4! There may be more chance of a change with SLES 12 although it
> is likely based on opensuse and as you say that has not gotten there yet.

btw if you have RHEL6.5 handy, can you check if you see the same issue there?