Hi Sumit, I have run those commands and both show the same amount of memberOf attributes. At first, with a nested group there were 143 so for a test with fewer groups, I removed the nested group but the result is the same. With 20 groups, and sssd cache destructively cleared and sssd restarted, the groups reach the ipa command and the ldapsearch fine but not id/groups commands.
Alfred On Wed, Jun 17, 2020 at 1:39 AM Sumit Bose <[email protected]> wrote: > On Tue, Jun 16, 2020 at 05:12:09PM -0500, Alfred Victor via FreeIPA-users > wrote: > > I should note the problem exists on latest CentOS7 with fully up to date > > rpms on both client/server. > > > > Alfred > > > > On Tue, Jun 16, 2020 at 3:02 PM Alfred Victor <[email protected]> > wrote: > > > > > Hi all, > > > > > > We have built a FreeIPA system and used ipa migrate-ds to migrate and > are > > > testing the environment however we have a stubbornly persistent issue > with > > > gid array from posix commands or when dealing with filesystem > ownerships. > > > When I create a user in IPA, then add some groups, the issue is > immediately > > > present. In this case these first two below are missing a group > ("testers"): > > > > > > [alvic@HOD28 ~]$ id ipatest > > > > > > uid=464200021(ipatest) gid=464200021(ipatest) > > > groups=464200021(ipatest),464200000(admins) > > > > > > And another: > > > > > > [alvic@NODE-1-1 ~]$ id ipatest > > > > > > uid=464200021(ipatest) gid=464200021(ipatest) > > > groups=464200021(ipatest),464200000(admins) > > > > > > > > > More commonly, this is the case where only primary gid is returned, and > > > both groups are missing: > > > > > > > > > [alvic@NODE-1-2 ~]$ id ipatest > > > > > > uid=464200021(ipatest) gid=464200021(ipatest) groups=464200021(ipatest) > > > > > > > > > > > > The client systems were each provisioned like so, and we have also > tested > > > and found this issue on a totally up to date new CentOS 7 system: > > > > > > > > > ipa-client-install -U -q -p [redacted] --domain=redacted.com --server= > > > ipa.redacted.com --fixed-primary --force-join > > > > > > > > > > > > We have also attempted a full update of the IPA server via yum update > and > > > restarted it but the issue is incredibly common. We have also enabled > sssd > > > debuglevel 7 and I noted the following line: > > > > > > > > > > > > (Tue Jun 16 10:01:09 2020) [sssd[be[redacted.com]]] [sdap_save_user] > > > (0x0400): Original memberOf is not available for [[email protected] > ]. > > > > > > > > > Worth noting that groups display fine for a user, without fail, only if > > > using "ipa user-show" > > Hi, > > there might be a permission issue when reading the memberOf attribute. > > Can you first check if memberOf attributes are shown if you call: > > ipa user-show --all --raw ipatest > > The next step is the check ldapsearch > > kdestroy -A > kinit -k > ldapsearch -Y GSSAPI -b > 'uid=ipatest,cn=users,cn=accounts,dc=your,dc=ipa,dc=domain' > > You can copy the DN ('uid=ipatest,cn=...) from the first line of the > 'ipa user-show' output. Please check if ldapsearch returns the same > memberOf attributes as 'ipa user-show' > > bye, > Sumit > > > > > > > > > > > > > Alfred > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- [email protected] > > To unsubscribe send an email to > [email protected] > > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
