On 27.01.21 16:16, Alexander Bokovoy wrote:
On Wed, 27 Jan 2021, Ronald Wimmer via FreeIPA-users wrote:
On 27.01.21 14:48, Alexander Bokovoy wrote:
On Wed, 27 Jan 2021, Ronald Wimmer via FreeIPA-users wrote:

Check that you are on the system that has glibc with group merging
support and it is configured to do so.


What's the easiest way to find that out? ldd --version shows me 2.28.

I don't know what distro you are using. In RHEL, this support was added
with glibc-2.17-170.el7 on x86_64 and with glibc-2.17-197.el7 on
s390/ppc64.

The easiest way really is to add an initgroups statement to nsswitch.conf
and see whether that works.

On RHEL 8 or other authselect-based systems you can modify
/etc/authselect/user-nsswitch.conf to enable initgroups and then
authselect will merge it.

[root@master ~]# fgrep initgroups /etc/authselect/user-nsswitch.conf
# initgroups, netgroup, networks, passwd, protocols, publickey,
# Allow initgroups to default to the setting for group.
initgroups: sss [SUCCESS=merge] files
[root@master ~]# ipa user-add testuser
First name: test
Last name: user
---------------------
Added user "testuser"
---------------------
   User login: testuser
   First name: test
   Last name: user
   Full name: test user
   Display name: test user
   Initials: tu
   Home directory: /home/testuser
   GECOS: test user
   Login shell: /bin/sh
   Principal name: [email protected]
   Principal alias: [email protected]
   Email address: [email protected]
   UID: 19000024
   GID: 19000024
   Password: False
   Member of groups: ipausers
   Kerberos keys available: False
[root@master ~]# getent group audio
audio:x:63:
[root@master ~]# ipa group-add audio --gid 63
-------------------
Added group "audio"
-------------------
   Group name: audio
   GID: 63
[root@master ~]# ipa group-add-member audio --users testuser
   Group name: audio
   GID: 63
   Member users: testuser
-------------------------
Number of members added 1
-------------------------
[root@master ~]# getent initgroups testuser
testuser              63
[root@master ~]#

Now, if I add 'testuser' to the 'video' group in /etc/group, 'video' will
be in the list of groups 'testuser' is a member of:

[root@master ~]# fgrep testuser /etc/group
video:x:39:testuser
[root@master ~]# getent initgroups testuser
testuser              63 39

This is on RHEL 8.

On my server (Oracle Linux 8.3) fgrep /etc/authselect/user-nsswitch.conf returns nothing.

What I did:
- Added "initgroups: sss [SUCCESS=merge] files" as first line in /etc/nsswitch.conf
- Created [email protected] user in IPA
- usermod -a -G docker [email protected]

getent initgroups [email protected] returns just the user name.

So it seems not to work. Or am I missing something?

Cheers,
Ronald
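
Added example, not part of the original messages: a small shell check for the two things the thread tests by hand, namely whether the active initgroups line has the "sss [SUCCESS=merge] files" form and whether a `getent initgroups` result contains the GIDs the local group file assigns to the user. The function names and all file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: every file written below is a constructed sample, not a real system file.

# Print the active (uncommented) initgroups line of an nsswitch.conf-style file.
initgroups_line() {
    awk '/^[ \t]*initgroups[ \t]*:/ { print; exit }' "$1"
}

# Succeed only if that line has the form used in the thread: sss [SUCCESS=merge] ...
sss_merges() {
    initgroups_line "$1" | grep -Eq 'sss[[:space:]]+\[SUCCESS=merge\]'
}

# Print the GIDs of groups in a group(5)-format file that list user $1 as a member.
local_gids() {
    awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $3 }' "$2"
}

# Print local GIDs for user $1 (group file $2) that are absent from the
# `getent initgroups` output line passed as $3.
missing_gids() {
    have=$(printf '%s\n' "$3" | awk '{ for (i = 2; i <= NF; i++) print $i }')
    for gid in $(local_gids "$1" "$2"); do
        printf '%s\n' "$have" | grep -qx "$gid" || echo "$gid"
    done
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.conf" <<'EOF'
# Allow initgroups to default to the setting for group.
initgroups: sss [SUCCESS=merge] files
group:      sss files
EOF
cat > "$tmp/group" <<'EOF'
audio:x:63:
video:x:39:testuser
EOF

sss_merges "$tmp/nsswitch.conf" && echo "initgroups merges sss with files"
# First call: output with the local group merged in; second: only the user name returned.
echo "missing when merged:   [$(missing_gids testuser "$tmp/group" 'testuser              63 39')]"
echo "missing when unmerged: [$(missing_gids testuser "$tmp/group" 'testuser')]"
```

On a live host the same functions can be pointed at /etc/nsswitch.conf and /etc/group, with the third argument of missing_gids taken from `getent initgroups <user>`.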