On 15.1.2016 08:48, David Kupka wrote:
> On 14/01/16 22:09, Rob Crittenden wrote:
>> Prasun Gera wrote:
>>> This is an old thread, but I can confirm that this is still an issue on
>>> RHEL 7.2 + 4.2. This creates problems when there are roles associated
>>> with groups, but group membership through GID is broken. I had migrated
>>> all old NIS accounts into ipa. I then added the host enrollment role to
>>> a particular group. Now, unless I add the users to the group explicitly,
>>> they won't get the role, even if their gid is the same as the gid of the
>>> group.
>>
>> The user GIDNumber just sets the default group for POSIX. If you do
>> groups on the user I'll bet it shows correctly.
>>
>> For the purposes of IPA access control, as you've seen, the user must
>> have a memberOf for a given group, either directly or indirectly.
>>
>> rob
>>
>
> Exactly, but the question is, shouldn't IPA add this membership automatically?
> (Of course, only in case IPA has a group with this GID.)

IMHO we should. Currently, the user effectively has different group membership on POSIX systems and non-POSIX systems which read only the member attribute. I think that this is surprising and inconsistent.

Petr^2 Spacek

>
> David
>
>>> On Mon, Aug 24, 2015 at 5:01 AM, David Kupka <dku...@redhat.com
>>> <mailto:dku...@redhat.com>> wrote:
>>>
>>> On 21/08/15 15:21, bahan w wrote:
>>>
>>> Hello !
>>>
>>> I am contacting you because I noticed something strange with the IPA
>>> environment.
>>>
>>> I created a group:
>>> ipa group-add g1 --desc="my first group"
>>>
>>> Then I created a user with the GID of g1:
>>> GID1=`ipa group-show g1 | awk '/GID/ {printf("%s",$2)}'`
>>> ipa user-add --first=u1 --last=u1 --homedir=/home/u1 --shell=/bin/bash --gidnumber=${GID1} u1
>>>
>>> Then when I perform the ipa group-show g1 command, I get the
>>> following result:
>>> ###
>>> Group name: g1
>>> Description: my first group
>>> GID: <gid1>
>>> ###
>>>
>>> Same for ipa user-show u1:
>>> ###
>>> User login: u1
>>> First name: u1
>>> Last name: u1
>>> Home directory: /home/u1
>>> Login shell: /bin/bash
>>> Email address: u1@<MYDOMAIN>
>>> UID: <uid1>
>>> GID: <gid1>
>>> Account disabled: False
>>> Password: False
>>> Member of groups: ipausers
>>> Kerberos keys available: False
>>> ###
>>>
>>> These 2 commands do not see u1 as a member of g1.
>>> When I try the command id u1, I can see the group:
>>>
>>> ###
>>> id u1
>>> uid=<uid1>(u1) gid=<gid1>(g1) groups=<gid1>(g1)
>>> ###
>>>
>>> Is it the normal behaviour of these IPA commands?
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>>
>>>
>>> Hello!
>>>
>>> I'm not sure if this is intended and/or correct behavior or not.
>>> Looking at /etc/passwd and /etc/group I see it behaves similarly in
>>> a way.
>>>
>>> You can have the following entries in the aforementioned files:
>>>
>>> [/etc/group]
>>> ...
>>> g1:x:<gid1>:
>>> ...
>>>
>>> [/etc/passwd]
>>> ...
>>> u1:x:<uid1>:<gid1>::/home/u1:/bin/bash
>>> ...
>>>
>>> Looking in /etc/group you can't see that user 'u1' is a member of group
>>> 'g1', but tools like id, groups and getent show this information.
>>>
>>> On the other hand it would be useful to show these "implicit"
>>> members in group-show output.
>>> Could you please file a ticket
>>> (https://fedorahosted.org/freeipa/newticket)?
>>>
>>> --
>>> David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
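The discrepancy the thread describes, as an added example that is not part of the original thread or of the FreeIPA code: a POSIX client (id, groups, NSS) derives membership from the user's primary gidNumber plus the group's explicit member list, while IPA's own access control (roles, HBAC, group-show) reads only memberOf. The Python below models users and groups as small dataclasses (the attribute names gidNumber, member and memberOf are LDAP's; the data structures, sample values and function names are assumptions) and audits for users a POSIX host would put in a group that IPA would not, which is exactly the case where a role attached to that group silently does not apply.

```python
"""Audit helper: find users whose primary GID points at an IPA group that
they are not a memberOf.  Example code, not from the freeipa project; the
dataclasses stand in for LDAP entries and the sample data is constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class User:
    uid: str
    uid_number: int
    gid_number: int                                   # primary GID (/etc/passwd field 4)
    member_of: Set[str] = field(default_factory=set)  # cn values from memberOf


@dataclass
class Group:
    cn: str
    gid_number: Optional[int]                         # None for a non-POSIX group
    member: Set[str] = field(default_factory=set)     # uids listed in 'member'


def posix_groups(user: User, groups: List[Group]) -> Set[str]:
    """Membership as id(1)/NSS computes it: primary GID plus explicit members.
    Non-POSIX groups (no gidNumber) are invisible to NSS and are skipped."""
    names = {g.cn for g in groups
             if g.gid_number is not None and g.gid_number == user.gid_number}
    names |= {g.cn for g in groups
              if g.gid_number is not None and user.uid in g.member}
    return names


def ipa_groups(user: User) -> Set[str]:
    """Membership as IPA access control sees it: memberOf only."""
    return set(user.member_of)


def implicit_members(users: List[User], groups: List[Group]) -> Dict[str, Set[str]]:
    """Users that POSIX places in a group but IPA's memberOf does not.
    A gidNumber that matches no IPA group (e.g. a migrated NIS account)
    produces no finding, because there is no group whose roles could apply."""
    findings: Dict[str, Set[str]] = {}
    for u in users:
        gap = posix_groups(u, groups) - ipa_groups(u)
        if gap:
            findings[u.uid] = gap
    return findings


def id_line(user: User, groups: List[Group]) -> str:
    """Render what 'id <user>' would print on an enrolled host."""
    by_gid = {g.gid_number: g.cn for g in groups if g.gid_number is not None}

    def fmt(gid: int) -> str:
        return f"{gid}({by_gid[gid]})" if gid in by_gid else str(gid)

    gids = [user.gid_number] + sorted(
        g.gid_number for g in groups
        if g.gid_number is not None and g.gid_number != user.gid_number
        and user.uid in g.member)
    return (f"uid={user.uid_number}({user.uid}) gid={fmt(user.gid_number)} "
            f"groups={','.join(fmt(g) for g in gids)}")


# Constructed sample data mirroring the thread: g1 is POSIX, ipausers is the
# default non-POSIX group, u1 only shares g1's GID, u2 was added explicitly,
# u3 keeps a GID from NIS that no IPA group carries.
SAMPLE_GROUPS = [
    Group("g1", 2001, member={"u2"}),
    Group("ipausers", None, member={"u1", "u2", "u3"}),
]
SAMPLE_USERS = [
    User("u1", 1001, 2001, member_of={"ipausers"}),
    User("u2", 1002, 2001, member_of={"ipausers", "g1"}),
    User("u3", 1003, 5000, member_of={"ipausers"}),
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(id_line(u, SAMPLE_GROUPS), "| memberOf:", sorted(ipa_groups(u)))
    for uid, gap in implicit_members(SAMPLE_USERS, SAMPLE_GROUPS).items():
        print(f"{uid}: POSIX member of {sorted(gap)} but not memberOf in IPA")
```

Fed with real data (for instance the output of ldapsearch over the users and groups containers), the implicit_members report is the list to review before relying on a group-bound role: u1 above gets host enrollment rights on a POSIX host's view of g1 but not from IPA, and u2 is consistent because the explicit member entry produces the memberOf.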