On 15.1.2016 15:55, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 15.1.2016 08:48, David Kupka wrote:
>>> On 14/01/16 22:09, Rob Crittenden wrote:
>>>> Prasun Gera wrote:
>>>>> This is an old thread, but I can confirm that this is still an issue on
>>>>> RHEL 7.2 + 4.2. This creates problems when there are roles associated
>>>>> with groups, but group membership through GID is broken. I had migrated
>>>>> all old NIS accounts into ipa. I then added the host enrollment role to
>>>>> a particular group. Now, unless I add the users to the group explicitly,
>>>>> they won't get the role, even if their gid is the same as the gid of the
>>>>> group.
>>>>
>>>> The user GIDNumber just sets the default group for POSIX. If you do
>>>> groups on the user I'll bet it shows correctly.
>>>>
>>>> For the purposes of IPA access control, as you've seen, the user must
>>>> have a memberOf for a given group, either directly or indirectly.
>>>>
>>>> rob
>>>>
>>>
>>> Exactly, but the question is, shouldn't IPA add this membership
>>> automatically?
>>> (Of course, only in case IPA has group with this GID.)
>>
>> IMHO we should. Currently, the user effectively has different group
>> membership on POSIX systems and non-POSIX systems which read only member
>> attribute. I think that this is surprising and inconsistent.
>
> Seems like next step is to open the RFE.
>
> I wouldn't characterize it as POSIX vs non-POSIX as that could confuse
> things. It is just that if the user doesn't have a UPG then they
> probably don't have a memberOf for their GID group.
https://fedorahosted.org/freeipa/ticket/5613

-- 
Petr^2 Spacek
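The inconsistency discussed in the thread (a user's gidNumber points at an IPA group, but the user has no memberOf for that group, so IPA access control such as role membership does not apply) can be audited before deciding what to reconcile. The following is an added example written for this page, not code from the thread, FreeIPA, or the ticket. It runs over constructed sample entries shaped like LDAP search results (attribute name to list of values); in a real deployment the same function would be fed entries read from the users and groups containers. The DNs and values are made up, and the assumption that user-private groups carry a mepManagedBy attribute is how the example tells a UPG apart from a regular group.

```python
# Added audit example (not from the thread or from FreeIPA): report users whose
# gidNumber matches the gidNumber of a regular IPA group but who do not have
# that group in memberOf. Such users get the group on POSIX clients (via GID)
# but not in IPA's own membership view, which is what roles and other IPA
# access control look at.
from typing import Dict, List, Optional, Tuple

# An LDAP entry as returned by a search: attribute name -> list of values.
Entry = Dict[str, List[str]]

# Constructed sample data; DNs and numbers are illustrative only.
GROUPS: List[Entry] = [
    {"dn": ["cn=admins,cn=groups,cn=accounts,dc=example,dc=test"],
     "cn": ["admins"], "gidNumber": ["1000"]},
    {"dn": ["cn=nis-users,cn=groups,cn=accounts,dc=example,dc=test"],
     "cn": ["nis-users"], "gidNumber": ["5000"]},
    # A user-private group (UPG). FreeIPA manages these with the managed-entry
    # plugin; the example assumes the mepManagedBy attribute marks them.
    {"dn": ["cn=carol,cn=groups,cn=accounts,dc=example,dc=test"],
     "cn": ["carol"], "gidNumber": ["123456"],
     "mepManagedBy": ["uid=carol,cn=users,cn=accounts,dc=example,dc=test"]},
]

USERS: List[Entry] = [
    # Explicit member of admins: POSIX and IPA views agree.
    {"uid": ["alice"], "gidNumber": ["1000"],
     "memberOf": ["cn=admins,cn=groups,cn=accounts,dc=example,dc=test",
                  "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test"]},
    # Migrated NIS-style account: gidNumber points at nis-users, no memberOf.
    {"uid": ["bob"], "gidNumber": ["5000"],
     "memberOf": ["cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test"]},
    # User with a UPG: its GID belongs to the private group, nothing to fix.
    {"uid": ["carol"], "gidNumber": ["123456"],
     "memberOf": ["cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test"]},
]


def first(entry: Entry, attr: str) -> Optional[str]:
    """Return the first value of a (possibly multi-valued) attribute, or None."""
    values = entry.get(attr)
    return values[0] if values else None


def gid_to_group_dn(groups: List[Entry]) -> Dict[str, str]:
    """Map gidNumber -> group DN for regular groups only.

    User-private groups are skipped: a user is never a member of their own
    UPG in IPA, so flagging them would be noise (assumption: UPGs carry
    mepManagedBy).
    """
    index: Dict[str, str] = {}
    for g in groups:
        if "mepManagedBy" in g:
            continue
        gid, dn = first(g, "gidNumber"), first(g, "dn")
        if gid is not None and dn is not None:
            index[gid] = dn
    return index


def find_gid_only_members(users: List[Entry],
                          groups: List[Entry]) -> List[Tuple[str, str]]:
    """Return (uid, group DN) pairs where the user's primary GID names an IPA
    group that is absent from the user's memberOf.

    memberOf in IPA already includes indirect (nested) membership, so one
    lookup covers both the direct and indirect cases from the thread.
    """
    index = gid_to_group_dn(groups)
    findings: List[Tuple[str, str]] = []
    for u in users:
        group_dn = index.get(first(u, "gidNumber") or "")
        if group_dn is None:
            continue  # GID belongs to no regular IPA group (UPG or external)
        member_of = {dn.lower() for dn in u.get("memberOf", [])}
        if group_dn.lower() not in member_of:  # DNs compare case-insensitively
            findings.append((first(u, "uid") or "?", group_dn))
    return findings


if __name__ == "__main__":
    for uid, dn in find_gid_only_members(USERS, GROUPS):
        print(f"{uid}: primary GID group {dn} missing from memberOf")
```

Only bob is reported: alice's membership is explicit, and carol's GID belongs to her private group. Whether to reconcile by adding the flagged users to the group (as the thread suggests) or by changing their gidNumber is a policy decision; the audit just surfaces the mismatch.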
