On 15.1.2016 15:55, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 15.1.2016 08:48, David Kupka wrote:
>>> On 14/01/16 22:09, Rob Crittenden wrote:
>>>> Prasun Gera wrote:
>>>>> This is an old thread, but I can confirm that this is still an issue on
>>>>> RHEL 7.2 + 4.2. This creates problems when there are roles associated
>>>>> with groups, but group membership through GID is broken. I had migrated
>>>>> all old NIS accounts into ipa. I then added the host enrollment role to
>>>>> a particular group. Now, unless I add the users to the group explicitly,
>>>>> they won't get the role, even if their gid is the same as the gid of the
>>>>> group.
>>>>
>>>> The user GIDNumber just sets the default group for POSIX. If you do
>>>> groups on the user I'll bet it shows correctly.
>>>>
>>>> For the purposes of IPA access control, as you've seen, the user must
>>>> have a memberOf for a given group, either directly or indirectly.
>>>>
>>>> rob
>>>>
>>>
>>> Exactly, but the question is, shouldn't IPA add this membership 
>>> automatically?
>>> (Of course, only in case IPA has group with this GID.)
>>
>> IMHO we should. Currently, the user effectively has different group 
>> membership
>> on POSIX systems and non-POSIX systems which read only member attribute. I
>> think that this is surprising and inconsistent.
> 
> Seems like next step is to open the RFE.
> 
> I wouldn't characterize it as POSIX vs non-POSIX as that could confuse
> things. It is just that if the user doesn't have a UPG then they
> probably don't have a memberOf for their GID group.

https://fedorahosted.org/freeipa/ticket/5613

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to