On 24.02.2017 15:56, Bernard Fay wrote:
> Stopping nscd did not change anything. "groups username" still shows
> user as member of Administrators.

Please can you make an ldapsearch for the object username and the output from getent passwd username.

best regards
Michael

> On Fri, Feb 24, 2017 at 9:50 AM, Mark Coetser <[email protected]> wrote:
>
> > stop nscd and check again.
> >
> > --
> > Thank you,
> >
> > Mark Adrian Coetser
> > [email protected]
> >
> > ... bleakness ... desolation ... plastic forks ...
> >
> > On 24/02/2017 16:40, Bernard Fay wrote:
> >
> > > On Fri, Feb 24, 2017 at 9:12 AM, Michael Wandel <[email protected]> wrote:
> > >
> > > > On 24.02.2017 14:55, Bernard Fay wrote:
> > > > > Hi,
> > > > >
> > > > > I removed a user from an LDAP group about a week ago. Today, this user
> > > > > still shows as member of the group with the Linux command groups. Also,
> > > > > the group (Administrators) appears twice in the output of the command id:
> > > > > uid=10000(username) gid=10000(Administrators)
> > > > > groups=10001(users),10005(devel),10011(video),10015(ansible),10000(Administrators)
> > > >
> > > > Can you please let us know about your nss configuration
> > > > /etc/nsswitch.conf . IMHO it looks ok that the administrators is the
> > > > primary group and also in the groups enumeration.
> > > >
> > > > > The command getent though shows the proper group assignation:
> > > > > getent group | grep username | cut -d: -f1
> > > > > users
> > > > > devel
> > > > > video
> > > > > ansible
> > > > >
> > > > > All of those groups are LDAP groups.
> > > > >
> > > > > Does someone know why and would know how to fix this?
> > > >
> > > > you can't find primary groups for a user with your command, grepping
> > > > through "getent group" . In modern systems aka sssd it is not a good
> > > > idea, because enumeration is by default set to false.
> > >
> > > ]# grep -Ev "^\#|^$" /etc/nsswitch.conf
> > > passwd: files sss ldap
> > > shadow: files sss ldap
> > > group: files sss ldap
> > > hosts: files dns
> > > bootparams: nisplus [NOTFOUND=return] files
> > > ethers: files
> > > netmasks: files
> > > networks: files
> > > protocols: files
> > > rpc: files
> > > services: files sss
> > > netgroup: files sss ldap
> > > publickey: nisplus
> > > automount: files ldap
> > > aliases: files nisplus
> > >
> > > The user has been removed from the groups Administrators so it should
> > > not show.
> > >
> > > I do not use sssd as our LDAP is not secured so I use nscd. This LDAP
> > > is confined to a lab.
> > >
> > > Thanks,

-- 
Michael Wandel
Braakstraße 43
33647 Bielefeld
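An added example, not part of the original thread: the difference between the member list in a group entry and the primary GID in the passwd entry, which is why grepping "getent group" cannot show the primary group. The function names and the sample records are constructed for illustration; only the user name, group names and numeric IDs mirror the id output quoted above.

```shell
#!/bin/sh
# Constructed sample records in "getent passwd" / "getent group" format.
# They are not taken from the poster's directory.
PASSWD_SAMPLE='username:*:10000:10000:Example User:/home/username:/bin/bash'
GROUP_SAMPLE='Administrators:*:10000:
users:*:10001:username
devel:*:10005:username,other
video:*:10011:username
ansible:*:10015:username
ops:*:10020:otheruser,username2'

# Groups that name the user in their member field (field 4).
# Exact comparison per member, so "username2" does not match "username",
# which a plain grep on the user name would.
member_groups() {   # $1 = user, $2 = group records
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }'
}

# Primary group: taken from the GID field (field 4) of the passwd entry
# and resolved to a name through the group records. No member list is
# consulted, so removing the user from the member list does not change it.
primary_group() {   # $1 = user, $2 = passwd records, $3 = group records
    gid=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; exit }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$3" | awk -F: -v g="$gid" '$3 == g { print $1; exit }'
}

# Combined view, primary group first, duplicates dropped.
effective_groups() {   # $1 = user, $2 = passwd records, $3 = group records
    { primary_group "$1" "$2" "$3"; member_groups "$1" "$3"; } |
        awk '!seen[$0]++' | paste -sd' ' -
}

echo "primary:   $(primary_group username "$PASSWD_SAMPLE" "$GROUP_SAMPLE")"
echo "members:   $(member_groups username "$GROUP_SAMPLE" | paste -sd' ' -)"
echo "effective: $(effective_groups username "$PASSWD_SAMPLE" "$GROUP_SAMPLE")"
```

On a live host the same functions accept "$(getent passwd username)" and "$(getent group)" as input; as the reply notes, the group listing is only complete where enumeration is enabled.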
