Re: [Freeipa-users] Users not inheriting groups
On Mon, Aug 04, 2014 at 09:18:11AM +0200, Jakub Hrozek wrote:
> On Fri, Aug 01, 2014 at 10:58:14AM -0700, William Graboyes wrote:
> > Thanks for your help,
> >
> > The group memberships are propagated properly on the server side:
> >
> > dn: uid=user,cn=users,cn=accounts,dc=cenic,dc=org
> > uid: user
> > givenname: userfn
> > sn: userln
> > cn: userfn userln
> > displayname: userfn userln
> > initials: uu
> > homedirectory: /home/user
> > gecos: userfn userln
> > loginshell: /bin/bash
> > krbprincipalname: u...@org.org
> > mail: u...@cenic.org
> > uidnumber: 1080
> > gidnumber: 1080
> > nsaccountlock: False
> > has_password: True
> > has_keytab: True
> > ipauniqueid: 2d01b68e-fb38-11e3-9d0d-525400e99b50
> > krbextradata: AALodNFTc3JpYXpAQ0VOSUMuT1JHAA==
> > krblastfailedauth: 20140731220341Z
> > krblastpwdchange: 20140724210440Z
> > krblastsuccessfulauth: 20140731223953Z
> > krbloginfailedcount: 0
> > krbpasswordexpiration: 20141022210440Z
> > krbpwdpolicyreference: cn=global_policy,cn=ORG.ORG,cn=kerberos,dc=org,dc=org
> > memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
> > memberof: cn=games,cn=groups,cn=accounts,dc=org,dc=org
> > memberof: cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
> > memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
> > memberofindirect: ipauniqueid=696df694-e690-11e3-8fc8-525400e99b50,cn=sudorules,cn=sudo,dc=org,dc=org
> > memberofindirect: ipauniqueid=a3eb8884-ecdc-11e3-a0df-525400e99b50,cn=ng,cn=alt,dc=org,dc=org
> > memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
> > memberofindirect: cn=engineering_core,cn=groups,cn=accounts,dc=org,dc=org
> > memberofindirect: cn=engineering,cn=groups,cn=accounts,dc=org,dc=org
> > memberofindirect: cn=staff,cn=groups,cn=accounts,dc=org,dc=org
> > mepmanagedentry: cn=sriaz,cn=groups,cn=accounts,dc=org,dc=org
> > objectclass: top
> > objectclass: person
> > objectclass: organizationalperson
> > objectclass: inetorgperson
> > objectclass: inetuser
> > objectclass: posixaccount
> > objectclass: krbprincipalaux
> > objectclass: krbticketpolicyaux
> > objectclass: ipaobject
> > objectclass: ipasshuser
> > objectclass: ipaSshGroupOfPubKeys
> > objectclass: mepOriginEntry
> >
> > This has been scrubbed, the group that is not being seen on the client
> > side is the rancid group, which is showing up here.
>
> OK, then we know we're looking at a client side problem.
>
> Can you:
> 1) service sssd stop
> 2) edit /etc/sssd/sssd.conf and put debug_level=7 into both [nss] and [domain] sections
> 3) service sssd start
> 4) sss_cache -UG
> 5) id -G $username
>
> Then attach the logs found at /var/log/sssd/sssd_$domain.log
>
> If you feel the logs are too sensitive for a mailing list, you can
> send them directly to me and CC: pbrezina -at- redhat -dot- com

btw do all the groups have a POSIX ID ? We currently have a bug in SSSD
where we don't resolve non-POSIX groups correctly.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
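The follow-up above asks whether every group involved has a POSIX ID. As an added example (not code from this thread, nor from the SSSD or FreeIPA projects), the script below reads an LDIF dump of the groups container and prints the cn of every group entry that carries no gidNumber, which is what a non-POSIX IPA group looks like in the directory. The LDIF it is fed is constructed for the example under an assumed dc=example,dc=com suffix; the ldapsearch line in the comment is how you would feed it real data.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists IPA groups that carry no
# gidNumber (non-POSIX groups). Feed it real data with something like:
#   ldapsearch -LLL -o ldif-wrap=no -b 'cn=groups,cn=accounts,dc=example,dc=com' \
#       '(objectclass=ipausergroup)' cn gidNumber | nonposix_groups
# dc=example,dc=com is an assumed suffix; -o ldif-wrap=no keeps each
# attribute on one line so the per-line matching below is safe.

# Constructed sample, not the entry posted in the thread: three groups,
# one of which (rancid) has no gidNumber.
SAMPLE_GROUPS_LDIF='dn: cn=engineering,cn=groups,cn=accounts,dc=example,dc=com
cn: engineering
gidNumber: 1101

dn: cn=rancid,cn=groups,cn=accounts,dc=example,dc=com
cn: rancid

dn: cn=rancid_users,cn=groups,cn=accounts,dc=example,dc=com
cn: rancid_users
gidNumber: 1102
'

# Read LDIF on stdin and print the cn of every entry that has no gidNumber.
# Entries are separated by blank lines; attribute names are matched
# case-insensitively because `ipa ... --raw` output lowercases them.
nonposix_groups() {
    awk '
        function flush() {
            if (cn != "" && !posix) print cn
            cn = ""; posix = 0
        }
        tolower($0) ~ /^cn: /        { cn = substr($0, 5) }
        tolower($0) ~ /^gidnumber: / { posix = 1 }
        /^$/                         { flush() }
        END                          { flush() }
    '
}

# Demo run on the constructed sample; prints "rancid".
printf '%s' "$SAMPLE_GROUPS_LDIF" | nonposix_groups
```

Any name this prints is a group that id(1) on an SSSD client of that era could silently drop; if the "missing" group shows up here, the memberof chain on the server is not the place to keep looking.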
Re: [Freeipa-users] Users not inheriting groups
On Fri, Aug 01, 2014 at 10:58:14AM -0700, William Graboyes wrote:
> Thanks for your help,
>
> The group memberships are propagated properly on the server side:
>
> dn: uid=user,cn=users,cn=accounts,dc=cenic,dc=org
> uid: user
> givenname: userfn
> sn: userln
> cn: userfn userln
> displayname: userfn userln
> initials: uu
> homedirectory: /home/user
> gecos: userfn userln
> loginshell: /bin/bash
> krbprincipalname: u...@org.org
> mail: u...@cenic.org
> uidnumber: 1080
> gidnumber: 1080
> nsaccountlock: False
> has_password: True
> has_keytab: True
> ipauniqueid: 2d01b68e-fb38-11e3-9d0d-525400e99b50
> krbextradata: AALodNFTc3JpYXpAQ0VOSUMuT1JHAA==
> krblastfailedauth: 20140731220341Z
> krblastpwdchange: 20140724210440Z
> krblastsuccessfulauth: 20140731223953Z
> krbloginfailedcount: 0
> krbpasswordexpiration: 20141022210440Z
> krbpwdpolicyreference: cn=global_policy,cn=ORG.ORG,cn=kerberos,dc=org,dc=org
> memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
> memberof: cn=games,cn=groups,cn=accounts,dc=org,dc=org
> memberof: cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect: ipauniqueid=696df694-e690-11e3-8fc8-525400e99b50,cn=sudorules,cn=sudo,dc=org,dc=org
> memberofindirect: ipauniqueid=a3eb8884-ecdc-11e3-a0df-525400e99b50,cn=ng,cn=alt,dc=org,dc=org
> memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect: cn=engineering_core,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect: cn=engineering,cn=groups,cn=accounts,dc=org,dc=org
> memberofindirect: cn=staff,cn=groups,cn=accounts,dc=org,dc=org
> mepmanagedentry: cn=sriaz,cn=groups,cn=accounts,dc=org,dc=org
> objectclass: top
> objectclass: person
> objectclass: organizationalperson
> objectclass: inetorgperson
> objectclass: inetuser
> objectclass: posixaccount
> objectclass: krbprincipalaux
> objectclass: krbticketpolicyaux
> objectclass: ipaobject
> objectclass: ipasshuser
> objectclass: ipaSshGroupOfPubKeys
> objectclass: mepOriginEntry
>
> This has been scrubbed, the group that is not being seen on the client
> side is the rancid group, which is showing up here.

OK, then we know we're looking at a client side problem.

Can you:
1) service sssd stop
2) edit /etc/sssd/sssd.conf and put debug_level=7 into both [nss] and [domain] sections
3) service sssd start
4) sss_cache -UG
5) id -G $username

Then attach the logs found at /var/log/sssd/sssd_$domain.log

If you feel the logs are too sensitive for a mailing list, you can
send them directly to me and CC: pbrezina -at- redhat -dot- com
Re: [Freeipa-users] Users not inheriting groups
Thanks for your help,

The group memberships are propagated properly on the server side:

dn: uid=user,cn=users,cn=accounts,dc=cenic,dc=org
uid: user
givenname: userfn
sn: userln
cn: userfn userln
displayname: userfn userln
initials: uu
homedirectory: /home/user
gecos: userfn userln
loginshell: /bin/bash
krbprincipalname: u...@org.org
mail: u...@cenic.org
uidnumber: 1080
gidnumber: 1080
nsaccountlock: False
has_password: True
has_keytab: True
ipauniqueid: 2d01b68e-fb38-11e3-9d0d-525400e99b50
krbextradata: AALodNFTc3JpYXpAQ0VOSUMuT1JHAA==
krblastfailedauth: 20140731220341Z
krblastpwdchange: 20140724210440Z
krblastsuccessfulauth: 20140731223953Z
krbloginfailedcount: 0
krbpasswordexpiration: 20141022210440Z
krbpwdpolicyreference: cn=global_policy,cn=ORG.ORG,cn=kerberos,dc=org,dc=org
memberof: cn=ipausers,cn=groups,cn=accounts,dc=org,dc=org
memberof: cn=games,cn=groups,cn=accounts,dc=org,dc=org
memberof: cn=engineering_core_engineers,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: ipauniqueid=696df694-e690-11e3-8fc8-525400e99b50,cn=sudorules,cn=sudo,dc=org,dc=org
memberofindirect: ipauniqueid=a3eb8884-ecdc-11e3-a0df-525400e99b50,cn=ng,cn=alt,dc=org,dc=org
memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: cn=engineering_core,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: cn=engineering,cn=groups,cn=accounts,dc=org,dc=org
memberofindirect: cn=staff,cn=groups,cn=accounts,dc=org,dc=org
mepmanagedentry: cn=sriaz,cn=groups,cn=accounts,dc=org,dc=org
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
objectclass: inetuser
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: ipaobject
objectclass: ipasshuser
objectclass: ipaSshGroupOfPubKeys
objectclass: mepOriginEntry

This has been scrubbed, the group that is not being seen on the
client side is the rancid group, which is showing up here.

Thanks,
Bill G.

On Fri Aug 1 01:14:32 2014, Jakub Hrozek wrote:
> On Thu, Jul 31, 2014 at 03:42:43PM -0700, William Graboyes wrote:
>> Hi List,
>>
>> I am running into some odd issues with IPA and users not inheriting
>> all groups they are a member of.
>>
>> I spent a lot of time nesting groups so that when we add a user all of
>> the groups they need with one group setting (a boon for automation).
>> However I am finding a small percentage of users who are in the proper
>> groups in IPA but the server does not pick up all the groups involved,
>> until I add those specific users to the group in question.
>>
>> For clarity:
>>
>> 1) Most users inherit groups fine
>> 2) A small percentage (2-3% discovered so far) do not inherit one or
>> more of the needed groups.
>> 3) Work around found by adding users directly to group instead of
>> nested in proper group (though less than ideal)
>
> Hi,
>
> let's find out if the group memberships propagated correctly on the
> server side, first, to isolate where the issue is.
>
> Can you run:
> ipa user-show $faulty_user --all --raw
>
> on the server, or directly ldapsearch the user so we can see if the user
> entry has all the memberof attributes you'd expect?
Re: [Freeipa-users] Users not inheriting groups
On Thu, Jul 31, 2014 at 03:42:43PM -0700, William Graboyes wrote:
> Hi List,
>
> I am running into some odd issues with IPA and users not inheriting
> all groups they are a member of.
>
> I spent a lot of time nesting groups so that when we add a user all of
> the groups they need with one group setting (a boon for automation).
> However I am finding a small percentage of users who are in the proper
> groups in IPA but the server does not pick up all the groups involved,
> until I add those specific users to the group in question.
>
> For clarity:
>
> 1) Most users inherit groups fine
> 2) A small percentage (2-3% discovered so far) do not inherit one or
> more of the needed groups.
> 3) Work around found by adding users directly to group instead of
> nested in proper group (though less than ideal)

Hi,

let's find out if the group memberships propagated correctly on the
server side, first, to isolate where the issue is.

Can you run:
ipa user-show $faulty_user --all --raw

on the server, or directly ldapsearch the user so we can see if the user
entry has all the memberof attributes you'd expect?
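The reply above asks for `ipa user-show $faulty_user --all --raw` so the server-side memberof attributes can be checked before the client is suspected. The script below is an added example, not part of the thread or of the FreeIPA project: it mechanises that comparison by taking the `--raw` output and the client's `id -Gn $user` output and printing the POSIX groups the server lists but the client does not. Both inputs are constructed samples with an assumed dc=example,dc=com suffix, a fictional user alice and a zeroed placeholder ipauniqueid; on a real host you would run `sss_cache -UG` first, as the later reply in this thread does, so the client answer is not a stale cache.

```shell
#!/bin/sh
# Added example, not code from the thread: diff server-side group membership
# (ipa user-show --all --raw) against what the client resolves (id -Gn).
# Real usage, after clearing the SSSD cache so the client answer is fresh:
#   sss_cache -UG
#   missing_groups "$(ipa user-show "$u" --all --raw)" "$(id -Gn "$u")"

# Constructed sample of `ipa user-show alice --all --raw`, not the thread's
# entry. The suffix dc=example,dc=com and the ipauniqueid are placeholders.
SAMPLE_USER_SHOW='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
uidnumber: 1080
gidnumber: 1080
memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberof: cn=engineering_core_engineers,cn=groups,cn=accounts,dc=example,dc=com
memberofindirect: cn=rancid_users,cn=groups,cn=accounts,dc=example,dc=com
memberofindirect: ipauniqueid=00000000-0000-0000-0000-000000000000,cn=sudorules,cn=sudo,dc=example,dc=com
memberofindirect: cn=rancid,cn=groups,cn=accounts,dc=example,dc=com
memberofindirect: cn=engineering,cn=groups,cn=accounts,dc=example,dc=com
mepmanagedentry: cn=alice,cn=groups,cn=accounts,dc=example,dc=com
'

# Constructed sample of `id -Gn alice` on a client that dropped "rancid".
SAMPLE_ID_GN='alice ipausers engineering_core_engineers rancid_users engineering'

# Group names the server reports, direct (memberof) or nested
# (memberofindirect). Only entries under cn=groups,cn=accounts count:
# sudo rules, HBAC rules and netgroups show up as memberofindirect too
# but are not POSIX groups that id(1) could ever list.
server_groups() {
    awk '
        /^memberof(indirect)?: cn=[^,]*,cn=groups,cn=accounts,/ {
            sub(/^[^:]*: cn=/, "")   # drop "memberof: cn="
            sub(/,.*/, "")           # drop the rest of the DN
            print
        }
    ' | sort -u
}

# Group names the client reports: id -Gn prints them space-separated.
client_groups() {
    tr ' ' '\n' | sed '/^$/d' | sort -u
}

# $1: ipa user-show output, $2: id -Gn output.
# Prints the server-side groups absent from the client list, one per line.
missing_groups() {
    srv=$(printf '%s' "$1" | server_groups)
    cli=$(printf '%s' "$2" | client_groups)
    printf '%s\n' "$srv" | awk -v cli="$cli" '
        BEGIN { n = split(cli, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($0 in seen) { print }
    '
}

# Demo on the constructed samples; prints "rancid".
missing_groups "$SAMPLE_USER_SHOW" "$SAMPLE_ID_GN"
```

Extra groups on the client side (the user private group, for instance) are deliberately ignored; the only question this answers is which server-side memberships the client failed to resolve, which is exactly the set to look for in the sssd_$domain.log output requested later in the thread.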