Hi,

I have my user account listed in /etc/passwd, /etc/shadow and the 
LDAP tree. However, only the LDAP tree has the supplementary group list 
info.

In sssd-1.8.3 and earlier, issuing `getent passwd jengelh` would return 
me all the (primary and) secondary groups I am a member of. Something 
like

        uid=25121(jengelh) gid=100(users) 
        groups=100(users),399(abuild),56485(friends),
                27072(netitwork),31327(rdesktop)

In sssd-1.8.93, this is no longer the case, and instead I get:

        uid=25121(jengelh) gid=100(users) groups=100(users),33(video)

`getent group 31327` has to say:

        rdesktop:*:31327:fz,mm,mk

`ldapsearch -x cn=rdesktop`:

        dn: cn=rdesktop,ou=groups,o=borg
        objectClass: posixGroup
        objectClass: top
        objectClass: groupOfNames
        objectClass: sambaGroupMapping
        objectClass: zarafa-group
        cn: rdesktop
        description: Remote Desktop Users
        member: uid=jengelh,ou=users,o=company
        member: uid=fz,ou=users,o=company
        member: uid=mm,ou=users,o=company
        member: uid=mk,ou=users,o=company
        sambaGroupType: 2
        displayName: Remote Desktop
        gidNumber: 31327
        zarafaHidden: 1
        sambaSID: S-1-5-21-2434340325-2384729352-2357823451-12387

If I comment out my entry in /etc/passwd, I do receive the groups from 
LDAP again, but naturally I am missing out on the local groups:

        uid=25121(jengelh) gid=27072(netitwork) 
        groups=27072(netitwork),33(video),56485(friends),
                31327(rdesktop),399(abuild)

It seems like if the user entry is satisfiable from 
/etc/passwd, group lookup is also only limited to passwd. This breaks
with behavior of all previously seen implementations (pam_ldap,..)
which strictly separated user and group lookups like NSS's design set
forth a handful of decades ago.


Side-note supplement:

And then there is the cache coming into play, which provided for a
handful of surprises on its own. Removing the comment hash mark #
from my entry in /etc/passwd again after the previous lookup, I then
get *all* memberships from both local and LDAP:

        uid=25121(jengelh) gid=100(users)
        groups=100(users),33(video),56485(friends),31327(rdesktop),
                27072(netitwork),399(abuild)

so the look-in-passwd-only "misfeature" is not even consistent :)
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
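A small diagnostic, added here and not part of the original mail, for spotting the kind of membership split reported above. It parses `id`-style output (the wrapped form quoted in the mail) and lists the GIDs one lookup reports that another does not; `diagnose()` runs the same comparison live against the host's NSS stack, contrasting the initgroups() view (what login and PAM consult) with a scan of every group's member list (what `getent group` shows). The sample strings are the outputs quoted in the mail; everything else is an assumption.

```python
import grp
import os
import pwd


def parse_id_groups(id_output: str) -> set[int]:
    """Extract the GIDs after `groups=` from id-style text, wrapped or not."""
    text = " ".join(id_output.split())          # collapse the line wrapping
    if "groups=" not in text:
        return set()
    gids = set()
    for item in text.split("groups=", 1)[1].split(","):
        item = item.strip()
        if item:
            gids.add(int(item.split("(", 1)[0]))   # "31327(rdesktop)" -> 31327
    return gids


def membership_gap(expected_gids, observed_gids) -> list[int]:
    """GIDs the user should hold that the observed lookup did not report."""
    return sorted(set(expected_gids) - set(observed_gids))


def diagnose(username: str) -> dict:
    """Live check on this host: initgroups() view vs. group member-list scan.

    A GID present in the member scan but absent from initgroups() means the
    two NSS lookup paths disagree, so authorization decisions made through
    them will disagree too.
    """
    pw = pwd.getpwnam(username)
    via_initgroups = set(os.getgrouplist(username, pw.pw_gid))
    via_member_scan = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    via_member_scan.add(pw.pw_gid)
    return {
        "initgroups": sorted(via_initgroups),
        "member_scan": sorted(via_member_scan),
        "missing_from_initgroups": membership_gap(via_member_scan, via_initgroups),
    }


# Constructed sample input: the two outputs quoted in the mail (sssd-1.8.3
# versus sssd-1.8.93 with the user present in /etc/passwd).
OLD_OUTPUT = """uid=25121(jengelh) gid=100(users)
groups=100(users),399(abuild),56485(friends),
        27072(netitwork),31327(rdesktop)"""
NEW_OUTPUT = "uid=25121(jengelh) gid=100(users) groups=100(users),33(video)"

if __name__ == "__main__":
    gap = membership_gap(parse_id_groups(OLD_OUTPUT), parse_id_groups(NEW_OUTPUT))
    print("GIDs dropped by the newer lookup:", gap)   # [399, 27072, 31327, 56485]
```

Run `diagnose("jengelh")` on an affected host to see whether the member scan and initgroups() views diverge the way the two quoted outputs do.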
