Thanks, We talk about a single nesting level so it is likely a bug. The true is that 'id -a' always shows a correct information so this is more like a nuisance rather than a bug affecting production. Also sss_cache -g G does not help, but restarting sssd & delete cache does help.
Hard to replicate so just a FYI that is happens. Ondrej >-----Original Message----- >From: Jakub Hrozek [mailto:[email protected]] >Sent: Monday, June 12, 2017 3:16 PM >To: [email protected] >Subject: [SSSD-users] Re: Inconsistent group membership > >On Mon, Jun 12, 2017 at 12:20:24PM +0000, Ondrej Valousek wrote: >> Hi, >> >> For some users I experience inconsistent group membership, i.e. "getent >group G" does not list user U as a member, but "id -a U" command shows the >group G. >> Is that normal or a known issue? > >This can be normal, depending on the group nesting. "getent group" only >processes the group members down to a certain nesting level (see >ldap_group_nesting_level). This is because normally the getent group output >is not used by anything authoritative and at the same time, processing all >group members can be quite expensive. > >On the other hand, the result of initgroups (id -G) is used to establish the >list >of the supplementary groups the user is a member of, so it's crucial it's >correct >and contains all the groups. > >So the first thing I would try is to check how deep is the member in the >hierarchy starting from the group you are resolving by getent group. If it's >two >or more levels, try increasing the nesting limit. Otherwise, I would say it >would >be a bug.. >_______________________________________________ >sssd-users mailing list -- [email protected] To unsubscribe >send an email to [email protected] ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: [email protected]. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18. _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
