Is this an NFS mount point? If so, maybe you're hitting the "16 supplemental group" NFS inherent bug.
Spike

On Fri, Nov 20, 2020 at 2:21 PM Tung, Paul <[email protected]> wrote:
> Hi,
>
> I was hoping someone on this list might be able to help.
> I'm getting permission denied when trying to access a directory owned by root, but with a group that I'm a member of.
> I'm getting: -bash: cd: testdir: Permission denied
>
> I have the following scenario:
> Running CentOS Linux release 7.6.1810 and sssd 1.16.5
>
> I have a mount set up /data/testdir
> As root, I chown/chmod testdir:
> chown root:testgrpa testdir
> chmod 770 testdir
>
> When I log in as user1, I currently can't cd into /data/testdir
> It gives:
> -bash: cd: testdir: Permission denied
>
> user1 is a member of testgrpa:
> OUTPUT of id user1:
> uid=129371342(user1) gid=129371342(user1) groups=129371342(user1),29042750285(group1),1435459822(group2),3456349245(group3),……,239705249(testgrpa)
>
> OUTPUT of getent group testgrpa:
> testgrpa:*:239705249:user1,user2,user2,user4,…..,user50
>
> CONTENTS OF sssd.conf:
> [sssd]
> config_file_version = 2
> services = nss,pam
> domains = dept.domain.com
>
> [nss]
> filter_users = root
> filter_groups = root
>
> [pam]
>
> [domain/dept.domai.com]
> id_provider = ldap
> auth_provider = ldap
> access_provider = ldap
> ldap_use_tokengroups = false
>
> enumerate = false
> cache_credentials = True
> case_sensitive = false
> ignore_group_members = false
> auto_private_groups = true
>
> ldap_schema = ad
>
> ldap_uri = ldaps://ldapsserver.dept.domain.com:636
> ldap_user_search_base = dc=ad,dc=dept,dc=domain,dc=com
> ldap_group_search_base = OU=Security Groups,OU=Groups,dc=ad,dc=dept,dc=domain,dc=com?sub?(|(cn=domain users)(cn=testgrpa))
> ldap_referrals = False
> ldap_group_nesting_level = 3
>
> ldap_tls_reqcert = allow
> ldap_tls_cacertdir = /etc/sssd
>
> ldap_use_tokengroups = True
> ldap_id_mapping = True
>
> override_homedir = /mnt/exports/shared/home/%u
> fallback_homedir = /shared/home/%u
>
> default_shell = /bin/bash
>
> ldap_access_order = filter, expire
> ldap_account_expire_policy = ad
> ldap_access_filter = (|(memberOf=cn=testgrpa,OU=Security Groups,OU=Groups,DC=ad,DC=dept,DC=domain,DC=com))
>
> ldap_default_bind_dn = <service account>
> ldap_default_authtok_type = obfuscated_password
> ldap_default_authtok = <authtok>
>
> Thanks,
>
> Paul T
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
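The 16-group limit Spike points to can be checked on the client before anyone touches sssd or the export. The script below is an added example for this thread, not code from SSSD or from either poster. It parses output in the shape of `id <user>`, applies the AUTH_SYS credential limit of 16 supplementary gids (RFC 5531), and reports whether membership in the directory's group would still reach the server. It assumes Linux client behaviour (the kernel keeps the supplementary list sorted by gid and sends only its first 16 entries, so the lowest-numbered gids win regardless of the order `id` prints them); the sample `id` output and its numeric ids are constructed.

```python
#!/usr/bin/env python3
"""Check whether a user's group membership survives the AUTH_SYS 16-gid limit.

Added example, not from the thread or from SSSD. An AUTH_SYS credential
(RFC 5531) carries a uid, a gid and at most 16 supplementary gids, so a user in
more groups than that is seen by an NFS server as a member of only some of
them; a mode-770 directory owned by one of the dropped groups then yields
"Permission denied" even though id(1) on the client shows the membership.
"""
import re
import subprocess

AUTH_SYS_MAX_GIDS = 16  # fixed by the AUTH_SYS credential format


def parse_id_output(text):
    """Parse `id <user>` output into (uid, primary_gid, {gid: name})."""
    m = re.search(r"uid=(\d+)\([^)]*\)\s+gid=(\d+)\([^)]*\)\s+groups=(.*)", text)
    if not m:
        raise ValueError("unrecognised id(1) output")
    groups = {int(g): n for g, n in re.findall(r"(\d+)\(([^)]*)\)", m.group(3))}
    return int(m.group(1)), int(m.group(2)), groups


def groups_seen_by_nfs_server(primary_gid, groups):
    """Return the set of gids an AUTH_SYS NFS server receives from a Linux client.

    Assumption about Linux client behaviour: the kernel keeps the supplementary
    group list sorted by gid and marshals only its first AUTH_SYS_MAX_GIDS
    entries, so the lowest-numbered gids win. The primary gid travels in its
    own credential field and is always seen.
    """
    sent = sorted(groups)[:AUTH_SYS_MAX_GIDS]
    return {primary_gid, *sent}


def diagnose(id_text, target_gid):
    """Report whether membership in target_gid is visible to the NFS server."""
    uid, primary_gid, groups = parse_id_output(id_text)
    seen = groups_seen_by_nfs_server(primary_gid, groups)
    return {
        "uid": uid,
        "member": target_gid in groups,
        "visible_over_auth_sys": target_gid in seen,
        "total_groups": len(groups),
        "dropped_gids": sorted(g for g in groups if g not in seen),
    }


def diagnose_user(user, target_gid):
    """Run id(1) for a real account on this host and diagnose it."""
    out = subprocess.run(["id", user], capture_output=True, text=True, check=True).stdout
    return diagnose(out, target_gid)


# Constructed sample in the shape of the thread's `id user1` output; the
# numeric ids are invented. 20 groups in total, and testgrpa has the highest gid.
SAMPLE_ID_OUTPUT = (
    "uid=1001(user1) gid=1001(user1) groups=1001(user1),"
    + ",".join(f"{2000 + i}(group{i})" for i in range(1, 19))
    + ",9000(testgrpa)"
)

if __name__ == "__main__":
    report = diagnose(SAMPLE_ID_OUTPUT, 9000)  # visible_over_auth_sys: False
    for key, value in report.items():
        print(f"{key}: {value}")
```

If the target group lands in `dropped_gids`, the fix is on the NFS server rather than in sssd.conf: enable `manage-gids` for rpc.mountd (the `--manage-gids` option, or `manage-gids=y` in the `[mountd]` section of /etc/nfs.conf) so the server resolves the full group list from the uid itself and ignores the truncated list in the credential, or export with a Kerberos security flavour (`sec=krb5*`), where the client's gid list is not used at all. Either way the server must resolve the same users and groups as the client, in this thread via the same sssd domain.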
