Hi Spike,

Thanks for the response and insight. Sorry for the delay in replying. Yeah, it's an NFS mount, and yeah, a lot of members belong to more than 16 AD groups (our AD has been around for a long time and it's a decent-sized enterprise).

I found this while doing some googling. I'm going to give it a shot to see if it fixes the problem. I'll update this group once I test... will probably be next week b/c of the holiday.

https://www.xkyle.com/solving-the-nfs-16-group-limit-problem/

Thanks,
Paul

Sent from my iPhone

On Nov 22, 2020, at 10:22 AM, Spike White <[email protected]> wrote:

Is this an NFS mount point? If so, maybe you're hitting the "16 supplemental group" NFS inherent bug.

Spike

On Fri, Nov 20, 2020 at 2:21 PM Tung, Paul <[email protected]> wrote:

Hi,

I was hoping someone on this list might be able to help. I'm getting permission denied when trying to access a directory owned by root, but with a group that I'm a member of. I'm getting:

-bash: cd: testdir: Permission denied

I have the following scenario:

Running CentOS Linux release 7.6.1810 and sssd 1.16.5. I have a mount set up at /data/testdir. As root, I chown/chmod testdir:

chown root:testgrpa testdir
chmod 770 testdir

When I log in as user1, I currently can't cd into /data/testdir. It gives:

-bash: cd: testdir: Permission denied

user1 is a member of testgrpa.

OUTPUT of id user1:

uid=129371342(user1) gid=129371342(user1) groups=129371342(user1),29042750285(group1),1435459822(group2),3456349245(group3),……,239705249(testgrpa)

OUTPUT of getent group testgrpa:

testgrpa:*:239705249:user1,user2,user2,user4,…..,user50

CONTENTS OF sssd.conf:

[sssd]
config_file_version = 2
services = nss,pam
domains = dept.domain.com

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/dept.domain.com]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_use_tokengroups = false
enumerate = false
cache_credentials = True
case_sensitive = false
ignore_group_members = false
auto_private_groups = true
ldap_schema = ad
ldap_uri = ldaps://ldapsserver.dept.domain.com:636
ldap_user_search_base = dc=ad,dc=dept,dc=domain,dc=com
ldap_group_search_base = OU=Security Groups,OU=Groups,dc=ad,dc=dept,dc=domain,dc=com?sub?(|(cn=domain users)(cn=testgrpa))
ldap_referrals = False
ldap_group_nesting_level = 3
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/sssd
ldap_use_tokengroups = True
ldap_id_mapping = True
override_homedir = /mnt/exports/shared/home/%u
fallback_homedir = /shared/home/%u
default_shell = /bin/bash
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = (|(memberOf=cn=testgrpa,OU=Security Groups,OU=Groups,DC=ad,DC=dept,DC=domain,DC=com))
ldap_default_bind_dn = <service account>
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <authtok>

Thanks,
Paul T

________________________________
UCLA HEALTH SCIENCES IMPORTANT WARNING: This email (and any attachments) is only intended for the use of the person or entity to which it is addressed, and may contain information that is privileged and confidential. You, the recipient, are obligated to maintain it in a safe, secure and confidential manner. Unauthorized redisclosure or failure to maintain confidentiality may subject you to federal and state penalties. If you are not the intended recipient, please immediately notify us by return email, and delete this message from your computer.
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
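The thread ends with Spike's diagnosis and a link, without showing how to confirm that the group owning the directory is actually one of the groups the NFS client puts on the wire. The following Python script is an added example, not code from the thread, from sssd, or from the linked article. It parses `id <user>` output and simulates what an AUTH_SYS (sec=sys) credential carries: RFC 5531 allows at most 16 supplementary GIDs, and the Linux client marshals the first 16 entries of the kernel's group list, which the kernel keeps sorted ascending, so the lowest-numbered GIDs survive and everything else is silently dropped before the server sees it. The sample `id` line is constructed from the thread's user1/testgrpa output with invented groups filling the elided middle.

```python
"""Check whether a user's group membership survives the AUTH_SYS 16-GID limit.

Added example for this thread; not code from the sssd project or the posters.
With sec=sys the NFS RPC credential carries at most 16 supplementary GIDs
(RFC 5531, AUTH_SYS). Linux marshals the first 16 entries of the kernel's
supplementary group list (UNX_NGROUPS in net/sunrpc/auth_unix.c), and that
list is kept sorted ascending, so the lowest-numbered GIDs are the ones sent.
"""
import re
from typing import Dict, Iterable, List

AUTH_SYS_MAX_GIDS = 16

_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")  # one "gid(name)" token of `id` output

# Constructed sample modelled on the `id user1` output in the thread. The thread
# elides most of user1's groups with "……"; here that gap is filled with 17
# made-up groups (group4..group20, GIDs 100000000..100000016), giving 21 groups
# in total. Only user1 and testgrpa (239705249) come from the thread.
SAMPLE_ID_OUTPUT = (
    "uid=129371342(user1) gid=129371342(user1) "
    "groups=129371342(user1),1435459822(group2),3456349245(group3),"
    + ",".join(f"{100000000 + i}(group{i + 4})" for i in range(17))
    + ",239705249(testgrpa)"
)


def parse_id_output(line: str) -> Dict[str, object]:
    """Split one `id` line into uid, primary gid and a {gid: name} map.

    Anything in the groups= field that is not "digits(name)", such as an
    elision marker in pasted output, is ignored.
    """
    uid = re.search(r"\buid=(\d+)", line)
    gid = re.search(r"\bgid=(\d+)", line)
    if not uid or not gid or "groups=" not in line:
        raise ValueError("not an `id` output line")
    groups_field = line.split("groups=", 1)[1]
    groups = {int(g): name for g, name in _ENTRY.findall(groups_field)}
    return {"uid": int(uid.group(1)), "gid": int(gid.group(1)), "groups": groups}


def auth_sys_gids(gids: Iterable[int]) -> List[int]:
    """GIDs that fit into an AUTH_SYS credential: sorted ascending, cut at 16.

    The primary gid travels in its own credential field as well, so its
    presence or absence in this list does not affect primary-group access.
    """
    return sorted(set(gids))[:AUTH_SYS_MAX_GIDS]


def diagnose(id_line: str, group_name: str) -> Dict[str, object]:
    """Report whether `group_name` reaches an NFS server when using sec=sys."""
    info = parse_id_output(id_line)
    groups = info["groups"]
    sent = auth_sys_gids(groups)
    dropped = sorted(set(groups) - set(sent))
    matches = [g for g, n in groups.items() if n == group_name]
    target_gid = matches[0] if matches else None
    return {
        "uid": info["uid"],
        "total_groups": len(groups),
        "sent_gids": sent,
        "dropped": [(g, groups[g]) for g in dropped],
        "target_gid": target_gid,
        "target_sent": target_gid is not None and target_gid in sent,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_ID_OUTPUT, "testgrpa")
    print(f"{report['total_groups']} groups, "
          f"{len(report['sent_gids'])} sent in the AUTH_SYS credential")
    for gid, name in report["dropped"]:
        print(f"  dropped before reaching the server: {gid}({name})")
    verdict = "reaches" if report["target_sent"] else "never reaches"
    print(f"testgrpa ({report['target_gid']}) {verdict} the NFS server")
```

Run `diagnose` on the real `id user1` line from the client. If the target GID shows up under `dropped`, no sssd setting on the client can help, because the cut happens in the client's RPC layer after sssd has already resolved the full group list. The remedies all amount to having the server resolve groups itself: `rpc.mountd --manage-gids` (set through `RPCMOUNTDOPTS` in /etc/sysconfig/nfs on CentOS 7, or `manage-gids=y` under `[mountd]` in /etc/nfs.conf with newer nfs-utils) makes the server ignore the client-supplied GID list and look the user up through its own nsswitch, which means the server needs the same sssd/AD visibility as the client; Kerberos (`sec=krb5`) has the same server-side-lookup property. Failing that, the user has to hold fewer than 17 groups, or the group used for the NFS export has to have a low enough GID to survive the sort-and-truncate.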
