In the message dated: Wed, 29 Jun 2011 15:57:11 EDT,
The pithy ruminations from Patrick Cable on
<Re: [lopsa-tech] Unix Group Weirdness> were:
=> On Wed, Jun 29, 2011 at 2:02 PM, Doug Weimer <[email protected]> wrote:
=> > I can't think of how it would affect group enumeration, but check the
=> > differences in the pam stacks between su and gdm if you're using gnome.
=>

I was pretty sure the problem was due to "gnome-terminal" not creating a login shell (we've run into similar issues with environment settings, and now use the "-ls" option instead of preferences). This is getting more interesting since that was proven wrong, and it's good to see other people's troubleshooting suggestions.

Hmmm...are you sure that this user's UID (not login name) and GID are unique? I don't know how LDAP enumeration of groups works internally, but for other information sources (files, NIS), there's a linear search--stopping at the first match--for UID & GID info. In other words, if there are multiple group entries for the same UID, the first one that's found wins.

Have you tried dumping the group and password data to files and running grpck and pwck to check for any inconsistencies?

Mark

=> I have compared his pam stack for su and gdm to other machines in
=> which users don't have any issues. They do match.
=>
=> > One way to test pam issues is to have the user log in via various methods and
=> > see which ones have the correct groups.
=> >
=> > 1. Have the user run 'xterm -ls.' Verify it still shows the old groups
=> It only shows one group, correct.
=>
=> > 2. Have the user 'su - username'. Does that show the additional groups?
=> It shows the additional groups as it should.
=>
=> > 3. Have the user ssh to localhost and log in. Does that show the additional
=> > groups?
=> It shows the additional groups as it should.
=>
=> None of these users have root, so anything in the system-wide config
=> should still remain untouched -- including /etc/pam.d.
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
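
The duplicate-ID check suggested in the message above, as an added example that is not part of the original thread: it reads passwd- or group-format records, reports every numeric ID shared by more than one entry, and shows which name a first-match search would return. The function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Field 3 is the UID in passwd data and the GID in group data.

# dup_ids: read colon-separated records on stdin and print one line per
# shared ID, "ID: name1 name2 ...", names in file order (first match first).
dup_ids() {
    awk -F: '
        NF < 3 || /^#/ { next }              # skip blank, short and comment lines
        {
            id = $3
            if (id in names) names[id] = names[id] " " $1
            else { order[++n] = id; names[id] = $1 }
            count[id]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print order[i] ": " names[order[i]]
        }'
}

# first_match: print the name a linear, stop-at-first-match search
# returns for the numeric ID given as $1.
first_match() {
    awk -F: -v id="$1" '$3 == id { print $1; exit }'
}

# Constructed sample data (not taken from the thread).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-old:x:1002:1003:Old service:/nonexistent:/usr/sbin/nologin'

SAMPLE_GROUP='staff:x:1001:alice
research:x:1002:bob
lab:x:1002:alice,bob'

# With --live, check what the name service switch actually returns,
# which includes LDAP or NIS entries when enumeration is enabled.
if [ "${1:-}" = "--live" ]; then
    echo "Shared UIDs:"; getent passwd | dup_ids
    echo "Shared GIDs:"; getent group | dup_ids
fi
```

The same `getent passwd` and `getent group` output can be saved to files and passed to `pwck -r` and `grpck -r` for the read-only consistency check mentioned in the message.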
