[Freeipa-users] Re: Secondary groups intermittently missing from id/groups lookups

Tue, 16 Jun 2020 15:13:21 -0700 

I should note the problem exists on latest CentOS7 with fully up to date
rpms on both client/server.

Alfred

On Tue, Jun 16, 2020 at 3:02 PM Alfred Victor <alvic...@gmail.com> wrote:

> Hi all,
>
> We have built a FreeIPA system and used ipa migrate-ds to migrate and are
> testing the environment however we have a stubbornly persistent issue with
> gid array from posix commands or when dealing with filesystem ownerships.
> When I create a user in IPA, then add some groups, the issue is immediately
> present. In this case these first two below are missing a group ("testers"):
>
> [alvic@HOD28 ~]$ id ipatest
>
> uid=464200021(ipatest) gid=464200021(ipatest)
> groups=464200021(ipatest),464200000(admins)
>
> And another:
>
> [alvic@NODE-1-1 ~]$ id ipatest
>
> uid=464200021(ipatest) gid=464200021(ipatest)
> groups=464200021(ipatest),464200000(admins)
>
>
> More commonly, this is the case where only primary gid is returned, and
> both groups are missing:
>
>
> [alvic@NODE-1-2 ~]$ id ipatest
>
> uid=464200021(ipatest) gid=464200021(ipatest) groups=464200021(ipatest)
>
>
>
> The client systems were each provisioned like so, and we have also tested
> and found this issue on a totally up to date new CentOS 7 system:
>
>
> ipa-client-install -U -q -p [redacted] --domain=redacted.com --server=
> ipa.redacted.com --fixed-primary --force-join
>
>
>
> We have also attempted a full update of the IPA server via yum update and
> restarted it but the issue is incredibly common. We have also enabled sssd
> debuglevel 7 and I noted the following line:
>
>
>
> (Tue Jun 16 10:01:09 2020) [sssd[be[redacted.com]]] [sdap_save_user]
> (0x0400): Original memberOf is not available for [ipat...@redacted.com].
>
>
> Worth noting that groups display fine for a user, without fail, only if
> using "ipa user-show"
>
>
>
> Alfred
>

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Reply via email to