On Fri, Jan 19, 2024 at 12:39 PM Finn Fysj <[email protected]> wrote:
>
> > When it gets to DAC, `getgrouplist()` (initgroups list) is what matters.
> >
> > Does this work properly, i.e. does `id user1` return all expected groups?
> For old systems not using SSSD (nslcd & nscd), this works. I can run id <UID>
> and get returned expected groups.
> This is not the case for systems (rhel9) using SSSD.

Well, to debug this one needs:
 - stop sssd
 - remove old sssd logs (/var/log/sssd/)
 - set 'debug_level = 9' in [nss] and domain sections of sssd.conf
 - start sssd
 - date; id UID
 - capture logs

Then `sssctl analyze --logdir . request list`
 - it will list 'id'
 - it will list something like "... [uid 0] CID #1: id"

And `sssctl analyze --logdir . request show --merge 1` (where 1 is from CID #1) will show all log messages related to this lookup. Not an easy read, though...
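
The configuration step of the procedure above (debug_level in [nss] and the domain sections), as an added example that is not part of the original message or of SSSD itself. The function names and the sample config are constructed; the script prints the edited file to stdout rather than changing /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example: emit an sssd.conf with debug_level set in [nss] and in
# every [domain/...] section, leaving the other sections untouched.

set_sssd_debug_level() {
    # $1 = path to a copy of sssd.conf, $2 = debug level (e.g. 9)
    awk -v lvl="$2" '
        /^[ \t]*\[.*\][ \t]*$/ {
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)   # strip the brackets
            target = (name == "nss" || name ~ /^domain\//)
            print
            if (target) print "debug_level = " lvl
            next
        }
        # drop a previous debug_level so the section has exactly one
        target && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$1"
}

# Constructed sample configuration (hypothetical domain name).
sample_conf() {
    cat <<'EOF'
[sssd]
services = nss, pam
domains = example.test

[nss]
filter_users = root

[pam]

[domain/example.test]
id_provider = ldap
debug_level = 2
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_conf > "$tmp"
    set_sssd_debug_level "$tmp" 9
    rm -f "$tmp"
}

demo
```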
