On Monday, 7 May 2012 08:04:34 Braden McDaniel wrote:
On Sun, 2012-05-06 at 22:21 -0700, Chris Jacobs wrote:
Or restarted sssd?
I've restarted both the client machine and the server; so, yes.
What is your OS?
Fedora 17 prerelease.
Have you googled for ldap cache and your os?
I have. I haven't come up with much, so far.
Might pam be caching any of this stuff?
What else have you tried?
If I remove the user from the group in LDAP, that is reflected in the output of "groups". But, when I add it back, "groups" shows the (local) group associated with the old GID, not the new one.
So it's as if something on the client side has gotten the group *name* from LDAP and has locally cached an association with the old GID.
You have a local group and an LDAP group, with the same name, and different GIDs? Depending on your nss configuration (in /etc/nsswitch.conf), you will either get the local group, or the LDAP group definition.
The old GID is getting passed along and is associated with the group that it maps to locally by a tool like "groups".
If I understand your setup, this is the correct behaviour.
Provide the output of 'id username'. If none of your groups have spaces in the name, the following might also be useful:
$ for i in `groups username|awk -F: '{print $2}'`;do getent group|grep "^$i:";done
Regards, Buchan
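A small check for the situation Buchan describes (same group name in the local files and in LDAP, with different GIDs, and nsswitch.conf deciding which one wins). This is an added example, not code from the thread; it assumes you can obtain two group(5)-format listings, for instance with `getent -s files group` and `getent -s sss group` (or `getent -s ldap group`), and the sample data below is constructed.

```sh
#!/bin/sh
# Added example: spot group names that exist both locally and in the directory
# with different GIDs, and show the NSS lookup order that decides which wins.
# The listings are assumed to be in group(5) format (name:passwd:gid:members).

# Print the sources for the "group" database, in lookup order, from an
# nsswitch.conf read on stdin (e.g. nss_group_sources < /etc/nsswitch.conf).
# Action tokens such as [NOTFOUND=return] are skipped.
nss_group_sources() {
    awk '$1 == "group:" { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) printf "%s ", $i; print "" }' \
        | sed 's/ $//'
}

# Usage: gid_conflicts LOCAL_LISTING DIRECTORY_LISTING
# Print "name local_gid directory_gid" for every group name that appears in
# both listings with a different GID. With "files" listed before "sss"/"ldap"
# in nsswitch.conf, such a name keeps resolving to the local GID, which is
# exactly what "groups" would then display.
gid_conflicts() {
    awk -F: 'NR == FNR { local[$1] = $3; next }
             ($1 in local) && local[$1] != $3 { print $1, local[$1], $3 }' "$1" "$2"
}

# Demo on constructed data (real use: feed the getent listings and nsswitch.conf).
demo() {
    tmp=$(mktemp -d)
    printf 'devs:x:1001:alice\nops:x:1002:bob\n' > "$tmp/local"            # constructed
    printf 'devs:x:20001:alice,carol\nqa:x:20003:dave\n' > "$tmp/directory" # constructed
    printf 'passwd: files sss\ngroup:  files [NOTFOUND=return] sss\n' > "$tmp/nsswitch.conf"
    echo "group lookup order: $(nss_group_sources < "$tmp/nsswitch.conf")"
    echo "name/GID conflicts (name local_gid directory_gid):"
    gid_conflicts "$tmp/local" "$tmp/directory"
    rm -rf "$tmp"
}
```

Running `demo` prints the lookup order `files sss` and the conflict line `devs 1001 20001`, which is the pattern to look for on the client before blaming sssd's cache.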