Stopping nscd did not change anything.  "groups username" still shows user as member of Administrators.



On Fri, Feb 24, 2017 at 9:50 AM, Mark Coetser <mark@pkfnet.co.za> wrote:
stop nscd and check again.

--
Thank you,

Mark Adrian Coetser
mark@pkfnet.co.za

... bleakness ... desolation ... plastic forks ...


On 24/02/2017 16:40, Bernard Fay wrote:

On Fri, Feb 24, 2017 at 9:12 AM, Michael Wandel <m.wandel@t-online.de
<mailto:m.wandel@t-online.de>> wrote:


    On 24.02.2017 14 <tel:24.02.2017%2014>:55, Bernard Fay wrote:
    > Hi,
    >
    > I removed a user from an LDAP group about a week ago. Today, this user
    > still shows as member of the group with the Linux command groups. Also,
    > the group (Administrators) appears twice in the output of the command id:
    > uid=10000(username) gid=10000(Administrators)
    > groups=10001(users),10005(devel),10011(video),10015(ansible),10000(Administrators)
    >

    Can you please let us know about your nss configuration
    /etc/nsswitch.conf . IMHO it looks ok that the administrators is the
    primary group and also in the groups enumeration.

    > The command getent though shows the proper group assignation:
    > getent group | grep username | cut -d: -f1
    > users
    > devel
    > video
    > ansible
    >
    > All of those groups are LDAP group.
    >
    > Does someone knows why and would know how to fix this?

    you can't find primary groups for a user with your command, grepping
    throug "getent group" . In modern systems aka sssd it is not a good
    idea, because enumeration ist by default set to false.



]# grep -Ev "^\#|^$" /etc/nsswitch.conf
passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus


The user has been removed from the groups Administrators so it should
not show.

I do not use sssd as our LDAP is not secured so I use nscd.  This LDAP
is confined a lab.

Thanks,