On Mon, 2012-05-07 at 11:27 +0200, Buchan Milne wrote:
On Monday, 7 May 2012 08:04:34 Braden McDaniel wrote:
On Sun, 2012-05-06 at 22:21 -0700, Chris Jacobs wrote:
Or restarted sssd?
I've restarted both the client machine and the server; so, yes.
What is your OS?
Fedora 17 prerelease.
Have you googled for ldap cache and your os?
I have. I haven't come up with much, so far.
Might pam be caching any of this stuff?
What else have you tried?
If I remove the user from the group in LDAP, that is reflected in the output of "groups". But, when I add it back, "groups" shows the (local) group associated with the old GID, not the new one.
So it's as if something on the client side has gotten the group *name* from LDAP and has locally cached an association with the old GID.
You have a local group and an LDAP group, with the same name, and different GIDs?
Not "have"; *had*. I changed the LDAP group GID to match the local group GID. But "groups" still shows the local group associated with the old GID.
Depending on your nss configuration (in /etc/nsswitch.conf), you will either get the local group, or the LDAP group definition.
The old GID is getting passed along and is associated with the group that it maps to locally by a tool like "groups".
If I understand your setup, this is the correct behaviour.
Provide the output of 'id username'.
$ id braden
uid=1000(braden) gid=100(users) groups=100(users),497(desktop_admin_r),988(ccache),990(pulse-access)
And here are the POSIX groups I've defined in LDAP:
$ ldapsearch -x -H ldap://ldap.endoframe.net -D "cn=Manager,dc=endoframe,dc=net" -W "objectClass=posixGroup"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=endoframe,dc=net> (default) with scope subtree
# filter: objectClass=posixGroup
# requesting: ALL
#

# users, Groups, endoframe.net
dn: cn=users,ou=Groups,dc=endoframe,dc=net
objectClass: top
objectClass: posixGroup
cn: users
gidNumber: 100
memberUid: braden

# ccache, Groups, endoframe.net
dn: cn=ccache,ou=Groups,dc=endoframe,dc=net
objectClass: top
objectClass: posixGroup
cn: ccache
gidNumber: 988
memberUid: braden

# desktop_admin_r, Groups, endoframe.net
dn: cn=desktop_admin_r,ou=Groups,dc=endoframe,dc=net
objectClass: top
objectClass: posixGroup
gidNumber: 497
cn: desktop_admin_r
memberUid: braden

# desktop_user_r, Groups, endoframe.net
dn: cn=desktop_user_r,ou=Groups,dc=endoframe,dc=net
objectClass: top
objectClass: posixGroup
gidNumber: 496
cn: desktop_user_r

# mock, Groups, endoframe.net
dn: cn=mock,ou=Groups,dc=endoframe,dc=net
objectClass: top
objectClass: posixGroup
cn: mock
gidNumber: 989
memberUid: braden

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
If none of your groups have spaces in the name, the following might also be useful:
$ for i in `groups username|awk -F: '{print $2}'`;do getent group|grep "^$i:";done
$ getent group | grep "^pulse-access:"
pulse-access:x:990:
$ getent group | grep "^mock:"
mock:x:989:
The mock group in LDAP used to have GID 990; I changed it to 989 (as shown in the ldapsearch results above).
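An added example, not part of this thread or of any tool discussed in it: a small audit script that parses a local /etc/group-style listing and an LDIF dump of posixGroup entries, then reports the two kinds of collision the thread runs into, the same group name defined with different GIDs in the two sources, and the same GID carried by differently named groups (which is why a stale cached GID shows up under another group's name once it is resolved against the other source). The resolve_gid helper mimics the nsswitch.conf rule that the first source knowing a GID wins, so swapping the source order shows why the answer changes. All sample data (the dc=example,dc=test suffix, group names and GIDs) is constructed to resemble the situation in the thread; function names are my own. In practice you would feed it the output of getent -s files group and an ldapsearch dump like the one above.

```python
"""Audit two NSS group sources for name/GID collisions (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    gid: int
    members: list = field(default_factory=list)


def parse_group_file(text):
    """Parse /etc/group-style lines: name:passwd:gid:member1,member2"""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the audit
        name, gid, members = parts[0], parts[2], parts[3]
        groups[name] = Group(name, int(gid), [m for m in members.split(",") if m])
    return groups


def parse_posix_group_ldif(text):
    """Parse LDIF posixGroup entries (cn, gidNumber, memberUid).

    Comment lines are ignored; entries without objectClass posixGroup, cn and
    gidNumber (e.g. the trailing 'search result' block) are dropped. LDIF
    continuation lines (leading space) are not handled in this small parser.
    """
    groups = {}
    entry = {}

    def flush():
        if ("posixGroup" in entry.get("objectClass", [])
                and "cn" in entry and "gidNumber" in entry):
            g = Group(entry["cn"][0], int(entry["gidNumber"][0]), entry.get("memberUid", []))
            groups[g.name] = g

    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line ends an entry
            flush()
            entry = {}
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip(), []).append(value.strip())
    flush()
    return groups


def find_conflicts(local, ldap):
    """name_conflicts: same name, different GID; gid_conflicts: same GID, different name."""
    name_conflicts = []
    for name in sorted(set(local) & set(ldap)):
        if local[name].gid != ldap[name].gid:
            name_conflicts.append((name, local[name].gid, ldap[name].gid))
    gid_conflicts = []
    local_by_gid = {g.gid: g.name for g in local.values()}
    for g in ldap.values():
        other = local_by_gid.get(g.gid)
        if other is not None and other != g.name:
            gid_conflicts.append((g.gid, other, g.name))
    return {"name_conflicts": name_conflicts, "gid_conflicts": sorted(gid_conflicts)}


def resolve_gid(gid, sources):
    """Resolve a numeric GID the way nsswitch.conf does: first source that knows it wins."""
    for src in sources:
        for g in src.values():
            if g.gid == gid:
                return g.name
    return None


# Constructed sample: local groups, as `getent -s files group` would print them.
LOCAL_GROUP_FILE = """\
root:x:0:
users:x:100:
mock:x:989:braden
pulse-access:x:990:
"""

# Constructed sample: LDAP still carries the old GID 990 for "mock".
LDAP_GROUPS_STALE = """\
# mock, Groups, example.test
dn: cn=mock,ou=Groups,dc=example,dc=test
objectClass: top
objectClass: posixGroup
cn: mock
gidNumber: 990
memberUid: braden

# users, Groups, example.test
dn: cn=users,ou=Groups,dc=example,dc=test
objectClass: top
objectClass: posixGroup
cn: users
gidNumber: 100
memberUid: braden

# search result
search: 2
result: 0 Success
"""

# Same directory after the GID was changed to match the local group.
LDAP_GROUPS_FIXED = LDAP_GROUPS_STALE.replace("gidNumber: 990", "gidNumber: 989")


def audit(local_text, ldif_text):
    return find_conflicts(parse_group_file(local_text), parse_posix_group_ldif(ldif_text))


if __name__ == "__main__":
    for label, ldif in (("stale", LDAP_GROUPS_STALE), ("fixed", LDAP_GROUPS_FIXED)):
        print(label, audit(LOCAL_GROUP_FILE, ldif))
```

With the stale directory the audit reports mock defined as 989 locally and 990 in LDAP, and GID 990 meaning pulse-access locally but mock in LDAP; resolving 990 with files first yields pulse-access, with LDAP first yields mock, which is the ambiguity a cached membership runs into. After the GID change both lists are empty.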