On 24.02.2017 15:56, Bernard Fay wrote:
Stopping nscd did not change anything. "groups username" still shows user as member of Administrators.
Please can you make an ldapsearch for the object username and the output from getent passwd username.

Best regards,
Michael

On Fri, Feb 24, 2017 at 9:50 AM, Mark Coetser <mark@pkfnet.co.za> wrote:

Stop nscd and check again.

--
Thank you,
Mark Adrian Coetser
mark@pkfnet.co.za
... bleakness ... desolation ... plastic forks ...

On 24/02/2017 16:40, Bernard Fay wrote:

On Fri, Feb 24, 2017 at 9:12 AM, Michael Wandel <m.wandel@t-online.de> wrote:

On 24.02.2017 14:55, Bernard Fay wrote:
> Hi,
>
> I removed a user from an LDAP group about a week ago. Today, this user
> still shows as member of the group with the Linux command groups. Also,
> the group (Administrators) appears twice in the output of the command id:
> uid=10000(username) gid=10000(Administrators)
> groups=10001(users),10005(devel),10011(video),10015(ansible),10000(Administrators)
>

Can you please let us know about your nss configuration /etc/nsswitch.conf. IMHO it looks ok that the administrators is the primary group and also in the groups enumeration.

> The command getent though shows the proper group assignation:
> getent group | grep username | cut -d: -f1
> users
> devel
> video
> ansible
>
> All of those groups are LDAP groups.
>
> Does someone know why and would know how to fix this?

You can't find primary groups for a user with your command, grepping through "getent group". In modern systems aka sssd it is not a good idea, because enumeration is by default set to false.

]# grep -Ev "^\#|^$" /etc/nsswitch.conf
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus

The user has been removed from the group Administrators so it should not show. I do not use sssd as our LDAP is not secured so I use nscd. This LDAP is confined to a lab.

Thanks,
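
Added example, not part of the original thread and not any poster's code: it shows the distinction raised above between a user's primary group (the gid field of the passwd entry) and the memberships listed in group entries, using constructed getent-format data that reuses the thread's group names and gids. The function names, the remaining passwd fields and the extra member `other` are assumptions.

```shell
#!/bin/sh
# Constructed sample data in getent output format. Group names and gids are
# the ones shown in the thread; the other passwd fields and the member
# "other" are made up for the example.
PASSWD_SAMPLE='username:x:10000:10000:Lab User:/home/username:/bin/bash'
GROUP_SAMPLE='Administrators:x:10000:
users:x:10001:username,other
devel:x:10005:username
video:x:10011:username
ansible:x:10015:username'

# primary_group USER PASSWD_TEXT GROUP_TEXT
# Prints the group whose gid matches field 4 of the user's passwd entry
# (the numeric gid if no group entry has it). Fails if the user is unknown.
primary_group() {
    gid=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; exit }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$3" | awk -F: -v g="$gid" '
        $3 == g { print $1; found = 1; exit }
        END { if (!found) print g }'
}

# member_groups USER GROUP_TEXT
# Prints groups naming the user in the member field (field 4). This is all
# that grepping "getent group" can see; the primary group is not in it.
member_groups() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# explain_membership USER GROUP PASSWD_TEXT GROUP_TEXT
# Prints why USER is in GROUP: primary, member, both or none.
explain_membership() {
    p=no; m=no
    [ "$(primary_group "$1" "$3" "$4")" = "$2" ] && p=yes
    member_groups "$1" "$4" | grep -Fqx -- "$2" && m=yes
    case "$p$m" in
        yesyes) echo both ;;
        yesno)  echo primary ;;
        noyes)  echo member ;;
        *)      echo none ;;
    esac
}

explain_membership username Administrators "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
```

On a live host the same functions can be fed `"$(getent passwd username)"` and `"$(getent group)"`, provided group enumeration is enabled.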