Discussion:
[Freeipa-users] GID, groups and ipa group-show
bahan w
2015-08-21 13:21:00 UTC
Hello !

I am contacting you because I noticed something strange in my IPA environment.

I created a group:
ipa group-add g1 --desc="my first group"

Then I created a user with the GID of g1:
GID1=$(ipa group-show g1 | awk '/GID/ {printf("%s",$2)}')
ipa user-add --first=u1 --last=u1 --homedir=/home/u1 --shell=/bin/bash \
    --gidnumber="${GID1}" u1

Then when I run the ipa group-show g1 command, I get the following result:
###
Group name: g1
Description: my first group
GID: <gid1>
###

Same for ipa user-show u1:
###
User login: u1
First name: u1
Last name: u1
Home directory: /home/u1
Login shell: /bin/bash
Email address: u1@<MYDOMAIN>
UID: <uid1>
GID: <gid1>
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
###

These two commands do not see u1 as a member of g1.
When I run the command id u1, I can see the group:

###
id u1
uid=<uid1>(u1) gid=<gid1>(g1) groups=<gid1>(g1)
###

Is this the normal behaviour of these IPA commands?

Best regards.

Bahan
David Kupka
2015-08-24 09:01:17 UTC
Hello!

I'm not sure if this is intended and/or correct behavior or not.
Looking at /etc/passwd and /etc/group I see it behaves similarly in a way.

You can have the following entries in the aforementioned files:

[/etc/group]
...
g1:x:<gid1>:
...

[/etc/passwd]
...
u1:x:<uid1>:<gid1>::/home/u1:/bin/bash
...

Looking in /etc/group you can't see that user 'u1' is a member of group 'g1',
but tools like id, groups and getent show this information.

On the other hand it would be useful to show these "implicit" members in
group-show output.
Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
--
David Kupka
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Prasun Gera
2016-01-14 00:40:31 UTC
This is an old thread, but I can confirm that this is still an issue on
RHEL 7.2 + 4.2. This creates problems when there are roles associated with
groups, but group membership through GID is broken. I had migrated all old
NIS accounts into ipa. I then added the host enrollment role to a
particular group. Now, unless I add the users to the group explicitly, they
won't get the role, even if their gid is the same as the gid of the group.
Rob Crittenden
2016-01-14 21:09:55 UTC
Post by Prasun Gera
This is an old thread, but I can confirm that this is still an issue on
RHEL 7.2 + 4.2. This creates problems when there are roles associated
with groups, but group membership through GID is broken. I had migrated
all old NIS accounts into ipa. I then added the host enrollment role to
a particular group. Now, unless I add the users to the group explicitly,
they won't get the role, even if their gid is the same as the gid of the
group.
The user GIDNumber just sets the default group for POSIX. If you do
groups on the user I'll bet it shows correctly.

For the purposes of IPA access control, as you've seen, the user must
have a memberOf for a given group, either directly or indirectly.

rob
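The following script is an added example written for this page; it is not code from the thread or from the FreeIPA project. It reproduces offline the gap Bahan observed and Rob explains: a user's primary group is whatever gidNumber says in the passwd entry, whereas ipa group-show and IPA access control (roles, HBAC, sudo rules bound to a group) only see explicit member/memberOf links, which are what the member list in the group entry reflects. The passwd- and group-format data below is constructed sample data in getent(1) layout (u2 is the only explicit member of g1, while u1 and u4 belong to it by primary GID only); the function names are my own. It generalises the thread's single g1/u1 case: it lists every "implicit" member of any group and emits the real ipa group-add-member command that would make those memberships explicit.

```sh
#!/bin/sh
# Added example, not from the thread or FreeIPA. Sample data is constructed.

# Constructed passwd data (format of `getent passwd`): uid:x:UID:GID::home:shell
PASSWD_DATA='u1:x:1001:2001::/home/u1:/bin/bash
u2:x:1002:2001::/home/u2:/bin/bash
u3:x:1003:2002::/home/u3:/bin/bash
u4:x:1004:2001::/home/u4:/bin/bash'

# Constructed group data (format of `getent group`): name:x:GID:explicit,members
# g1 lists only u2 explicitly; u1 and u4 share its GID but are not members.
GROUP_DATA='g1:x:2001:u2
g2:x:2002:u3
ipausers:x:2003:u1,u2,u3,u4'

# implicit_members GROUP
# Prints, one per line, the users whose primary GID equals GROUP's GID but who
# are absent from GROUP's explicit member list (the members that id/groups
# report and ipa group-show does not). Exit status 2 if GROUP is unknown.
implicit_members() {
  group="$1"
  tmp=$(mktemp) || return 1
  printf '%s\n' "$GROUP_DATA" > "$tmp"
  printf '%s\n' "$PASSWD_DATA" | awk -F: -v g="$group" '
    NR == FNR {                         # first input: group data
      if ($1 == g) {
        gid = $3; found = 1
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") explicit[m[i]] = 1
      }
      next
    }
    # second input: passwd data; match on primary GID, skip explicit members
    found && $4 == gid && !($1 in explicit) { print $1 }
    END { if (!found) exit 2 }
  ' "$tmp" -
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# fixup_command GROUP
# Emits the ipa command that turns the implicit memberships into explicit
# member/memberOf links, so that rules bound to GROUP apply to those users.
# Prints nothing when there is nothing to fix.
fixup_command() {
  users=$(implicit_members "$1") || return $?
  [ -n "$users" ] || return 0
  printf 'ipa group-add-member %s --users=%s\n' "$1" \
    "$(printf '%s\n' "$users" | paste -sd, -)"
}

# Stand-alone run: report g1's implicit members and the command that fixes them.
implicit_members g1
fixup_command g1
```

To run this against a real deployment, replace the constructed data with `getent passwd` and `getent group` output. One caveat: on an IPA client SSSD does not enumerate domain users by default (enumerate = false in sssd.conf), so getent only returns entries already cached; it is more reliable to gather the data on the server, for example with `ipa user-find --gidnumber=<gid>` for the primary-GID side and `ipa group-show <group>` (Member users:) for the explicit side. Review the emitted group-add-member commands before applying them: making a membership explicit grants the user every role, HBAC rule and sudo rule attached to that group, which is exactly the effect the thread is after, but also exactly what a migrated NIS GID was never meant to authorise.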
David Kupka
2016-01-15 07:48:19 UTC
Post by Rob Crittenden
Post by Prasun Gera
This is an old thread, but I can confirm that this is still an issue on
RHEL 7.2 + 4.2. This creates problems when there are roles associated
with groups, but group membership through GID is broken. I had migrated
all old NIS accounts into ipa. I then added the host enrollment role to
a particular group. Now, unless I add the users to the group explicitly,
they won't get the role, even if their gid is the same as the gid of the
group.
The user GIDNumber just sets the default group for POSIX. If you do
groups on the user I'll bet it shows correctly.
For the purposes of IPA access control, as you've seen, the user must
have a memberOf for a given group, either directly or indirectly.
rob
Exactly, but the question is, shouldn't IPA add this membership
automatically? (Of course, only in case IPA has group with this GID.)

David
Petr Spacek
2016-01-15 08:31:10 UTC
Post by Rob Crittenden
Post by Prasun Gera
This is an old thread, but I can confirm that this is still an issue on
RHEL 7.2 + 4.2. This creates problems when there are roles associated
with groups, but group membership through GID is broken. I had migrated
all old NIS accounts into ipa. I then added the host enrollment role to
a particular group. Now, unless I add the users to the group explicitly,
they won't get the role, even if their gid is the same as the gid of the
group.
The user GIDNumber just sets the default group for POSIX. If you do
groups on the user I'll bet it shows correctly.
For the purposes of IPA access control, as you've seen, the user must
have a memberOf for a given group, either directly or indirectly.
rob
Exactly, but the question is, shouldn't IPA add this membership automatically?
(Of course, only in case IPA has group with this GID.)
IMHO we should. Currently, the user effectively has different group membership
on POSIX systems and non-POSIX systems which read only member attribute. I
think that this is surprising and inconsistent.

Petr^2 Spacek
Rob Crittenden
2016-01-15 14:55:31 UTC
Post by Petr Spacek
Post by Rob Crittenden
Post by Prasun Gera
This is an old thread, but I can confirm that this is still an issue on
RHEL 7.2 + 4.2. This creates problems when there are roles associated
with groups, but group membership through GID is broken. I had migrated
all old NIS accounts into ipa. I then added the host enrollment role to
a particular group. Now, unless I add the users to the group explicitly,
they won't get the role, even if their gid is the same as the gid of the
group.
The user GIDNumber just sets the default group for POSIX. If you do
groups on the user I'll bet it shows correctly.
For the purposes of IPA access control, as you've seen, the user must
have a memberOf for a given group, either directly or indirectly.
rob
Exactly, but the question is, shouldn't IPA add this membership automatically?
(Of course, only in case IPA has group with this GID.)
IMHO we should. Currently, the user effectively has different group membership
on POSIX systems and non-POSIX systems which read only member attribute. I
think that this is surprising and inconsistent.
Seems like next step is to open the RFE.

I wouldn't characterize it as POSIX vs non-POSIX as that could confuse
things. It is just that if the user doesn't have a UPG then they
probably don't have a memberOf for their GID group.

rob
Petr Spacek
2016-01-18 11:42:02 UTC
Post by Rob Crittenden
Post by Petr Spacek
Post by Rob Crittenden
Post by Prasun Gera
This is an old thread, but I can confirm that this is still an issue on
RHEL 7.2 + 4.2. This creates problems when there are roles associated
with groups, but group membership through GID is broken. I had migrated
all old NIS accounts into ipa. I then added the host enrollment role to
a particular group. Now, unless I add the users to the group explicitly,
they won't get the role, even if their gid is the same as the gid of the
group.
The user GIDNumber just sets the default group for POSIX. If you do
groups on the user I'll bet it shows correctly.
For the purposes of IPA access control, as you've seen, the user must
have a memberOf for a given group, either directly or indirectly.
rob
Exactly, but the question is, shouldn't IPA add this membership automatically?
(Of course, only in case IPA has group with this GID.)
IMHO we should. Currently, the user effectively has different group membership
on POSIX systems and non-POSIX systems which read only member attribute. I
think that this is surprising and inconsistent.
Seems like next step is to open the RFE.
I wouldn't characterize it as POSIX vs non-POSIX as that could confuse
things. It is just that if the user doesn't have a UPG then they
probably don't have a memberOf for their GID group.
https://fedorahosted.org/freeipa/ticket/5613
--
Petr^2 Spacek