Hi all
I am not sure if this is the right list for this question. Currently I have an issue with "newgrp" on AIX systems.
When an LDAP user logs on, he can see all his primary and secondary groups from LDAP with the "id" and "groups" commands. But the "newgrp" command only allows him to change to the first secondary group in the list. The screen output is here:
$ setgroups
k232524:
user groups = Ltech
process groups = Ltech,oscargrp,secgrp1,secgrp2,secgrp3
$ id
uid=1232524(k232524) gid=1232524(k232524) groups=1000001(Ltech),10000004(oscargrp),1000005(secgrp1),1000006(secgrp2),1000007(secgrp3)
$ groups
Ltech oscargrp secgrp1 secgrp2 secgrp3
$ newgrp Ltech
$ newgrp secgrp2
3004-676 "secgrp2" not in current user groupset.
For a local user, the values of "user groups" and "process groups" are the same. But for an LDAP user, they are different! The "user groups" value only contains the first secondary group from LDAP and the rest are gone. However, the "process groups" value is right.
I am using NSS_LDAP 2.33, OpenSSL 0.9.7d, OpenLDAP 2.2.20. Here is how I compile my OpenLDAP (we only need the client part):
./configure --prefix=/opt/ldap/openldap-2.2.20 --with-tls --disable-slapd --enable-static --with-threads
Someone told me that they have no issue with newgrp on AIX. So I must have done something wrong. We are using iPlanet 5.0 Directory. I wonder if I am missing some attributes in my group object. Here is the schema for a group:
dn: cn=secgrp2,ou=group,dc=abc,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 1000006
cn: secgrp2
memberUid: k232524
I have NO issue on Solaris and Linux at all. Just AIX.
Any info is appreciated.
Thanks
Eric
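
An added example, not part of the original post: a shell function that reads `setgroups` output in the format shown above and lists the groups that are in the process group set but missing from the user groupset, such as secgrp2 in the session above. The names `groupset_gap` and `sample_setgroups` are hypothetical, and the sample input is copied from the post.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads `setgroups` output on stdin and prints, one per line, every group
# listed under "process groups" that is absent from "user groups".
# Exits with status 2 if either line is missing from the input.
groupset_gap() {
    awk '
        /^[ \t]*user groups[ \t]*=/ {
            sub(/^[^=]*=/, "")                      # keep only the list
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                g = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", g)      # trim whitespace
                if (g != "") user[g] = 1
            }
            seen_user = 1
            next
        }
        /^[ \t]*process groups[ \t]*=/ {
            sub(/^[^=]*=/, "")
            proc_list = $0
            seen_proc = 1
            next
        }
        END {
            if (!seen_user || !seen_proc) exit 2
            n = split(proc_list, parts, ",")
            for (i = 1; i <= n; i++) {
                g = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", g)
                if (g != "" && !(g in user)) print g
            }
        }
    '
}

# Sample input: the setgroups output quoted in the post.
sample_setgroups() {
    cat <<'EOF'
k232524:
user groups = Ltech
process groups = Ltech,oscargrp,secgrp1,secgrp2,secgrp3
EOF
}

# On a live system the input would come from: setgroups | groupset_gap
sample_setgroups | groupset_gap
```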