On Fri, Feb 24, 2017 at 9:12 AM, Michael Wandel <m.wandel@t-online.de> wrote:
On 24.02.2017 14:55, Bernard Fay wrote:
> Hi,
>
> I removed a user from an LDAP group about a week ago. Today, this user
> still shows as member of the group with the Linux command groups. Also,
> the group (Administrators) appears twice in the output of the command id:
> uid=10000(username) gid=10000(Administrators)
> groups=10001(users),10005(devel),10011(video),10015(ansible),10000(Administrators)
>
Can you please let us know about your nss configuration
/etc/nsswitch.conf. IMHO it looks ok that the administrators is the
primary group and also in the groups enumeration.
> The command getent though shows the proper group assignation:
> getent group | grep username | cut -d: -f1
> users
> devel
> video
> ansible
>
> All of those groups are LDAP groups.
>
> Does someone know why and would know how to fix this?
You can't find primary groups for a user with your command, grepping
through "getent group". In modern systems aka sssd it is not a good
idea, because enumeration is by default set to false.
]# grep -Ev "^\#|^$" /etc/nsswitch.conf
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
The user has been removed from the group Administrators so it should
not show.
I do not use sssd as our LDAP is not secured so I use nscd. This LDAP
is confined to a lab.
Thanks,
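
Added example, not part of the thread or written by either poster: a shell sketch of the point made in the reply above, that a primary group comes from the GID field of the passwd entry and so never shows up when grepping member lists in `getent group`. The sample entries, the `backup` group, the `username2` account and all function names are constructed for illustration.

```shell
# Constructed sample data in passwd(5) and group(5) format, modelled on the
# id output quoted in the thread (not the poster's real directory contents).
SAMPLE_PASSWD='username:x:10000:10000::/home/username:/bin/bash'
SAMPLE_GROUP='Administrators:x:10000:
users:x:10001:username
devel:x:10005:username
video:x:10011:username
ansible:x:10015:username
backup:x:10020:username2'

# primary_group USER PASSWD_TEXT GROUP_TEXT
# The primary group is the GID in field 4 of the user's passwd entry. It is
# resolved to a name by GID, not by finding the user in a member list.
primary_group() {
    gid=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; exit }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$3" | awk -F: -v g="$gid" '$3 == g { print $1; exit }'
}

# member_groups USER GROUP_TEXT
# Groups whose member list (field 4) names the user exactly. Unlike
# `grep username`, this does not match a substring such as "username2".
member_groups() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# effective_groups USER PASSWD_TEXT GROUP_TEXT
# Primary group plus member-list groups, de-duplicated: the set that
# `id` reports for the user.
effective_groups() {
    { primary_group "$1" "$2" "$3"; member_groups "$1" "$3"; } | sort -u
}

# Demo on the constructed sample. On a live host the inputs would be
# "$(getent passwd username)" and "$(getent group)", which only lists
# directory groups when the NSS backend allows enumeration.
echo "primary: $(primary_group username "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
echo "members: $(member_groups username "$SAMPLE_GROUP" | tr '\n' ' ')"
```

When auditing whether a user still holds a privileged group, check both values: an empty member list on the group does not rule out the group being the account's primary GID.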