
Re: user removed from ldap group but Linux groups command still shows user as member of the group



On 24.02.2017 15:56, Bernard Fay wrote:
> Stopping nscd did not change anything.  "groups username" still shows
> user as member of Administrators.
> 

Please can you post an ldapsearch for the object username and the output
of getent passwd username.

best regards
Michael
> 
> 
> On Fri, Feb 24, 2017 at 9:50 AM, Mark Coetser <mark@pkfnet.co.za> wrote:
> 
>     stop nscd and check again.
> 
>     -- 
>     Thank you,
> 
>     Mark Adrian Coetser
>     mark@pkfnet.co.za
> 
>     ... bleakness ... desolation ... plastic forks ...
> 
> 
>     On 24/02/2017 16:40, Bernard Fay wrote:
> 
> 
>         On Fri, Feb 24, 2017 at 9:12 AM, Michael Wandel
>         <m.wandel@t-online.de> wrote:
> 
> 
>             On 24.02.2017 14:55, Bernard Fay wrote:
>             > Hi,
>             >
>             > I removed a user from an LDAP group about a week ago.
>         Today, this user
>             > still shows as member of the group with the Linux command
>         groups. Also,
>             > the group (Administrators) appears twice in the output of
>         the command id:
>             > uid=10000(username) gid=10000(Administrators)
>             >
>         groups=10001(users),10005(devel),10011(video),10015(ansible),10000(Administrators)
>             >
> 
>             Can you please let us know about your NSS configuration
>             /etc/nsswitch.conf. IMHO it looks OK that Administrators is the
>             primary group and also appears in the groups enumeration.
> 
>             > The command getent though shows the proper group assignment:
>             > getent group | grep username | cut -d: -f1
>             > users
>             > devel
>             > video
>             > ansible
>             >
>             > All of those groups are LDAP group.
>             >
>             > Does someone know why, and how to fix this?
> 
>             You can't find the primary group of a user with your command,
>             grepping through "getent group". In modern systems, aka sssd, it
>             is not a good idea, because enumeration is by default set to
>             false.
> 
> 
> 
>         ]# grep -Ev "^\#|^$" /etc/nsswitch.conf
>         passwd:     files sss ldap
>         shadow:     files sss ldap
>         group:      files sss ldap
>         hosts:      files dns
>         bootparams: nisplus [NOTFOUND=return] files
>         ethers:     files
>         netmasks:   files
>         networks:   files
>         protocols:  files
>         rpc:        files
>         services:   files sss
>         netgroup:   files sss ldap
>         publickey:  nisplus
>         automount:  files ldap
>         aliases:    files nisplus
> 
> 
>         The user has been removed from the group Administrators, so it
>         should not show.
> 
>         I do not use sssd as our LDAP is not secured, so I use nscd.
>         This LDAP is confined to a lab.
> 
>         Thanks,
> 
> 


-- 
Michael Wandel
Braakstraße 43
33647 Bielefeld
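The disagreement in the thread between `groups`/`id` and `getent group | grep username` comes down to how NSS assembles a user's group list: the primary group is taken from the gidNumber field of the passwd entry, while supplementary groups are the group entries whose member list names the user. A group entry that does not list the user (here, Administrators with an empty member list) is therefore invisible to the grep, yet still reported by `id` as long as the user's gidNumber points at it. The following script is an added example, not part of the mailing-list thread or any poster's code. It replays that logic over constructed `getent passwd` and `getent group` output (the UIDs and GIDs are taken from the thread; the second user, alice, and the member lists are made up) so it runs offline without an LDAP server.

```shell
#!/bin/sh
# Added example: reproduce how id/groups derive a user's group list from
# NSS data, using constructed `getent passwd` / `getent group` output.
# Administrators deliberately has no members listed, mirroring the thread.

PASSWD_DB='username:x:10000:10000:Lab User:/home/username:/bin/bash
alice:x:10001:10001:Alice:/home/alice:/bin/bash'

GROUP_DB='Administrators:x:10000:
users:x:10001:username,alice
devel:x:10005:username
video:x:10011:username
ansible:x:10015:username,alice'

# Primary group: the gidNumber in the passwd entry, resolved to a group name.
# Returns 1 if the user does not exist.
primary_group_of() {
    gid=$(printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $4 }')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$gid" '$3 == g { print $1 }'
}

# Supplementary groups: group entries whose member field names the user.
# This is what "getent group | grep username" approximates, and it can never
# see a primary-group-only membership such as Administrators above.
supplementary_groups_of() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# What `groups username` prints: primary group first, then supplementary ones.
effective_groups_of() {
    p=$(primary_group_of "$1") || return 1
    s=$(supplementary_groups_of "$1" | tr '\n' ' ')
    printf '%s %s\n' "$p" "$s" | sed 's/ *$//'
}

# Stand-alone usage: show both views side by side for the user from the thread.
for u in username alice; do
    printf '%s (groups-style): %s\n' "$u" "$(effective_groups_of "$u")"
    printf '%s (grep-style):   %s\n' "$u" "$(supplementary_groups_of "$u" | tr '\n' ' ')"
done
```

The practical consequence for the situation in the thread: removing a memberUid from the Administrators group only affects the supplementary view; as long as the user's own LDAP entry still carries gidNumber 10000, every NSS client will keep reporting Administrators as the primary group, whether or not nscd is running. Checking `getent passwd username` (as Michael asks) shows that gidNumber directly; if nscd is in use, `nscd -i passwd` and `nscd -i group` invalidate its caches so that a subsequent lookup reflects the directory rather than a stale entry.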