5

I have a Debian 10 machine which uses PAM LDAP for authentication. In LDAP I have two users alice and bob which are both members of group mygroup. Everything has worked fine (so the configuration shouldn't be too far off) until I recently discovered some weirdness with my groups (not sure what happened):

  • ldapsearch reports user alice as a member of group mygroup (as it should).
  • getent group shows user alice as a member of group mygroup (as it should). 
    root@tux:~# getent group | grep mygroup
mygroup:*:1210:alice,bob
  • id does not report alice to be a member of group mygroup: 
    root@tux:~# id alice
uid=1200(alice) gid=1200(alice) groups=1200(alice)
  • Surprisingly enough user bob is reported to be a member of mygroup: 
    root@tux:~# id bob
uid=1201(bob) gid=1201(bob) groups=1210(mygroup),1201(bob)

So far I thought that both getent and id are getting their information from the Name Service Switch library (NSS). I'm confused and hoping for some hints how to troubleshoot.

Improve this question
0

1 Answer 1

Reset to default
1

With some implementations of LDAP it's necessary not only to define the members of a group but also to define the groups of which a user is a member. (One isn't implied by the other - both relationships have to be stated explicitly.)

Look at the LDAP records for alice and bob, do they show group memberships? If so, check that alice and bob are indeed both members of mygroup.

Similarly, look at mygroup, and confirm that alice and bob are both members of it.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.