getent group returns empty group list

On Sat, 2010-02-13 at 16:58 -0500, John A. Sullivan III wrote:
> On Sat, 2010-02-13 at 12:11 -0800, Morris, Patrick wrote:
> > John A. Sullivan III wrote:
> > > Hello, all.  I'm having a miserable time getting CUPS to work with
> > > Directory Server for group authentication.  I think it is more
> > > fundamental than CUPS.  When I do getent group <groupname> to a local
> > > group, the result is populated with members.  However, if I do it for an
> > > LDAP group, the group is returned but with no members.  What would cause
> > > such behavior? Do I need something other than default NSS mappings?
> > >
> > > I am running CentOS Directory Server 8.1 on CentOS 5.4.  The client is
> > > running Debian Lenny.  Thanks - John
> > >   
> > 
> > The most likely reason is that how your system expects the groups to be 
> > set up (i.e., a list of usernames vs. a list of DNs, the objectClass to 
> > consider a Unix group, etc.) does not match what your data actually 
> > looks like.
> > 
> > Without any data about how you've got things configured on the client 
> > and in the LDAP database, though, it's pretty hard to say where that 
> > disconnect might be.
> <snip>
> Any pointers to where to look, normal configurations, documents to read?
> We are a secure multi-tenant environment so various groups are in
> various portions of the tree.  This print server needs to service all
> clients and this is able to search from the root of the tree.  Thanks -
> John
<snip>
At long last I think I see it.  FDS has created groups with object class
groupofuniquenames to which we have added an objectclass of posixgroup
but it is only populated with uniquemember and not memberuid.  It looks
like I have two options:

1) Define nss_map_objectclass posixgroup groupofuniquenames:
This works for getent group but seems to make id hang.  I think this
also creates a problem in that the user groups, i.e., the posixgroup
created for each uid, will not be mapped.

2) Define all the memberuids in each group:
This means an extra administrative step (is there any way to automate
this from the uniquemembers attribute?) and exposure to human error.

My guess is that option 2 is the correct way to go.  Is that true?
Thanks - John
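
Added example, not part of the original message: one way to script option 2, reading an LDIF export of the groups and emitting an LDIF modify that adds a memberUid for each uniqueMember that lacks one. It assumes member DNs start with a uid= RDN; the group names, tenants and dc=example,dc=com suffix are constructed sample data.

```python
# Assumes plain LDIF (no folded lines, no base64 values, no escaped commas in the RDN).
# Constructed sample export, trimmed to the attributes this script reads.
SAMPLE_LDIF = """\
dn: cn=printers,ou=tenant1,dc=example,dc=com
uniqueMember: uid=alice,ou=People,ou=tenant1,dc=example,dc=com
uniqueMember: uid=bob,ou=People,ou=tenant1,dc=example,dc=com
memberUid: alice

dn: cn=ops,ou=tenant2,dc=example,dc=com
uniqueMember: cn=Carol Smith,ou=People,ou=tenant2,dc=example,dc=com
"""

def parse_entries(ldif):
    """Yield (dn, {attr_lower: [values]}) for each blank-line-separated entry."""
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        yield attrs["dn"][0], attrs

def uid_from_dn(dn):
    """Return the uid if the DN's first RDN is uid=..., else None."""
    rdn = dn.split(",", 1)[0]
    key, _, value = rdn.partition("=")
    return value.strip() if key.strip().lower() == "uid" and value else None

def build_changes(ldif):
    """Return (ldif_modify_text, member_dns_that_could_not_be_mapped)."""
    out, unresolved = [], []
    for dn, attrs in parse_entries(ldif):
        have = set(attrs.get("memberuid", []))
        missing = []
        for member in attrs.get("uniquemember", []):
            uid = uid_from_dn(member)
            if uid is None:
                unresolved.append(member)  # needs a directory lookup instead
            elif uid not in have and uid not in missing:
                missing.append(uid)
        if missing:
            out.append("\n".join([f"dn: {dn}", "changetype: modify", "add: memberUid"]
                                 + [f"memberUid: {u}" for u in missing]))
    return "\n\n".join(out) + ("\n" if out else ""), unresolved

if __name__ == "__main__":
    changes, skipped = build_changes(SAMPLE_LDIF)
    print(changes + "".join(f"# needs directory lookup: {d}\n" for d in skipped))
```

The generated LDIF can be reviewed and then applied with ldapmodify; members reported as unmapped are the ones that would otherwise silently stay out of the group that CUPS checks.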
