From owner-freebsd-stable@FreeBSD.ORG  Tue Mar  9 00:08:29 2010
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 42B61106566B
	for <freebsd-stable@freebsd.org>; Tue,  9 Mar 2010 00:08:29 +0000 (UTC)
	(envelope-from peter@simons-rock.edu)
Received: from hedwig.simons-rock.edu (hedwig.simons-rock.edu [208.81.88.14])
	by mx1.freebsd.org (Postfix) with ESMTP id 09A288FC18
	for <freebsd-stable@freebsd.org>; Tue,  9 Mar 2010 00:08:28 +0000 (UTC)
Received: from cesium.hyperfine.info (c2.8d.5646.static.theplanet.com
	[70.86.141.194])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hedwig.simons-rock.edu (Postfix) with ESMTP id E67992BB343;
	Mon,  8 Mar 2010 19:08:27 -0500 (EST)
Date: Mon, 8 Mar 2010 19:08:26 -0500
From: "Peter C. Lai" <peter@simons-rock.edu>
To: Ling-hua Tseng <uranus@tinlans.org>
Message-ID: <20100309000826.GF4648@cesium.hyperfine.info>
References: <F3B6FDBA2D4E44E49C4DFC8CA2F3A182@TinlansPC>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <F3B6FDBA2D4E44E49C4DFC8CA2F3A182@TinlansPC>
User-Agent: Mutt/1.5.17 (2007-11-01)
Cc: freebsd-stable@freebsd.org
Subject: Re: Supplementary groups on LDAP cannot work with RELENG_8 +
	nss_ldap
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2010 00:08:29 -0000

Unable to reproduce, at least on a brand new 8-R install.
Did you make sure you correctly merged /etc/nsswitch.conf during mergemaster?

On 2010-03-08 09:07:12PM +0800, Ling-hua Tseng wrote:
> Today I upgraded 2 of my 4 machines from RELENG_7 to RELENG_8.
> Both of the 2 machines are just LDAP clients.
> My LDAP server is still running on RELENG_7,
> and the remained one is also a LDAP client.
> All of them were installed OpenLDAP-2.4.21 and nss_ldap-1.265_3.
> 
> Before I upgrades my system, everything works properly.
> I added a group named `group1' on LDAP server,
> and then add a user named `user1' to this group.
> I can type `id user1' to see the following line:
>   uid=3000(user1) gid=3000(user1) groups=3000(user1),10000(gorup1)
> 
> Of course, now the following record is already my LDAP server:
> --
> dn: cn=group,ou=group,dc=mydomain,dc=org
> objectClass: posixGroup
> cn: group1
> gidNumber: 10000
> memberUid: user1
> --
> 
> After I upgraded these 2 machines from RELENG_7 to RELENG_8,
> to type `id user1' could only show the following information:
>   uid=3000(user1) gid=3000(user1) groups=3000(user1)
> This user's supplementary group was gone,
> and he couldn't write any group-writable files which had gid 10000 one the 2 machines.
> But in my other 2 machines that running on RELENG_7,
> this problem is still not occured.
> 
> I have logged the behaviors of RELENG_7 & RELENG_8.
> Here is the behavior when I type `id user1' on RELENG_7:
> --
> conn=1007 op=2 SRCH base="ou=people,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=user1))"
> conn=1007 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire loginClass
> 
> conn=1007 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
> conn=1007 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> 
> conn=1007 op=4 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))"
> conn=1007 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> 
> conn=1007 op=4 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))"
> conn=1007 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> 
> conn=1007 op=4 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=10000))"
> conn=1007 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> --
> In step 2, it tries to fetch out the full group list from my LDAP server.
> According to this information, it can know what user1's supplementary groups are.
> 
> RELENG_8:
> --
> conn=1008 op=2 SRCH base="ou=people,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=user1))"
> conn=1008 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire loginClass
> 
> conn=1008 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))"
> conn=1008 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> 
> conn=1008 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))"
> conn=1008 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> --
> It never tried to get the group list from LDAP server,
> hence it's impossible to know user1's supplementary groups.
> 
> The client settings on RELENG_7 & RELENG_8 are fully consistent,
> so I don't think it's the problem of my config files.
> Since my 4 machines use the same version of nss_ldap,
> to downgrade nss_ldap's version for testing is meaningless.
> 
> Should this problem is a base system's bug?
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

-- 
===========================================================
Peter C. Lai                 | Bard College at Simon's Rock
Systems Administrator        | 84 Alford Rd.
Information Technology Svcs. | Gt. Barrington, MA 01230 USA
peter AT simons-rock.edu     | (413) 528-7428
===========================================================