From: "Peter C. Lai" <peter@simons-rock.edu>
To: Ling-hua Tseng
Cc: freebsd-stable@freebsd.org
Date: Mon, 8 Mar 2010 19:08:26 -0500
Subject: Re: Supplementary groups on LDAP cannot work with RELENG_8 + nss_ldap

Unable to reproduce, at least on a brand new 8-R install. Did you make sure
you correctly merged /etc/nsswitch.conf during mergemaster?

On 2010-03-08 09:07:12PM +0800, Ling-hua Tseng wrote:
> Today I upgraded 2 of my 4 machines from RELENG_7 to RELENG_8.
> Both of the 2 machines are just LDAP clients.
> My LDAP server is still running on RELENG_7,
> and the remaining one is also an LDAP client.
> All of them had OpenLDAP-2.4.21 and nss_ldap-1.265_3 installed.
>
> Before I upgraded my system, everything worked properly.
> I added a group named `group1' on the LDAP server,
> and then added a user named `user1' to this group.
> I could type `id user1' and see the following line:
> uid=3000(user1) gid=3000(user1) groups=3000(user1),10000(group1)
>
> Of course, the following record is already on my LDAP server:
> --
> dn: cn=group,ou=group,dc=mydomain,dc=org
> objectClass: posixGroup
> cn: group1
> gidNumber: 10000
> memberUid: user1
> --
>
> After I upgraded these 2 machines from RELENG_7 to RELENG_8,
> typing `id user1' only showed the following information:
> uid=3000(user1) gid=3000(user1) groups=3000(user1)
> This user's supplementary group was gone,
> and he couldn't write any group-writable files which had gid 10000 on the 2 machines.
> But on my other 2 machines running RELENG_7,
> this problem has still not occurred.
>
> I have logged the behaviors of RELENG_7 & RELENG_8.
> Here is the behavior when I type `id user1' on RELENG_7:
> --
> conn=1007 op=2 SRCH base="ou=people,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=user1))"
> conn=1007 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire loginClass
>
> conn=1007 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
> conn=1007 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
>
> conn=1007 op=4 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))"
> conn=1007 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
>
> conn=1007 op=4 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))"
> conn=1007 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
>
> conn=1007 op=4 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=10000))"
> conn=1007 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> --
> In step 2, it tries to fetch the full group list from my LDAP server.
> From this information, it can work out what user1's supplementary groups are.
>
> RELENG_8:
> --
> conn=1008 op=2 SRCH base="ou=people,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=user1))"
> conn=1008 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire loginClass
>
> conn=1008 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))"
> conn=1008 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
>
> conn=1008 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))"
> conn=1008 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> --
> It never tried to get the group list from the LDAP server,
> hence it's impossible to know user1's supplementary groups.
>
> The client settings on RELENG_7 & RELENG_8 are fully consistent,
> so I don't think it's a problem with my config files.
> Since my 4 machines use the same version of nss_ldap,
> downgrading nss_ldap's version for testing is meaningless.
>
> Could this problem be a base system bug?
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

--
===========================================================
Peter C. Lai                 | Bard College at Simon's Rock
Systems Administrator        | 84 Alford Rd.
Information Technology Svcs. | Gt. Barrington, MA 01230 USA
peter AT simons-rock.edu     | (413) 528-7428
===========================================================
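The two slapd traces quoted above differ in one thing: the RELENG_7 client enumerates every posixGroup (op=3) and can therefore match memberUid itself, while the RELENG_8 client only ever asks for a gidNumber. The script below is an added example, not code from the thread or from nss_ldap: it parses constructed slapd log excerpts modelled on the two traces, classifies each group-subtree search, and reports whether supplementary-group resolution was possible; it also shows what the enumeration step computes over constructed group entries mirroring the LDIF in the thread.

```python
import re

# Constructed slapd log excerpts modelled on the two traces in the thread
# (one SRCH line per operation; the "attr=" continuation lines are omitted).
RELENG7_LOG = """\
conn=1007 op=2 SRCH base="ou=people,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=user1))"
conn=1007 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=1007 op=4 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))"
conn=1007 op=4 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=10000))"
"""
RELENG8_LOG = """\
conn=1008 op=2 SRCH base="ou=people,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=user1))"
conn=1008 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))"
conn=1008 op=3 SRCH base="ou=group,dc=mydomain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=3000))"
"""

SRCH_RE = re.compile(r'conn=\d+ op=\d+ SRCH base="([^"]*)" .*?filter="([^"]*)"')

def group_filters(log):
    """Return the search filters the client issued against the group subtree."""
    return [f for base, f in SRCH_RE.findall(log) if base.startswith("ou=group,")]

def classify(filt):
    """Tell a per-gid name lookup apart from queries that can reveal membership."""
    if "(gidNumber=" in filt:
        return "by-gid"        # maps one gid to a name; says nothing about membership
    if "(memberUid=" in filt or "(uniqueMember=" in filt:
        return "by-member"     # asks the server directly which groups list the user
    return "enumerate"         # full group list, filtered on memberUid client-side

def can_resolve_supplementary(log):
    """A client that only searches by gidNumber cannot learn supplementary groups."""
    return any(classify(f) in ("enumerate", "by-member") for f in group_filters(log))

# What the RELENG_7 enumeration step achieves: walk every posixGroup and keep those
# whose memberUid lists the user. Constructed entries; the user1 group is assumed.
GROUPS = [
    {"cn": "user1", "gidNumber": 3000, "memberUid": []},
    {"cn": "group1", "gidNumber": 10000, "memberUid": ["user1"]},
]

def supplementary_gids(groups, user):
    return sorted(g["gidNumber"] for g in groups if user in g["memberUid"])

if __name__ == "__main__":
    for name, log in (("RELENG_7", RELENG7_LOG), ("RELENG_8", RELENG8_LOG)):
        print(name, [classify(f) for f in group_filters(log)],
              "supplementary resolvable:", can_resolve_supplementary(log))
    print("user1 supplementary gids via enumeration:", supplementary_gids(GROUPS, "user1"))
```

Run against a real slapd log with loglevel stats, the same classification shows at a glance whether a client ever issued a query that could reveal membership.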