Description of problem: If a user is added to a group by editing /etc/group and /etc/gshadow the system does not correctly accept this. If groups {login} is run afterwards it still shows the groups before the edit. This is especially a problem if a user is added to a samba group references in /etc/samba/shares.conf. Such a user can not access the share although he/she is correctly shown in /etc/group and /etc/gshadow. If a grpck command is run then the group change is correctly shown and samba access is possible. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. vigr # add user UserX to group GroupY 2. group UserX # does not show list GroupY 3. grpck 4. group UserX # GroupY is correctly shown Actual results: Expected results: Additional info:
If the command groupmod is used the groups are updated correctly. There is no written evidence though that editing the group file is not sufficient. It is especially difficult to track samba access problems down if the files and even system-config-user shows the groups correctly. The problem does not exist on Red Hat Enterprise Linux WS release 3 (Taroon Update 9) nor on Red Hat Enterprise Linux WS release 4 (Nahant Update 3).
Thanks for report, however, thats expected and not a bug. Following information was added into groups info documentation by http://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=167b8025aca487de001da2448c1aebc2747bc1d3: "Primary and supplementary groups for a process are normally inherited from its parent and are usually unchanged since login. This means that if you change the group database after logging in, `groups' will not reflect your changes within your existing login session. Running `groups' with a list of users causes the user and group database to be consulted afresh, and so will give a different result." So maybe just documentation should be tweaked a bit.
However - that part about RHEL-3/4 is interesting ... as in RHEL-5 groups is just shell script above id command, I'll check a bit what changed there... However the comment with information that changes within existing login session are not reflected without refreshed user/group database is valid.
I understand the effect on the current login session. The real problem is that samba access does not work properly as before. Example: A user asks me for a share access on a server. I add the user to /etc/passwd, shadow, group and gshadow (with a custom script I have for that). I also add the user to a group shareXusers. In /etc/samba/shares.conf share access is referenced like "write list = @shareXusers" The I ask the user to test access. Before the latest update on RHel5 this was no problem and it still is no problem on RHel3, RHel4 and Ubuntu. Since the latest update of RHel5 about 4 weeks ago the share access is denied until I issue a grpck or a similar command.
So RHEL-5.3/4 had no such problem and it occured after update to RHEL-5.5? Strange - there was no such change in RHEL-5.5 coreutils (no coreutils update in fact) - last coreutils update was 5.4 - and no change related to id or groups was included. As all those utilities depends on systemcalls, maybe some change in kernel was done. I don't know - if you have some machine with working RHEL-5 and not working RHEL-5, could you please check the change in `strace id -Gn <user>`? Additionally - please contact www.redhat.com/support if you want to have more investigation of the issue - RH bugzilla is just bugtracker, not support tool. They may have more time to investigate the issue and probably search for the culprit of the change in behaviour.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1074.html