Bug 88869 - ldap users can't use secondary groups
ldap users can't use secondary groups
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: glibc (Show other bugs)
8.0
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Jakub Jelinek
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-04-15 00:02 EDT by rmhristev
Modified: 2016-11-24 10:24 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-04-22 17:21:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description rmhristev 2003-04-15 00:02:18 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
The secondary group membership appears to be broken for LDAP users

Consider a directory with ownership X, group-ownership B and mode 0750

An LDAP user Y with primary group A and secondary group B membership
cannot change to the above directory.

Other simptoms: "id" by itself shows only the primary group A
while "id usercode" shows the correct output (groups A & B).


Version-Release number of selected component (if applicable):
glibc-2.3.2-4.80

How reproducible:
Always

Steps to Reproduce:
1. use an LDAP account
2. try "id" and "id <usercode>"
3. try to change to dirs with mode 0750 and group ownership other than your
primary group membership.
    

Actual Results:  The user can't access directories based on secondary group
membership.

Expected Results:  The user should be able to access the directory and "id"
should show all groups.

Additional info:

I'm not sure if this is a glibc bug but the "id" does not work correctly
and it is linked only with glibc.

(I'm putting this at "high" severity because I do consider that it makes 
LDAP based authentication almost useless)
Comment 1 Gordon Messmer 2003-04-21 12:18:30 EDT
Your description of the problem, especially that "id usercode" gives the correct
results, sounds like you created a secondary group for the user, but did not
either log in afterward to verify the result, or run "newgrp".

Create a secondary group, and either log in afterward or run "newgrp" to see if
the problem still exists.
Comment 2 rmhristev 2003-04-22 17:21:52 EDT
Sorry :-( :-( the problem was due to LDAP server misconfiguration.

Note You need to log in before you can comment on or make changes to this bug.