Directory users disappearing from local groups

francisaugusto

Contributor
Joined
Nov 16, 2018
Messages
153
Hi,

I add some directory users to local groups, but after a while they disappear from those groups, i.e., when I check `id user`, only the directory groups are listed.

Should it be like this, or is something wrong happening?
 

Kris Moore

SVP of Engineering
Administrator
Moderator
iXsystems
Joined
Nov 12, 2015
Messages
1,471
Try "Directory Services -> Settings -> Rebuild Directory Service Cache", does that bring them back?
 

francisaugusto

Contributor
Joined
Nov 16, 2018
Messages
153
> You can't add directory services users to local groups.

That's a pity. Usually on other LDAP-bound machines, this works pretty ok.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> That's a pity. Usually on other LDAP-bound machines, this works pretty ok.

Okay. This needs a point of clarification. Are you talking about creating a local group on the server and then making the directory services group a member of that group? If so, not supported.

If you're talking about having a directory services group be available for use on the server, this is possible. It 100% depends on proper mappings being set up in your LDAP configuration. If things are set up correctly, then `getent group` should show your local users. The dropdowns in the webui depend on a cache that we build up. If for some reason it's not building (the cache), you should still be able to just manually type the group name into the permissions manager and use it.

If you think the LDAP cache isn't being built correctly, you can PM me the middlewared log and I'll see if there is a bug in it.
 

francisaugusto

Contributor
Joined
Nov 16, 2018
Messages
153
> Okay. This needs a point of clarification. Are you talking about creating a local group on the server and then making the directory services group a member of that group? If so, not supported.
>
> If you're talking about having a directory services group be available for use on the server, this is possible. It 100% depends on proper mappings being set up in your LDAP configuration. If things are set up correctly, then `getent group` should show your local users. The dropdowns in the webui depend on a cache that we build up. If for some reason it's not building (the cache), you should still be able to just manually type the group name into the permissions manager and use it.
>
> If you think the LDAP cache isn't being built correctly, you can PM me the middlewared log and I'll see if there is a bug in it.

What I mean is to add a domain user to a local group. I added user francis - which is a domain user - to a "media" local group. It works, but when I log in again, all memberships to a local group of those directory users disappear.

`getent group` shows both local and domain groups.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> What I mean is to add a domain user to a local group. I added user francis - which is a domain user - to a "media" local group. It works, but when I log in again, all memberships to a local group of those directory users disappear.
>
> `getent group` shows both local and domain groups.

How are you achieving this (adding domain user to local group)? BTW, NFSv4 ACLs support something like 128 entries. You can always create an LDAP group for media access and simply grant it access to your media files.
 

francisaugusto

Contributor
Joined
Nov 16, 2018
Messages
153
> How are you achieving this (adding domain user to local group)? BTW, NFSv4 ACLs support something like 128 entries. You can always create an LDAP group for media access and simply grant it access to your media files.

I did `usermod -aG localgroup user`
I dunno if this is related to the fact that my memberships to domain groups aren't being shown, except for the primary groups.
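
A check for the symptom discussed in this thread, as an added example that is not part of any post: it compares the member lists in `getent group` output with what `id -Gn` resolves for the user. The function names and the sample data are constructed for illustration, and group names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# listed_groups USER  < group-db-lines
# Reads group(5) lines (name:passwd:gid:member,member,...) on stdin and
# prints each group whose member field holds USER as an exact entry,
# so "francis" does not match a member named "francisco".
listed_groups() {
    awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break } }'
}

# missing_groups USER "ID_GROUPS"  < group-db-lines
# ID_GROUPS is the space-separated output of `id -Gn USER`.
# Prints every group that lists USER as a member but is absent from the
# identity the system actually resolves for that user.
missing_groups() {
    user=$1
    have=" $2 "
    listed_groups "$user" | while read -r g; do
        case "$have" in
            *" $g "*) ;;                  # membership is effective
            *) printf '%s\n' "$g" ;;      # listed, but not resolved
        esac
    done
}

# Constructed sample data: "media" lists francis, "backup" lists francisco.
SAMPLE_DB='wheel:*:0:root
media:*:1001:francis,plex
backup:*:1002:francisco
staff:*:20:francis'

# Constructed `id -Gn francis` output that lacks the "media" group.
printf '%s\n' "$SAMPLE_DB" | missing_groups francis "staff domainusers"

# Live use, with the commands named in the thread:
#   getent group | missing_groups francis "$(id -Gn francis)"
```

A group printed here is still in the group database but is not being resolved for the user. No output for a membership you expected means the entry is no longer in the group database itself.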
 