using libnss-ldap, user can be member of max 16 groups
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libnss-ldap (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: libnss-ldap
We are running a desktop system on edubuntu Feisty, using libnss-ldap 251-7.5
the user ro2 is member of 19 groups. The id command lists them fine:
uid=2070(ro2) gid=2070(ro2) groups=
3005(xxx)
3013(xxx)
(some group names replaced by xxx for privacy)
the user can enter any folder using where permission is granted for the groups 2070--3014
he can not enter any folder which is restricted for group 3015,3016,3016
If we remove membership of 3001-3004, it then is possible to access the folder restricted for 3015,3016,3017!
I am not sure if this is a bug in libnss-ldap or in another package.
If so, please point me there, so I can report the bug in the right place.
I am pretty sure this is a problem in your NFS setup. NFS limits the number of groups transmitted to server to 16 by default. (Some newer implementations extend the protocol to transmit 32 or more group memberships.)
To verify this is an NFS-related issue, try creating a local file (/tmp should usually be a local FS) like this (as root):
echo hello > /tmp/localtest
chown 0.3015 /tmp/localtest
chmod 0640 /tmp/localtest
su - ro2 # i assume this uses pam-ldap
cat /tmp/localtest
exit
If the cat works, this is a non-LDAP problem.
Also, while you're logged in as root, compare the output of
id ro2
with the output of just
id
when logged in as "ro2". The former shows you what nss-ldap returns, the latter what perms pam-ldap actually sets. The sets should be the same. :-)
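An added check, not taken from the bug report or the reply above, that applies the 16-group AUTH_SYS credential limit mentioned in the reply to an `id`-style line: it lists the gids an NFS client using AUTH_SYS would drop from the RPC credential, so you can tell in advance which group-restricted exports will fail for a user. The sample `id` output and the group numbers in it are constructed; the 16-entry limit is the one from the AUTH_SYS (AUTH_UNIX) credential definition in RFC 5531.

```shell
#!/bin/sh
# Constructed sample `id` output for a user in 19 groups (not the reporter's real data).
SAMPLE_ID='uid=2070(ro2) gid=2070(ro2) groups=2070(ro2),3000(xxx),3001(xxx),3002(xxx),3003(xxx),3004(xxx),3005(xxx),3006(xxx),3007(xxx),3008(xxx),3009(xxx),3010(xxx),3011(xxx),3012(xxx),3013(xxx),3014(xxx),3015(xxx),3016(xxx),3017(xxx)'

# An AUTH_SYS (AUTH_UNIX) RPC credential carries at most 16 group ids (RFC 5531);
# group memberships past that point never reach the NFS server.
NFS_NGROUPS=16

# Print the numeric gids from an `id`-style line, one per line, in the order listed.
id_gids() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/(.*//'
}

# Print the gids that fall beyond the first $2 entries (default 16): the groups
# that would be silently dropped from the credential the client sends.
dropped_gids() {
    id_gids "$1" | awk -v n="${2:-$NFS_NGROUPS}" 'NR > n { print }'
}

# Return 0 if gid $2 is within the first $3 entries (default 16) and would be
# transmitted; return 1 if it would be dropped or the user is not in it at all.
gid_transmitted() {
    id_gids "$1" | awk -v n="${3:-$NFS_NGROUPS}" -v g="$2" \
        'NR <= n && $1 == g { found = 1 } END { exit found ? 0 : 1 }'
}

# Against a real account, run:  dropped_gids "$(id ro2)"
dropped_gids "$SAMPLE_ID"
```

A non-empty result means a local test such as the /tmp check above will succeed while the same file on an NFS export will not, which confirms the credential limit rather than nss-ldap as the cause.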