Ping a Specific Port

Question

BeepDog

Asked: 2013-10-23 07:32:02 +0800 CST2013-10-23 07:32:02 +0800 CST 2013-10-23 07:32:02 +0800 CST

LDAP groups not applying to filesystem permissions

772

System is ArchLinux, and I'm using nss-pam-ldapd (0.8.13-4) to connect myself to ldap.

Relevant configuration files:

I've got my users and some groups in LDAP:

[root@kain tmp]# getent group
<localgroups snipped>
dkowis:*:10000:
mp3s:*:15000:rkowis,dkowis
music:*:15002:rkowis,dkowis
video:*:15003:transmission,rkowis,dkowis,sickbeard
software:*:15004:rkowis,dkowis
pictures:*:15005:rkowis,dkowis
budget:*:15006:rkowis,dkowis
rkowis:*:10001:

And I have some directories that are setgid video so that the video group stays, and they're configured g=rwx so that members of the video group can write to them:

[root@kain video]# ls -ld /srv/video
drwxrwxr-x 8 root video 208 Oct 19 20:49 /srv/video

However, members of that group, say dkowis cannot write into that directory:

[root@kain video]# groups dkowis
mp3s music video software pictures dkowis

Total number of groups that dkowis is in is like 7, I redacted a few here.

[dkowis@kain wat]$ cd /srv/video
[dkowis@kain video]$ touch something
touch: cannot touch 'something': Permission denied

[dkowis@kain video]$ groups
dkowis mp3s music video software pictures

I'm at a loss as to why my groups show up in getent groups, but my filesystem permissions are not being respected. I've tried making a new directory in /tmp and setting it's group permissions to rwx, and then trying to write a file in there, it doesn't work. The only time it does work is if I open it wide up allowing o=rwx. That's obviously not what I want, and I'm not able to figure out what my missing piece is.

Thanks in advance.

EDIT: stopping nscd had no effect either. It doesn't appear to be a caching problem.

EDIT: a bit of expirementing:

Locally defined groups work just fine, this seem to only affect LDAP groups, added to /etc/group:

test:x:15007:dkowis
mkdir /tmp/wat
chgrp test /tmp/wat
chmod g+rws /tmp/wat
su - dkowis
cd /tmp/wat
touch something
[dkowis@kain wat]$ ls -la
total 0
drwxrwsr-x 2 root   test  60 Oct 22 11:26 .
drwxrwxrwt 8 root   root 160 Oct 22 11:26 ..
-rw-r--r-- 1 dkowis test   0 Oct 22 11:26 something

1 Answers

Voted

84104 · Answer 1 · 2013-10-23T10:09:56+08:00

Best Answer

84104

2013-10-23T10:09:56+08:002013-10-23T10:09:56+08:00

You're running into a namespace collision.

By default /etc/nsswitch.conf is configured to look first at files then at external sources.
group: files ldap.

This means that the video group from /etc/group will match before the video group in ldap. This can be seen by running getent group video.

4

LDAP groups not applying to filesystem permissions

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?