From owner-freebsd-stable@FreeBSD.ORG Mon Mar 8 13:23:41 2010 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EE856106564A for ; Mon, 8 Mar 2010 13:23:40 +0000 (UTC) (envelope-from uranus@tinlans.org) Received: from tinlans.org (tinlans.org [220.133.199.45]) by mx1.freebsd.org (Postfix) with ESMTP id 1BAA88FC12 for ; Mon, 8 Mar 2010 13:23:39 +0000 (UTC) Received: from tinlans.org (localhost [127.0.0.1]) by tinlans.org (Postfix) with ESMTP id B251DCF042 for ; Mon, 8 Mar 2010 21:08:22 +0800 (CST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tinlans.org; h= x-mailer:content-type:content-type:mime-version:date:date :subject:subject:from:from:message-id:received:received; s= tinlans; t=1268053702; bh=vEaOtbW6nHKS1hfJZVdel7iet4n/D2M4JjQgKG E9Hxc=; b=p7RYvh4xasS9qofRnLqWgg0HYbmoRSlHdoni3U6UWpAgNEnFhylBnk BSVw4p89dqfsjlMHvxPZcE7SWunhr/Ig== X-Virus-Scanned: amavisd-new at tinlans.org Received: from tinlans.org ([127.0.0.1]) by tinlans.org (tinlans.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qT5ZdNne7uAp for ; Mon, 8 Mar 2010 21:08:22 +0800 (CST) Received: from TinlansPC (TinlansPC [192.168.1.2]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by tinlans.org (Postfix) with ESMTPSA id 7CA59CF040 for ; Mon, 8 Mar 2010 21:08:22 +0800 (CST) Message-ID: From: "Ling-hua Tseng" To: Date: Mon, 8 Mar 2010 21:07:12 +0800 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal Importance: Normal X-Mailer: Microsoft Windows Live Mail 14.0.8089.726 X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8089.726 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Supplementary groups on LDAP cannot work with RELENG_8 + nss_ldap X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Mar 2010 13:23:41 -0000 Today I upgraded 2 of my 4 machines from RELENG_7 to RELENG_8. Both of the 2 machines are just LDAP clients. My LDAP server is still running on RELENG_7, and the remained one is also a LDAP client. All of them were installed OpenLDAP-2.4.21 and nss_ldap-1.265_3. Before I upgrades my system, everything works properly. I added a group named `group1' on LDAP server, and then add a user named `user1' to this group. I can type `id user1' to see the following line: uid=3D3000(user1) gid=3D3000(user1) groups=3D3000(user1),10000(gorup1) Of course, now the following record is already my LDAP server: -- dn: cn=3Dgroup,ou=3Dgroup,dc=3Dmydomain,dc=3Dorg objectClass: posixGroup cn: group1 gidNumber: 10000 memberUid: user1 -- After I upgraded these 2 machines from RELENG_7 to RELENG_8, to type `id user1' could only show the following information: uid=3D3000(user1) gid=3D3000(user1) groups=3D3000(user1) This user's supplementary group was gone, and he couldn't write any group-writable files which had gid 10000 one = the 2 machines. But in my other 2 machines that running on RELENG_7, this problem is still not occured. I have logged the behaviors of RELENG_7 & RELENG_8. Here is the behavior when I type `id user1' on RELENG_7: -- conn=3D1007 op=3D2 SRCH base=3D"ou=3Dpeople,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixAccount)(uid=3Duser1))" conn=3D1007 op=3D2 SRCH attr=3Duid userPassword uidNumber gidNumber cn = homeDirectory loginShell gecos description objectClass shadowLastChange = shadowMax shadowExpire loginClass conn=3D1007 op=3D3 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 filter=3D"(&(objectClass=3DposixGroup))" conn=3D1007 op=3D3 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber conn=3D1007 op=3D4 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixGroup)(gidNumber=3D3000))" conn=3D1007 op=3D4 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber conn=3D1007 op=3D4 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixGroup)(gidNumber=3D3000))" conn=3D1007 op=3D4 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber conn=3D1007 op=3D4 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixGroup)(gidNumber=3D10000))" conn=3D1007 op=3D4 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber -- In step 2, it tries to fetch out the full group list from my LDAP = server. According to this information, it can know what user1's supplementary = groups are. RELENG_8: -- conn=3D1008 op=3D2 SRCH base=3D"ou=3Dpeople,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixAccount)(uid=3Duser1))" conn=3D1008 op=3D2 SRCH attr=3Duid userPassword uidNumber gidNumber cn = homeDirectory loginShell gecos description objectClass shadowLastChange = shadowMax shadowExpire loginClass conn=3D1008 op=3D3 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixGroup)(gidNumber=3D3000))" conn=3D1008 op=3D3 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber conn=3D1008 op=3D3 SRCH base=3D"ou=3Dgroup,dc=3Dmydomain,dc=3Dorg" = scope=3D1 deref=3D0 = filter=3D"(&(objectClass=3DposixGroup)(gidNumber=3D3000))" conn=3D1008 op=3D3 SRCH attr=3Dcn userPassword memberUid uniqueMember = gidNumber -- It never tried to get the group list from LDAP server, hence it's impossible to know user1's supplementary groups. The client settings on RELENG_7 & RELENG_8 are fully consistent, so I don't think it's the problem of my config files. Since my 4 machines use the same version of nss_ldap, to downgrade nss_ldap's version for testing is meaningless. Should this problem is a base system's bug?