
System is ArchLinux, and I'm using nss-pam-ldapd (0.8.13-4) to connect myself to ldap.

Relevant configuration files:

I've got my users and some groups in LDAP:

[root@kain tmp]# getent group
<localgroups snipped>
dkowis:*:10000:
mp3s:*:15000:rkowis,dkowis
music:*:15002:rkowis,dkowis
video:*:15003:transmission,rkowis,dkowis,sickbeard
software:*:15004:rkowis,dkowis
pictures:*:15005:rkowis,dkowis
budget:*:15006:rkowis,dkowis
rkowis:*:10001:

And I have some directories that are setgid video so that the video group stays, and they're configured g=rwx so that members of the video group can write to them:

[root@kain video]# ls -ld /srv/video
drwxrwxr-x 8 root video 208 Oct 19 20:49 /srv/video

However, members of that group, say dkowis, cannot write into that directory:

[root@kain video]# groups dkowis
mp3s music video software pictures dkowis

Total number of groups that dkowis is in is like 7, I redacted a few here.

[dkowis@kain wat]$ cd /srv/video
[dkowis@kain video]$ touch something
touch: cannot touch 'something': Permission denied

[dkowis@kain video]$ groups
dkowis mp3s music video software pictures

I'm at a loss as to why my groups show up in getent group, but my filesystem permissions are not being respected. I've tried making a new directory in /tmp, setting its group permissions to rwx, and then trying to write a file in there; it doesn't work. The only time it does work is if I open it wide up, allowing o=rwx. That's obviously not what I want, and I'm not able to figure out what my missing piece is.

Thanks in advance.

EDIT: stopping nscd had no effect either. It doesn't appear to be a caching problem.

EDIT: a bit of experimenting:

Locally defined groups work just fine; this seems to only affect LDAP groups. Added to /etc/group:

test:x:15007:dkowis
mkdir /tmp/wat
chgrp test /tmp/wat
chmod g+rws /tmp/wat
su - dkowis
cd /tmp/wat
touch something
[dkowis@kain wat]$ ls -la
total 0
drwxrwsr-x 2 root   test  60 Oct 22 11:26 .
drwxrwxrwt 8 root   root 160 Oct 22 11:26 ..
-rw-r--r-- 1 dkowis test   0 Oct 22 11:26 something

1 Answer


You're running into a namespace collision.

By default, /etc/nsswitch.conf is configured to look first at files, then at external sources:

group: files ldap

This means that the video group from /etc/group will match before the video group in ldap. This can be seen by running getent group video.

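An added check (not from the original question or answer) that makes the collision the answer describes visible: it compares group entries from the files source with those from LDAP and prints every name defined in both, with the GID each side assigns. The two input files, including the local GID 986 for video, are constructed sample data; on a real host they would come from getent -s files group and getent -s ldap group.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. With "group: files ldap" in
# nsswitch.conf, a name present in both databases resolves to the local entry,
# so a directory owned by the LDAP GID is never matched by that name.

find_group_collisions() {
    # $1: group lines from the files source, $2: group lines from LDAP.
    # Prints "name local_gid ldap_gid" for each name defined in both.
    awk -F: '
        NR == FNR { local_gid[$1] = $3; next }           # first file: local groups
        ($1 in local_gid) { print $1, local_gid[$1], $3 }  # second file: LDAP groups
    ' "$1" "$2"
}

# Constructed sample inputs so the check runs offline (GID 986 is made up).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/local.txt" <<'EOF'
root:x:0:
video:x:986:
audio:x:995:
EOF
cat > "$tmpdir/ldap.txt" <<'EOF'
dkowis:*:10000:
video:*:15003:transmission,rkowis,dkowis,sickbeard
music:*:15002:rkowis,dkowis
EOF

find_group_collisions "$tmpdir/local.txt" "$tmpdir/ldap.txt"
```

Any line printed is a group whose LDAP GID on disk will not be matched by name lookups while the local entry exists.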
  • In my case, when I was using chmod it was using the group with the lowest id, which wasn't matching the groupid in ldap – Pykler Mar 02 '15 at 19:32