CentOS/RHEL: “id” command doesn’t list the Group Name against GID for LDAP Users

by admin

The Problem

When running the “id” command against LDAP users, one of the secondary groups is shown only by its GID; the group name is not printed:

# id user1
uid=48254(user1) gid=100(users) groups=100(users),5002(group1),5001(group2),41257(group3),856(group4),56971

And the following error was logged in /var/log/sssd/sssd_nss.log:

(Tue Mar 14 05:40:09 2020) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!

The Solution

The cause: a new group had been added in LDAP with the same GID as an existing group. The sequence below reproduces the behavior:

# id user1
uid=48254(user1) gid=100(users) groups=100(users),5002(group1),5001(group2),41257(group3),856(group4),56971(group6)

# getent group group5
group5:*:56971:

# id user1
uid=48254(user1) gid=100(users) groups=100(users),5002(group1),5001(group2),41257(group3),856(group4)

The same GID is mapped to two groups, group5 and group6. When we run id the first time we get a correct result for the user (all of the user's groups are shown). Then we run getent group for the other group:

# getent group group5

After that, the group is dropped from the id output.

SSSD has a hard restriction in its SysDB (the local cache database) that only one group can exist with a particular GID. When a group is renamed on the server, whether SSSD handles it correctly becomes an order-of-operations issue. Multiple entries with the same GID are not supported, and having them results in unexpected behavior such as this.

This is why the error below was logged in /var/log/sssd/sssd_nss.log:

(Tue Mar 14 05:40:09 2020) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!

Thus, once you correct the entry on the LDAP server, SSSD should pick it up again correctly. If it does not, wait 300 secs, since the default time for that cache entry to expire is 300 seconds (i.e. five minutes). You can also flush the SSSD cache with the sss_cache command, using whichever options fit the situation:

The -E flag invalidates all cached entries; the exception is sudo rules.

# sss_cache -E

You can also invalidate only a specific user in the cache with the -u flag, followed by the username.

# sss_cache -u user1

Alternatively, you can stop SSSD and delete the cache database files from the /var/lib/sss/db/ directory. Note that this also removes any cached credentials used for offline logins, so users must authenticate against the server once before offline login works again.

# service sssd stop
# rm -rf /var/lib/sss/db/*
# service sssd start
