The Geek Diary

CONCEPTS | BASICS | HOWTO

CentOS/RHEL: “id” command doesn’t list the Group Name against GID for LDAP Users

By

The Problem

While running “id” command against LDAP users, it only displays the gid for some secondary group and the group name is not being printed:

# id user1
uid=48254(user1) gid=100(users) groups=100(users),5002(group1),5001(group2),41257(group3),856(group4),56971

And, the below error was logged in /var/log/sssd/sssd_nss.log :

(Tue Mar 14 05:40:09 2020) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!

The Solution

The new group was added with same GID as the one of the existing one.

# id user1
uid=48254(user1) gid=100(users) groups=100(users),5002(group1),5001(group2),41257(group3),856(group4),56971(group6)

# getent group group5
group5:*:56971:

# id user1
uid=48254(user1) gid=100(users) groups=100(users),5002(group1),5001(group2),41257(group3),856(group4)

The same ID is mapped to 2 groups, group5 and group6. So when we do id once we get a correct result for the user (all the users groups are shown). Then we run getent group for the other group:

# getent group group5

But after that, it seems the group is dropped from the id results.

SSSD has a hard restriction in the SysDB that only one group can exist with a particular ID. When a group is renamed on the server, it becomes an order-of-operations issue whether or not we handle it correctly. We don’t support multiple entries with the same GID and that doing so will result in unexpected behavior.

So the below error was logged in /var/log/sssd/sssd_nss.log :

(Tue Mar 14 05:40:09 2020) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0010): getgrgid call returned more than one result !?!

Thus, once you correct the entry in LDAP server, the sssd should be able to pick it up again correctly. If it doesn’t then wait for 300 secs as the default time for that cache to flush itself is 300 seconds (i.e. five minutes). Also you can use below command to flush sssd cache with suitable options as per the requirement:

The -E flag can be used to invalidate all cached entries. Exception is sudo rules.

# sss_cache -E

You can also invalidate a specific user only from the cache with the -u flag, followed by the username.

# sss_cache -u user1

Also, you can delete the sss_cache file from within the /var/lib/sss/db/ directory.

# service sssd stop
# rm -rf /var/lib/sss/db/*
# service sssd start

You May Also Like