LDAP groups not applying to filesystem permissions

Posted by BeepDog on Server Fault See other posts from Server Fault or by BeepDog
Published on 2013-10-22T15:32:02Z Indexed on 2013/10/22 15:56 UTC
Read the original article Hit count: 245

Filed under:
|

System is ArchLinux, and I'm using nss-pam-ldapd (0.8.13-4) to connect myself to ldap.

I've got my users and some groups in LDAP:

[root@kain tmp]# getent group
<localgroups snipped>
dkowis:*:10000:
mp3s:*:15000:rkowis,dkowis
music:*:15002:rkowis,dkowis
video:*:15003:transmission,rkowis,dkowis,sickbeard
software:*:15004:rkowis,dkowis
pictures:*:15005:rkowis,dkowis
budget:*:15006:rkowis,dkowis
rkowis:*:10001:

And I have some directories that are setgid video so that the video group stays, and they're configured g=rwx so that members of the video group can write to them:

[root@kain video]# ls -ld /srv/video
drwxrwxr-x 8 root video 208 Oct 19 20:49 /srv/video

However, members of that group, say dkowis cannot write into that directory:

[root@kain video]# groups dkowis
mp3s music video software pictures dkowis

Total number of groups that dkowis is in is like 7, I redacted a few here.

[dkowis@kain wat]$ cd /srv/video
[dkowis@kain video]$ touch something
touch: cannot touch 'something': Permission denied

[dkowis@kain video]$ groups
dkowis mp3s music video software pictures

I'm at a loss as to why my groups show up in getent groups, but my filesystem permissions are not being respected. I've tried making a new directory in /tmp and setting it's group permissions to rwx, and then trying to write a file in there, it doesn't work. The only time it does work is if I open it wide up allowing o=rwx. That's obviously not what I want, and I'm not able to figure out what my missing piece is.

Thanks in advance.

© Server Fault or respective owner

Related posts about ldap

Related posts about pam