Linux file ACL and secondary groups


The Problem:
CentOS does not seem to look at secondary groups when using ACLs on a folder or file.

Scenario: CentOS 6 basic install, uses LDAP accounts to authenticate users. I am trying to setup fairly complex permissions on some folders. I have ensured that the file system is mounted with ACL support and determined that LDAP users are able to log in correctly.

Steps to Reproduce:
As a test I have a simple folder structure. The folder test1 is owned by root and has 770 permissions. I have added another group to that folder with setfacl -m g:testgroup:rwx test1/. The getfacl output for the folder looks like this:

getfacl: Removing leading '/' from absolute path names
# file: share/test1/
# owner: root
# group: root

The user andrew belongs to the domain group and testgroup, as shown by groups andrew. The group domain is the user's primary group. If the user andrew tries to read anything located in test1, a permission denied error is shown. If, however, the user's primary group is changed to testgroup, the user can then interact with the contents of the folder.

Can anybody tell me what is going on here and if there is a way to get the expected behaviour?

EDIT: This appears to be a problem related to LDAP. I just tested using local user accounts and everything works as expected.

Best Answer

As you say, this problem is related to the use of LDAP for user information. Your CentOS 6 machine is configured in a way that is incompatible with the LDAP server, so that when it tries to get the list of supplementary groups the user belongs to, it doesn't find anything.

Unfortunately there are several standards for how to interpret LDAP attributes relating to POSIX groups: rfc2307, rfc2307bis, IPA.

CentOS 6 uses SSSD for managing interworking with remote directories and authentication databases. The default setting for SSSD is to use rfc2307.

You will probably find your LDAP server is using rfc2307bis. We have a CentOS 5 directory server; it was configured by default for rfc2307bis. As a further complication, our C5 directory was using the attribute 'uniqueMember' instead of 'member' for group members.

To fix it, edit /etc/sssd/sssd.conf and add the following lines:

ldap_schema = rfc2307bis
ldap_group_member = uniqueMember

You might also like to refer to the following:
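As an added example that is not part of the original question or answer, the shell script below walks through the POSIX.1e ACL access check the way the kernel applies it: owner, named user, then every group the process is in (primary and supplementary, each limited by the mask entry), then other. Feeding it the same user once without and once with the supplementary group list shows exactly the symptom from the question: when the directory lookup returns no supplementary groups, the group:testgroup:rwx entry is never compared. A small helper also reads ldap_schema and ldap_group_member from an sssd.conf excerpt, reporting the SSSD default of rfc2307 when the key is unset. The getfacl entries, the group lists and the sssd.conf excerpt are all constructed for the example; nothing is read from the live system.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Evaluates whether a user may access a path under a POSIX.1e ACL the way the
# kernel does, using the user's full group list (primary + supplementary).
# All inputs are constructed for the example; nothing is read from the system.

# Constructed getfacl output for the test1 folder in the question, including
# the access entries that follow the "# group:" header.
ACL_TEXT='# file: share/test1/
# owner: root
# group: root
user::rwx
group::rwx
group:testgroup:rwx
mask::rwx
other::---'

# acl_entry TAG NAME: print the permission field of the entry "TAG:NAME:perms"
# (NAME is empty for user::, group::, mask:: and other::).
acl_entry() {
  printf '%s\n' "$ACL_TEXT" | sed -n "s/^$1:$2:\(.*\)$/\1/p" | head -n 1
}

# has_bits GRANTED WANT: succeed if every character of WANT is in GRANTED.
has_bits() {
  hb_granted=$1; hb_want=$2
  while [ -n "$hb_want" ]; do
    hb_c=${hb_want%"${hb_want#?}"}     # first character of the remaining string
    hb_want=${hb_want#?}
    case $hb_granted in *"$hb_c"*) ;; *) return 1 ;; esac
  done
  return 0
}

# apply_mask PERMS MASK: print PERMS limited to the bits present in MASK
# (named-user, owning-group and named-group entries are all subject to mask::).
apply_mask() {
  am_out=
  for am_c in r w x; do
    case $1 in *"$am_c"*) case $2 in *"$am_c"*) am_out="$am_out$am_c" ;; esac ;; esac
  done
  printf '%s' "$am_out"
}

# acl_access USER PRIMARY_GROUP "SUPPLEMENTARY GROUPS" WANT
# WANT is a permission string such as "r" or "rwx". Prints "allow" or "deny".
acl_access() {
  user=$1; primary=$2; supp=$3; want=$4
  owner=$(printf '%s\n' "$ACL_TEXT" | sed -n 's/^# owner: //p')
  owngrp=$(printf '%s\n' "$ACL_TEXT" | sed -n 's/^# group: //p')
  mask=$(acl_entry mask ""); [ -n "$mask" ] || mask=rwx

  # 1. file owner: user:: applies, not subject to the mask.
  if [ "$user" = "$owner" ]; then
    has_bits "$(acl_entry user "")" "$want" && echo allow || echo deny
    return
  fi
  # 2. named user entry, masked.
  p=$(acl_entry user "$user")
  if [ -n "$p" ]; then
    has_bits "$(apply_mask "$p" "$mask")" "$want" && echo allow || echo deny
    return
  fi
  # 3. owning group and named groups: every group the process is in is tried,
  #    primary and supplementary alike. If the directory lookup returns no
  #    supplementary groups, only $primary is ever compared here, which is
  #    the behaviour the question describes.
  matched=0
  for g in $primary $supp; do
    if [ "$g" = "$owngrp" ]; then p=$(acl_entry group ""); else p=$(acl_entry group "$g"); fi
    [ -n "$p" ] || continue
    matched=1
    if has_bits "$(apply_mask "$p" "$mask")" "$want"; then echo allow; return; fi
  done
  if [ "$matched" = 1 ]; then echo deny; return; fi
  # 4. other::
  has_bits "$(acl_entry other "")" "$want" && echo allow || echo deny
}

# sssd_setting CONF_TEXT KEY: print KEY's value from an sssd.conf excerpt; an
# unset ldap_schema reports the SSSD default, rfc2307, that the answer mentions.
sssd_setting() {
  ss_v=$(printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1)
  if [ -z "$ss_v" ] && [ "$2" = ldap_schema ]; then ss_v=rfc2307; fi
  printf '%s' "$ss_v"
}

# Constructed sssd.conf excerpt containing the two lines the answer adds.
SSSD_CONF='[domain/example]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember'

echo "andrew, primary domain, supplementary groups missing: $(acl_access andrew domain '' r)"
echo "andrew, primary domain, supplementary testgroup:      $(acl_access andrew domain testgroup r)"
echo "andrew, primary changed to testgroup:                 $(acl_access andrew testgroup '' r)"
echo "ldap_schema with no setting: $(sssd_setting '' ldap_schema)"
echo "ldap_schema in excerpt:      $(sssd_setting "$SSSD_CONF" ldap_schema)"
```

On a real host the same comparison is made by running id -nG for the LDAP user and checking whether the named group from getfacl appears in that list; if it does not, the fix is in the SSSD schema settings rather than in the ACL.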