https://www.redhat.com/archives/freeipa-users/2016-January/msg00242.html
>>>> This is an old thread, but I can confirm that this is still an issue on >>>> RHEL 7.2 + 4.2. This creates problems when there are roles associated >>>> with groups, but group membership through GID is broken. I had migrated >>>> all old NIS accounts into ipa. I then added the host enrollment role to >>>> a particular group. Now, unless I add the users to the group explicitly, >>>> they won't get the role, even if their gid is the same as the gid of the >>>> group. >>> >>> The user GIDNumber just sets the default group for POSIX. If you do >>> groups on the user I'll bet it shows correctly. >>> >>> For the purposes of IPA access control, as you've seen, the user must >>> have a memberOf for a given group, either directly or indirectly. >>> >>> rob >>> >> >> Exactly, but the question is, shouldn't IPA add this membership automatically? >> (Of course, only in case IPA has group with this GID.) > > IMHO we should. Currently, the user effectively has different group membership > on POSIX systems and non-POSIX systems which read only member attribute. I > think that this is surprising and inconsistent. Seems like next step is to open the RFE. I wouldn't characterize it as POSIX vs non-POSIX as that could confuse things. It is just that if the user doesn't have a UPG then they probably don't have a memberOf for their GID group.
Devel meeting result:
print warning in ipa user-show that gidnumber doesn't match any group the user is member of, do it only if members are requested (future 4.4 optimization)
Metadata Update from @pspacek: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Login to comment on this ticket.