sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

AIX: problem with local groups and LDAP users in /etc/sudoers #192

Closed aklyachkin closed 1 year ago

aklyachkin commented 2 years ago

If a user comes from LDAP, but belongs to a local group (domainlessgroups=yes in /etc/secvars.cfg), sudo doesn't find the local group.

See https://community.ibm.com/community/user/power/discussion/sudo-users-from-ldap-with-local-groups?ReturnUrl=%2fcommunity%2fuser%2fpower%2fcommunities%2fcommunity-home%2fdigestviewer%3fcommunitykey%3d10c1d831-47ee-4d92-a138-b03f7896f7c9

millert commented 2 years ago

Based on https://www.ibm.com/docs/en/aix/7.2?topic=s-setauthdb-setauthdb-r-subroutine, I would expect local groups to be found even when the authdb is set to LDAP if domainlessgroups=yes. What is the value of SYSTEM in your /etc/security/user file?

millert commented 2 years ago

Also, in your test program can you try using IDtogroup() to convert the group ID to a group name and if that succeeds, try to look it up with getgrnam()?

aklyachkin commented 2 years ago

Hello Todd,

thank you for your suggestion. This is the new code of my test:

```c
#include <usersec.h>
#include <errno.h>
#include <stdio.h>
#include <grp.h>

/* One group that lives in LDAP and one that lives only in the local /etc/group. */
#define LDAPGRP 40032
#define LOCALGRP 600

/* Resolve a GID with the standard getgrgid(). */
void test_getgrgid(gid_t gid) {
  struct group *gr;

  gr = getgrgid(gid);
  if (gr == NULL) {
    printf("getgrgid() failed to find the group\n");
  } else {
    printf("getgrid(): Group name = %s, GID = %d\n", gr->gr_name, (int)gr->gr_gid);
  }
}

/* Map the GID to a name with the AIX IDtogroup(), then resolve that name with getgrnam(). */
void test_id2grp(gid_t gid) {
  char *gname;
  struct group *gr;

  gname = IDtogroup(gid);
  if (gname == NULL) {
    printf("IDtogroup() failed to find the group\n");
  } else {
    gr = getgrnam(gname);
    if (gr == NULL) {
      printf("IDtogroup() succeeds, but not getgrnam(). Group name = %s\n", gname);
    } else {
      printf("IDtogroup()&getgrnam(): Group name = %s, GID = %d\n", gr->gr_name, (int)gr->gr_gid);
    }
  }
}

int main(void) {
  int rc;

  /* First pass: lookups against the default registry, no explicit authentication database. */
  printf("Trying to find groups without setauthdb()\n");
  printf("Searching for LDAP group with GID %d\n", LDAPGRP);
  test_getgrgid(LDAPGRP);
  test_id2grp(LDAPGRP);
  printf("Searching for local group with GID %d\n", LOCALGRP);
  test_getgrgid(LOCALGRP);
  test_id2grp(LOCALGRP);

  /* Second pass: same lookups after switching the authentication database to LDAP. */
  printf("Trying to find groups with setauthdb()\n");
  rc = setauthdb("LDAP", NULL);
  if (rc != 0) {
    printf("setauthdb RC = %d\n", rc);
    return 1;
  }
  printf("Searching for LDAP group with GID %d\n", LDAPGRP);
  test_getgrgid(LDAPGRP);
  test_id2grp(LDAPGRP);
  printf("Searching for local group with GID %d\n", LOCALGRP);
  test_getgrgid(LOCALGRP);
  test_id2grp(LOCALGRP);
  return 0;
}
```

Here is the output of the test:

```
Trying to find groups without setauthdb()
Searching for LDAP group with GID 40032
getgrid(): Group name = DB2LUWADM_T, GID = 40032
IDtogroup()&getgrnam(): Group name = DB2LUWADM_T, GID = 40032
Searching for local group with GID 600
getgrid(): Group name = dbexpert, GID = 600
IDtogroup()&getgrnam(): Group name = dbexpert, GID = 600
Trying to find groups with setauthdb()
Searching for LDAP group with GID 40032
getgrid(): Group name = DB2LUWADM_T, GID = 40032
IDtogroup()&getgrnam(): Group name = DB2LUWADM_T, GID = 40032
Searching for local group with GID 600
getgrgid() failed to find the group
IDtogroup() succeeds, but not getgrnam(). Group name = dbexpert
```

Looks like IDtogroup() works better in this case, but not getgrnam()/getgrgid().

The default registry is LDAP and SYSTEM is "LDAP OR KRB5files" on the system.

millert commented 2 years ago

Would you mind testing whether getgroupattr() is able to find the group?

aklyachkin commented 2 years ago

Todd,

I added a test for getgroupattr(), but it fails the same way as getgrnam() - with ENOENT.

millert commented 2 years ago

Thanks for trying. The AIX documentation says that if setauthdb() is used to set the domain to LDAP or files and the domainlessgroups attribute is set to true in /etc/secvars.cfg, then group lookups should be performed on both LDAP and files. That's clearly not happening, though, which makes me think this is an AIX bug.

aklyachkin commented 2 years ago

Thank you Todd. I opened a case at IBM, let's see what they say.

aklyachkin commented 1 year ago

Short summary:

Thank you for your help!