I have several Linux machines that use PowerBroker Open to authenticate users against AD.

I've noticed that for some users it works just fine (authentication and all), but for others it does not (authentication obviously not due to the required membership stated below, but even groups 'username' only shows one group, domain^users - even when the user is in many groups).

I've narrowed it down that auth and group listing works fine for all users who are in the group which was given in the /opt/pbis/bin/config RequireMembershipOf command.

I've further found that doing /opt/pbis/bin/enum-groups --level 1 fixes the problem until next reboot (as opposed to --level 0, the default, level 1 also shows the group memberships).

But it leaves me with a few questions I'm struggling to find an answer for:

  • How can I make this behavior persist without doing regular enum-groups commands?

  • What exactly is going on that makes this fix work, and what exactly did it fix?

This is on RHEL 6.7, pbis-open 8.2.1-2979.

  • The effect of this issue, by the way, is that whenever I add a new group to requiremembershipof, I have to run the magical --level command. I don't like magic. – Sirex Dec 13 '15 at 20:03

Sirex, if I understand properly, you encountered the same issue as here: http://community.spiceworks.com/topic/1307589-pbis-likewise-open-ubuntu-14-04-user-domain-prefix-problem-solved. I.e., PBIS lost users' groups from time to time, and only black magic [== crontab script] helps us.

Really annoying - such a serious bug and no solution for such a long time. BTW, the support forums link on http://www.powerbrokeropen.org/ doesn't work. I personally will look for another solution.

SY, Vitaly

  • Yup, that's the bug I ran into, and I put a bounty on this question. No reply - so I guess no one seems to know exactly how the magic --level 1 works! – Sirex Jan 21 '16 at 1:12
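The crontab workaround mentioned in the answer, sketched as an added example (not code from either poster or from PBIS): it runs the `enum-groups --level 1` command from the question only when a watched user's group list has collapsed to a single group, and reports users that are still collapsed afterwards. The function names, the `GROUPS_CMD` override, the script path in the cron comment and the use of `id -Gn` to observe the symptom are assumptions.

```shell
#!/bin/sh
# Added example: conditional PBIS group refresh for cron.
# Hypothetical cron entry (script path and user are placeholders):
#   @reboot root /usr/local/sbin/pbis-group-refresh.sh 'DOMAIN\someuser'

# enum-groups path is the one given in the question; overridable for dry runs.
ENUM_GROUPS="${ENUM_GROUPS:-/opt/pbis/bin/enum-groups}"
# Assumption: id -Gn shows the same collapsed list as `groups username`.
GROUPS_CMD="${GROUPS_CMD:-id -Gn}"

# Return 0 when the user resolves to at most one group (the symptom).
# An unknown user yields zero groups and is also reported as collapsed.
groups_collapsed() {
    count=$($GROUPS_CMD "$1" 2>/dev/null | wc -w | tr -d ' ')
    [ "$count" -le 1 ]
}

# Run one level-1 enumeration if any listed user is collapsed, then
# re-check. Prints users still collapsed; returns 1 if there are any.
refresh_if_collapsed() {
    need=0
    for u in "$@"; do
        if groups_collapsed "$u"; then need=1; fi
    done
    if [ "$need" -eq 0 ]; then return 0; fi

    "$ENUM_GROUPS" --level 1 >/dev/null 2>&1 ||
        echo "enum-groups failed" >&2

    rc=0
    for u in "$@"; do
        if groups_collapsed "$u"; then
            echo "$u"   # still collapsed: needs manual investigation
            rc=1
        fi
    done
    return "$rc"
}

# When invoked with user names (for example from cron), check them.
[ "$#" -eq 0 ] || refresh_if_collapsed "$@"
```

A non-zero exit with user names on stdout means the enumeration did not restore those users' groups, which is worth alerting on because logins gated by RequireMembershipOf will keep failing for them.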

