Is there an easy resolution to a media group conflict between a local and an LDAP group?

Just setting up TrueNAS for the first time connected to my existing LDAP (FreeIPA). When I was setting up some pools / datasets I noticed the group media showed up twice. One I knew was from my LDAP but the other was a local user / group. After quickly searching in the shell I realized the other was a builtin local user and group. While I thought this would be annoying at first, trying to figure out which was which from the drop-down, I thought it would be a minor issue since all my LDAP groups were at the bottom of the list.

I soon realized that no matter which media group I chose for the permissions it was always being set to the local GID (8675309). There seems to be no way to change it to the GID from the LDAP except to do so by shell. I have no idea how I would actually do it on the NFS share maproot or mapall?

Other than renaming my group in LDAP (i.e. create a new one and re-add all the members / roles) I’m not sure if there is any other solution? After doing some digging (and seeing others’ conflicts / issues with this group) I know that removing it will do no good as it’ll just be restored on reboot. Same with changing the text name / group and leaving the UID and GID intact.

Beyond that I’m curious as to why it seems the UI can distinguish the groups but the backend apparently assigns ownership with name and not UID/GID? That seems like an oversight / bug.

Basically you’ve set yourself up for undefined behavior. The NSS subsystem will resolve the GIDs to the correct names, but name to GID is first-come first-serve. Since files comes before ldap in the nsswitch.conf, any time the group name is used to look up a GID it will give you the GID for the local group. That’s the way these things have worked on Unix for as long as there has been an nsswitch.conf.

TL;DR, try to give your groups useful and unique names :slight_smile:

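An added example, not from any post in this thread, that reproduces the first-match lookup the reply describes. It uses constructed group entries in place of real NSS output (the LDAP GIDs 1234567 and 1234568 and the member names are made up; 8675309 is the local GID from the question) so it runs offline.

```shell
#!/bin/sh
# Added example: simulate the nsswitch.conf "group: files ldap" lookup order.
# Constructed stand-ins for the local and LDAP group sources; the LDAP GID
# 1234567 is made up, 8675309 is the local GID mentioned in the thread.
LOCAL_GROUPS='media:x:8675309:
wheel:x:0:root
builtin_users:x:545:'

LDAP_GROUPS='media:*:1234567:alice,bob
devs:*:1234568:alice'

# Name -> GID as NSS does it: walk the sources in order, first hit wins.
# $1 = files-source lines, $2 = ldap-source lines, $3 = group name.
resolve_gid() {
    printf '%s\n%s\n' "$1" "$2" |
        awk -F: -v name="$3" '$1 == name { print $3; exit }'
}

# GID -> name: both GIDs resolve fine, which is why the UI can show two
# "media" entries while every name-based write lands on the local GID.
resolve_name() {
    printf '%s\n%s\n' "$1" "$2" |
        awk -F: -v gid="$3" '$3 == gid { print $1; exit }'
}

# List every group name present in both sources: "name local_gid ldap_gid".
group_collisions() {
    {
        printf '%s\n' "$1" | awk -F: 'NF >= 3 { print "files", $1, $3 }'
        printf '%s\n' "$2" | awk -F: 'NF >= 3 { print "ldap",  $1, $3 }'
    } | awk '
        $1 == "files" { local_gid[$2] = $3 }
        $1 == "ldap" && ($2 in local_gid) { print $2, local_gid[$2], $3 }'
}

# Stand-alone run: shows the collision and the one-way resolution.
group_collisions "$LOCAL_GROUPS" "$LDAP_GROUPS"
printf 'media -> %s\n' "$(resolve_gid "$LOCAL_GROUPS" "$LDAP_GROUPS" media)"
printf '1234567 -> %s\n' "$(resolve_name "$LOCAL_GROUPS" "$LDAP_GROUPS" 1234567)"
```

On a glibc-based host such as TrueNAS SCALE, `getent -s files group` and `getent -s ldap group` supply the real lines for the two sources.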

I used a name that wasn’t default for either BSD or any Linux distros I’ve used.

I guess both I and the person who added it as a default group in TrueNAS are equally uncreative. :person_shrugging:

Right. We recently had to course-correct on using the name admin and switched it to truenas_admin because of a conflict with the built-in IPA account (and probably many other collisions).