[slurm-users] Secondary Unix group id of users not being issued in interactive srun command
Loris Bennett
loris.bennett at fu-berlin.de
Tue Sep 21 08:12:49 UTC 2021
Ole Holm Nielsen <Ole.H.Nielsen at fysik.dtu.dk> writes:
> On 9/21/21 9:11 AM, Amjad Syed wrote:
>> We have users who have have defined unix secondary id on our login nodes.
>>
>> vas20xhu at login01 ~]$ groups
>>
>> BIO_pg BIO_AFMAKAY_LAB_USERS
>>
>> But when we run interactive and go to compute node , the user does not have
>> secondary group of BIO_AFMAKAY_LAB_USERS
>>
>> vas20xhu at c0077 ~]$ groups
>>
>> BIO_pg
>
> I believe that Slurm creates users in the database using the primary UNIX group
> name. Slurm would not know about any secondary UNIX groups.
>
> There must be a uniform user and group name space (including UIDs and GIDs)
> across the cluster. It is your own responsibility to configure users and groups
> in the passwd and group databases consistently, see
> https://slurm.schedmd.com/quickstart_admin.html (search for GIDs).
>
> FWIW, I have some information about creation of users and groups in this Wiki
> page:
> https://wiki.fysik.dtu.dk/niflheim/Slurm_accounting#create-accounts-and-users
I would have thought that this maybe does not have anything to do with
Slurm.
Assuming you are using SSSD, it looks to me more like the settings in
sssd.conf on the nodes might be incorrect. In our sssd.conf I found the
following note to myself:
# LB: rfc2307bis should not be used if memberUid is used for group membership
# otherwise secondary groups fail
# ldap_schema = rfc2307bis
What schema you need depends on how your group information is stored.
rfc2307 assumes the groups just have a memberUID, whereas with rfc2307bis
the users also have a memberOf attribute.
I don't understand LDAP well enough to understand why rfc2307bis causes
the secondary group resolution to fail, even though the groups still
have the information via memberUID, but my experience was that it does
indeed fail.
Cheers,
Loris
--
Dr. Loris Bennett (Hr./Mr.)
ZEDAT, Freie Universität Berlin Email loris.bennett at fu-berlin.de
More information about the slurm-users
mailing list