When logging in, a user may see the following error:
[root@linux1 etc]# su user2
/usr/bin/id: cannot find name for group ID 307876910
[user2@linux1 etc]$
ls -l may also fail to resolve the user's GID when run against a directory or file owned by the user:
[user2@linux1 etc]$ ls -l /home
drwx------. 5 user2 307876910 169 Nov 4 16:29 user2
[user2@linux1 etc]$
The user's Primary GID (PGID) is set to their UID, and this PGID is a virtual group.
In the SAS Control Center under Preferences > Global Unix Options there is a setting called “Set Primary GID To UID” which, when enabled, creates a virtual primary group (VPG). This VPG has the same name as the user, and its GID is the same as the user's UID. Because it is a virtual group and does not exist in Active Directory or in /etc/group, it is unresolvable.
Virtual Primary Groups may also be enabled by adding the following setting to vas.conf:
[nss_vas]
virtual-primary-groups = true
If vas.conf is configured with
virtual-primary-groups = true
then every user will be assigned a primary group based on their own name, regardless of whether they already have a primary group associated with a real group. This may not be desirable, so the following setting can be configured to allow users with real primary groups to keep them:
virtual-primary-groups-set-gid = false
The commands to run are:
# /opt/quest/bin/vastool configure vas nss_vas virtual-primary-groups true
# /opt/quest/bin/vastool configure vas nss_vas virtual-primary-groups-set-gid false
# /opt/quest/bin/vastool flush
To unconfigure these settings, run:
# /opt/quest/bin/vastool configure vas nss_vas virtual-primary-groups
# /opt/quest/bin/vastool configure vas nss_vas virtual-primary-groups-set-gid
# /opt/quest/bin/vastool flush
Here are the man page extracts for the two settings.
virtual-primary-groups =
Default value: false
Many Unix administrators are accustomed to deploying users and groups following a "Group of One" model, where every user has a corresponding group with no members that shares the same ID and name. Each user's primary GID is set to its UID, and the primary group has that same value for its GID. This allows a more secure environment for users where no one shares the same primary group. For large scale Active Directory deployments, creating one empty security group for each user can be prohibitive and difficult to manage. QAS provides the ability to create virtual Primary Groups for each user in the domain by using the virtual-primary-groups option. When this option is set to true, the getgr* functions will return groups for every QAS user. Also, each user's primary GID will be set to match their UID. For example, if the jdoe user has a UID of 1300, then a getgrgid() call for 1300 will return back a group named jdoe with a gid of 1300 with an empty membership list.
The following example shows how to turn on Virtual Primary Groups.
[nss_vas]
virtual-primary-groups = true
virtual-primary-groups-set-gid =
Default value: true
By default, when virtual-primary-groups is enabled, the user's GID is set to their UID. If that is not desired then set this option to false. This could be used when most users need the VPG, but a few require a specific GID. The virtual group is still created. The other users should have their GID set to their UID in AD or through override.
The following example shows how to retain the user's original or overwritten GID.
[nss_vas]
virtual-primary-groups-set-gid = false
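The following script is an added example, not part of the original article or of One Identity's tooling. It reads the two [nss_vas] settings described above from a vas.conf-style file, applying the defaults given in the man page extracts, and lists users whose primary GID has no matching group entry in saved getent passwd and getent group output. The function names, the sample data and the assumption that vas.conf uses "key = value" lines under bracketed section headers are illustrative.

```shell
#!/bin/sh
# vas_setting FILE KEY DEFAULT: value of KEY in the [nss_vas] section of a
# vas.conf-style file (assumed layout), or DEFAULT when the key is absent.
vas_setting() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[nss_vas\]/); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v          # last occurrence wins
        }
        END { print (val != "" ? val : def) }
    ' "$1"
}

# unresolved_pgids PASSWD GROUP: print "user:gid" for every passwd entry whose
# primary GID (field 4) matches no GID (field 3) in the group listing.
unresolved_pgids() {
    awk -F: '
        FILENAME == ARGV[1] { known[$3] = 1; next }   # group file is read first
        !($4 in known)      { print $1 ":" $4 }
    ' "$2" "$1"
}

# report CONF PASSWD GROUP: effective settings (defaults from the man page
# extracts: virtual-primary-groups=false, set-gid=true) plus unresolved users.
report() {
    echo "virtual-primary-groups=$(vas_setting "$1" virtual-primary-groups false)"
    echo "virtual-primary-groups-set-gid=$(vas_setting "$1" virtual-primary-groups-set-gid true)"
    unresolved_pgids "$2" "$3" | sed 's/^/unresolved primary GID: /'
}

# demo: run the report over constructed sample data (not from a real host).
demo() {
    d=$(mktemp -d)
    printf '[nss_vas]\n virtual-primary-groups = true\n' > "$d/vas.conf"
    printf 'root:x:0:0::/root:/bin/sh\nuser2:x:307876910:307876910::/home/user2:/bin/sh\n' > "$d/passwd"
    printf 'root:x:0:\nusers:x:100:\n' > "$d/group"
    report "$d/vas.conf" "$d/passwd" "$d/group"; rm -rf "$d"
}

# Live use: getent passwd > p.txt; getent group > g.txt
#           sh this-script /path/to/vas.conf p.txt g.txt
if [ "$#" -eq 3 ]; then report "$@"; else demo; fi
```

On a live host, confirm each reported GID with getent group <gid>, which performs the same lookup that id and ls -l failed on.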