This is part 4 of an 8-part post covering the process used to trace down and correct a problem with semanage login record group matching. If you have not already read the previous parts, you may want to start at the beginning.

Narrowing the scope

Armed with a test user experiencing the problem, I started trying to identify why this one group was not working.

At this point I should mention, the real group at $WORK (the one this post is aliasing as 'ft-financial-accounting') was the first group used for mapping to have a name longer than 10 characters or contain multiple hyphens.

So, I started looking at the differences in group name length and characters, thinking there may be a parsing error somewhere in the stack. In my first attempt at isolating this as the issue, I created 'fin' (without dashes) and just put my test user in that. Since that worked, I then tried 'ftfinancialaccounting' (which worked) and 'ft-financial-accounting-0' (which also worked). This effectively eliminated a group name parsing issue. The only appreciable difference remaining was something based on the uids or number of uids inside the ft-financial-accounting group.

Since all of the uids were standard $WORK accounts already seemingly functioning everywhere, the number of uids inside a group seemed a more likely culprit. I stripped 'ft-financial-accounting' down to just my test user and everything worked. Adding all of the members back in returned it to broken, but when I cut the number of uids in half, it returned to working.

Still, either it was an issue with the number of uids, or I happened to get lucky and remove the half of the uids which contained a problem entry. A quick swap of the active half user set quickly indicated it was a size issue and not just a bad uid. There still could have been a uid interaction problem with some uid from the first set and some from the second set, but that seemed far less likely.

I began a quick binary search trying to isolate the hypothesized breaking point for the number of members. Upon finding out that when 'ft-financial-accounting' had 67 members it worked, and when it had 68 members the mapping failed, I confirmed it was not a uid conflict issue by exchanging some "working" and "broken" uids. The source of the problem had been successfully narrowed to the number of members in the group.
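The narrowing procedure above, sketched as an added example (not code from the original post): bisect the member count to find the breaking point, then repeat the boundary test with a different set of uids to tell a size limit from a single bad entry. The `works` oracle is an assumption standing in for "set the group membership, log in as the test user, check the mapping", and the user names and the two simulated oracles are constructed.

```python
from typing import Callable, Sequence

# Oracle: returns True when the test user's login mapping works for the given
# group membership. On a real host this would rewrite the group and test a login.
Oracle = Callable[[Sequence[str]], bool]

def find_threshold(test_user: str, others: Sequence[str], works: Oracle) -> int:
    """Largest group size (test user included) at which the mapping still works."""
    if not works([test_user]):
        raise ValueError("mapping fails even with the test user alone")
    if works([test_user, *others]):
        raise ValueError("mapping works with the full group; nothing to bisect")
    lo, hi = 0, len(others)  # extra members: lo is known good, hi is known bad
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if works([test_user, *others[:mid]]):
            lo = mid
        else:
            hi = mid
    return lo + 1

def depends_only_on_size(test_user: str, others: Sequence[str],
                         works: Oracle, threshold: int) -> bool:
    """Control: repeat the boundary test with a different set of uids."""
    extra = threshold - 1
    for start in {0, len(others) - extra - 1}:
        good = [test_user, *others[start:start + extra]]
        bad = [test_user, *others[start:start + extra + 1]]
        if not works(good) or works(bad):
            return False  # result changed with the uids: suspect a member
    return True

# Constructed sample data: 120 hypothetical uids and two simulated failure modes.
TEST_USER = "testuser"
OTHERS = [f"user{i:03d}" for i in range(1, 121)]
size_limited = lambda members: len(members) <= 67    # the behaviour found above
bad_member = lambda members: "user080" not in members  # the ruled-out alternative

if __name__ == "__main__":
    for name, oracle in (("size_limited", size_limited), ("bad_member", bad_member)):
        t = find_threshold(TEST_USER, OTHERS, oracle)
        print(name, t, depends_only_on_size(TEST_USER, OTHERS, oracle, t))
```

With the size-limited oracle the search lands on 67 and the control passes; with the bad-member oracle the search still reports a boundary, but the control fails, which is why the uid exchange matters.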

Next up, part 5: Isolating the cause.