| Summary: | Getent ignores netgroups in /etc/passwd with passwd_compat sss | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Andreas N. <fo_ko> |
| Component: | glibc | Assignee: | DJ Delorie <dj> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | qe-baseos-tools-bugs |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.1 | CC: | ashankar, codonell, fo_ko, fweimer, grajaiya, jhrozek, jon.lickey, lslebodn, mkosek, mnewsome, mzidek, pbrezina, pfrankli, vmukhame |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | Flags: | dj: needinfo? (fo_ko) |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-09-02 17:27:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Andreas N.
2016-01-25 15:39:37 UTC
I admit I haven't really used the compat mode myself, but:
1) Can you enumerate the users in the netgroup?
2) did you enable enumerate=true in sssd.conf?
3) can you request individual users?

(In reply to Jakub Hrozek from comment #2)
> I admit I haven't really used the compat mode myself, but:
> 1) Can you enumerate the users in the netgroup?
> 2) did you enable enumerate=true in sssd.conf?
> 3) can you request individual users?

Hello Jakub,

1) If I give "getent netgroup [netgroup name]" it works as it should. It lists me the netgroup elements.
2) If you enable the enumerate in sssd.conf then you get a list with all the ldap users. That is why I wanted to do the enumeration with compat and passwd, in order to avoid the listing of all users in the ldap directory and just decide which netgroup users I want to get listed. Before the sssd times it used to be done like this.
3) Individual users can be requested. Like I said, if you write in passwd +username and do a "getent passwd" it works without problem. The problem is only with groups.

If the lookups work, then I think it's out of the hands of sssd and into the realm of libc..

On the glibc side, we need more verbose instructions how to configure a system so that it reproduces this issue. Thanks.

In my testing, I've found that I can reproduce this problem if I populate the netgroups like this:

    nisNetgroupTriple: (testuser23000.example.com,,)

but if I instead populate the netgroups like this, it works correctly:

    nisNetgroupTriple: (,testuser23456,)

Could you please check your ldap database and see how the nisNetgroupTriples are formatted?

We have not received the requested information in comment 7.

We are having the same issue, and our netgroup users are set up as suggested.

    nisNetgroupTriple: (,testuser23456,)

What I have discovered is that if we modify the entry in /etc/nsswitch.conf from:

    passwd: compat
    passwd_compat: sss

to:

    passwd: files sss

all accounts listed setup in ldap show up when running "getent passwd". But I would like to limit this based on netgroups instead, so I put the compat portion back and verified that we do have +@netgroup at the bottom of /etc/passwd.

The Platform Tools glibc team is unable to reproduce this issue given the current information. We suggest that you work with Red Hat Support to arrive at a reproducer that the glibc team can use to help resolve the issue or suggest a workaround.
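
An added example, not from the bug thread and not glibc or SSSD code: a Python check that reads the `+@netgroup` lines of a passwd file and an LDIF export, then lists per netgroup the names found in the user field and the triples that carry none, which are the two triple forms compared in the thread. The netgroup name `admins`, the DN and the sample passwd/LDIF text are constructed for illustration.

```python
import re

TRIPLE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")

def parse_triple(value):
    """Split a nisNetgroupTriple value into (host, user, domain)."""
    m = TRIPLE.match(value.strip())
    if not m:
        raise ValueError(f"malformed triple: {value!r}")
    return tuple(field.strip() for field in m.groups())

def netgroups_from_ldif(ldif):
    """Map each entry's cn to its parsed triples (unwrapped LDIF, plain values)."""
    groups = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        cn, triples = None, []
        for line in entry.splitlines():
            key, _, val = line.partition(": ")
            if key == "cn":
                cn = val.strip()
            elif key == "nisNetgroupTriple":
                triples.append(parse_triple(val))
        if cn:
            groups[cn] = triples
    return groups

def compat_netgroups(passwd):
    """Netgroup names pulled in by '+@name' compat lines in a passwd file."""
    return [l.split(":")[0][2:] for l in passwd.splitlines() if l.startswith("+@")]

def audit(passwd, ldif):
    """Per +@netgroup: names in the user field, and triples without one."""
    groups = netgroups_from_ldif(ldif)
    report = {}
    for name in compat_netgroups(passwd):
        triples = groups.get(name, [])
        report[name] = {
            "users": [u for _, u, _ in triples if u],
            "no_user_field": [t for t in triples if not t[1]],
        }
    return report

# Constructed sample data; the two triple forms are the ones quoted in the thread.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n+@admins\n"
SAMPLE_LDIF = """dn: cn=admins,ou=netgroup,dc=example,dc=com
cn: admins
nisNetgroupTriple: (,testuser23456,)
nisNetgroupTriple: (testuser23000.example.com,,)
"""

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_LDIF))
```

Nested netgroups (`memberNisNetgroup`) are not followed; the check only looks at triples stored directly on each entry.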