Bug 147478

Summary: nscd fails with big group in ldap
Product: Red Hat Enterprise Linux 3 Reporter: Kim Sandberg <ksan>
Component: glibcAssignee: Jakub Jelinek <jakub>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: drepper.fsp, petr.adamec, pmatilai, roland
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2005-096 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-05-18 10:00:15 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
Strace output of id command
none
Strace output of nscd -d -d -d none

Description Kim Sandberg 2005-02-08 08:26:26 EST
Description of problem:
When connecting RHEL to a ldap server that has a group with around
7000 members the nscd wont resolv the name of that group:


$ groups
id: cannot find name for group ID 1015
1015 group2 group3 group3 group4

If you turn off nscd everything works but it is slow.

With FC3 this is working without problems.

When running nscd -d -d -d the output is the following:

16273: handle_request: request received (Version = 2) from PID 18322
16273:  GETGRBYGID (1015)
16273: cannot write result: Success



Version-Release number of selected component (if applicable):
nscd-2.3.2-95.30

How reproducible:
Always

Steps to Reproduce:
1. Make a Ldap group with 7000 members.
2. add user to group and with nscd running run: id user
3. then turn off nscd and run: id user 


Additional info:
Comment 1 Jakub Jelinek 2005-02-22 04:48:08 EST
Can you please run both nscd -d -d -d and id under strace and attach that output
here?
Comment 2 Kim Sandberg 2005-02-22 09:38:49 EST
Created attachment 111296 [details]
Strace output of id command
Comment 3 Kim Sandberg 2005-02-22 09:39:51 EST
Created attachment 111297 [details]
Strace output of nscd -d -d -d
Comment 6 Jakub Jelinek 2005-02-22 15:52:50 EST
nscd and nscd client code in libc wasn't expecting partial reads or writes
that can happen with really large requests.
http://sources.redhat.com/ml/libc-hacker/2005-02/msg00060.html
is (so far lightly) tested fix for glibc CVS, will backport that to RHEL4 U1 and
RHEL3 U5 soon.
Comment 7 Jakub Jelinek 2005-02-23 09:59:07 EST
A fixed RHEL3 glibc candidate at ftp://people.redhat.com/jakub/glibc/2.3.2-95.33/
Comment 8 Kim Sandberg 2005-02-28 06:23:23 EST
I tried this version and groups seem to work ok now.
But for some reason I now seem to get problems with uid.

nscd now sometimes (quite often) looses the user information.
I open a new xterm it complains that:
id: cannot find name for user ID xxxx
Running "id" without parameters shows the number but group names are
still resolved.
But running "id username" then it starts working when opening new
xterms also for a while until it then again stops working.
Comment 9 Jakub Jelinek 2005-02-28 13:11:23 EST
Can you please stop nscd, run
strace -o /tmp/nscd.strace /usr/sbin/nscd -d -d -d > /tmp/nscd.log 2>&1 &
/usr/sbin/nscd -i password
/usr/sbin/nscd -i group
and now run the strace -o /tmp/id.log1 /usr/bin/id (or whatever results in the
failure to look up username)
and then strace -o /tmp/id.log2 /usr/bin/id username
?
Thanks.
Comment 10 Kim Sandberg 2005-03-02 02:47:02 EST
Hi.

It appeared to ba a missing index for uidnumber in my ldap server that
caused this behaviour.
It works ok now when I added the index.
Comment 11 Jakub Jelinek 2005-03-02 03:13:00 EST
Thanks.  Assuming all is fixed then.
Comment 12 Petr Adamec 2005-03-20 17:19:07 EST
Hi Jakub,

I have the same problem with Novell LDAP (I have small group) on RHEL4. Do you
want some (or the same) output from strace?

Regards Petr Adamec
Comment 13 Petr Adamec 2005-03-22 11:07:45 EST
(In reply to comment #0)
> Description of problem:
> When connecting RHEL to a ldap server that has a group with around
> 7000 members the nscd wont resolv the name of that group:
> 
> 
> $ groups
> id: cannot find name for group ID 1015
> 1015 group2 group3 group3 group4
> 
> If you turn off nscd everything works but it is slow.
> 
> With FC3 this is working without problems.
> 
> When running nscd -d -d -d the output is the following:
> 
> 16273: handle_request: request received (Version = 2) from PID 18322
> 16273:  GETGRBYGID (1015)
> 16273: cannot write result: Success
> 
> 
> 
> Version-Release number of selected component (if applicable):
> nscd-2.3.2-95.30
> 
> How reproducible:
> Always
> 
> Steps to Reproduce:
> 1. Make a Ldap group with 7000 members.
> 2. add user to group and with nscd running run: id user
> 3. then turn off nscd and run: id user 
> 
> 
> Additional info:

I have the same problem even with a group of two members... :-(
Comment 14 Tim Powers 2005-05-18 10:00:16 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-256.html