Bug 1551616

Summary: glibc: Improper nscd netgroup caching leads to sudo failures
Product: Red Hat Enterprise Linux 8
Reporter: Joe Wright <jwright>
Component: glibc
Assignee: DJ Delorie <dj>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: qe-baseos-tools-bugs
Severity: urgent
Priority: medium
Version: 8.0
CC: alanm, ashankar, codonell, cww, dbasant, dj, fweimer, horst.thaller, mnewsome, pfrankli, skolosov, vmukhame
Target Milestone: rc
Keywords: Bugfix
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-09-02 18:29:20 UTC
Type: Bug
Bug Blocks: 1594286    

Description Joe Wright 2018-03-05 14:25:26 UTC
Description of problem:
- nscd does not cache sudo rules
- disabling nscd alleviates the problem, but causes excessive load on LDAP servers

Version-Release number of selected component (if applicable):
- glibc-2.17-196.el7_4.2.x86_64

How reproducible:
- attempt to use sudo as LDAP user with appropriate rights

Steps to Reproduce:
1.
2.
3.

Actual results:
- sudo fails for LDAP users

Expected results:
- sudo works for LDAP users with appropriate rights

Additional info:
See attached debug logs.

This was originally fixed with ERRATA RHSA-2015-0327 and seems to be broken again.

Moving to sssd is not an option for this use case.

Comment 8 Florian Weimer 2018-03-05 14:36:24 UTC
Has the nscd netgroup caching issue been reproduced outside the sudo context?  Perhaps using “netgroup getent”?

Comment 24 Carlos O'Donell 2020-04-28 16:17:04 UTC
The Platform Tools glibc team has reviewed this bug, and we've decided that we're moving this to Red Hat Enterprise Linux 8 for review.

We are not going to fix this issue in RHEL 7 given the current life-cycle of the product.

Comment 26 Carlos O'Donell 2020-07-31 13:52:51 UTC
We are currently reviewing this bug and trying to complete a root cause analysis to determine the exact cause of the sudo failures (if we can reproduce them). Thank you for your patience.

Comment 28 Carlos O'Donell 2020-09-02 18:29:20 UTC
The Platform Tools glibc team has reviewed this issue in detail, including going through all of the nscd log files again.

We don't see anything wrong with the log files, and they clearly indicate that nscd has loaded the value (after cache eviction), and so sudo should have the values to use.

We are closing this bug as CLOSED/INSUFFICIENT_DATA.

Please continue to work with Red Hat support to identify the exact steps required to reproduce this issue in a test environment at Red Hat.

When we have a reliable reproducer we can review the results.