Bug 835612
Summary: | Using 'initgroups:' in /etc/nsswitch.conf is completely broken | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Stephen Gallagher <sgallagh> |
Component: | authconfig | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | | |
Version: | 17 | CC: | jakub, jamescape777, law, nalin, pfrankli, schwab, ssorce, tmraz |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | authconfig-6.2.1-1.fc17 | Doc Type: | Bug Fix |
Last Closed: | 2012-09-25 20:11:19 UTC | Type: | Bug |
Description
Stephen Gallagher
2012-06-26 15:20:18 UTC
I believe glibc is behaving per its specifications with regard to the behaviour when the requested entry is found. i.e., when the requested entry is found, the default behaviour is to stop searching. I believe the behaviour you want is achieved by this configuration:

    initgroups: files [SUCCESS=continue] sss

Reopening and reassigning to authconfig. The default behavior of the initgroups: line is unusable for any deployment relying on central users as I explained above. We need to ensure that when configuring SSSD (and LDAP, and NIS...) that we add [SUCCESS=continue] to unbreak support for using both local and remote groups with remote users.

So glibc started to put the 'initgroups: files' line into the /etc/nsswitch.conf without any heads up in Fedora 17? Nice change. :(

Welcome to the past, this is just https://bugzilla.redhat.com/show_bug.cgi?id=751450 all over ...

Yes, I know, I'd just expect some heads up before that entry was re-added back.

Me personally, I'd expect an entry that's used to set a user's grouplist to show up in the manpage. Silly, I know...

James, please open another bug report for this request against the man-pages package.

Authconfig currently just comments the initgroups: line out when it is updating nsswitch.conf. Is that a problem? Or does glibc now require the line, and is the initgroups behavior broken without it?

Jeff, please answer my question above. Is the behaviour of glibc the same as in old releases if I just comment out the initgroups line in nsswitch.conf? As that is what authconfig does currently. Or do I have to explicitly configure the initgroups line for the initgroups() call to work fine with both local and remote groups?

Sorry, I must have missed the BZ notification for c#8. As far as I know, commenting out the initgroups line should be safe and should cause glibc to fall back to its prior behaviour.

However, this is a part of glibc I know very very little about; so it'd be best if you could verify you're getting the behaviour you want when you eliminate that line rather than blindly assuming my reading of the code is correct.
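
Added example, not part of the bug thread and not authconfig or glibc code: a Python check that parses the active `initgroups:` line of an nsswitch.conf and flags the two conditions discussed above, a source that stops the lookup on SUCCESS while others follow it, and a `group:` source that the `initgroups:` line never consults. The function names and the four sample configurations are constructed for illustration, and it assumes the usual nsswitch.conf syntax in which a bracketed `[STATUS=action]` applies to the service before it.

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")

def parse_db(conf_text, db):
    """Return [(service, {status: action})] for the active `db:` line, else None."""
    for raw in conf_text.splitlines():
        name, sep, rest = raw.split("#", 1)[0].partition(":")
        if not sep or name.strip().lower() != db:
            continue  # blank, commented-out, or a different database
        chain = []
        for svc, crit in re.findall(r"(\w+)|\[([^\]]*)\]", rest):
            if svc:
                # glibc default: return on SUCCESS, continue on every other status
                chain.append((svc, {**dict.fromkeys(STATUSES, "continue"), "SUCCESS": "return"}))
            elif chain:
                for item in crit.upper().split():
                    status, _, action = item.partition("=")
                    # "!STATUS=action" applies the action to every status except STATUS
                    hit = [s for s in STATUSES if s != status[1:]] if status[:1] == "!" else [status]
                    for s in hit:
                        chain[-1][1][s] = action.lower()
        return chain
    return None

def audit_initgroups(conf_text):
    """Return findings for the initgroups: line; an empty list means nothing to flag."""
    chain = parse_db(conf_text, "initgroups")
    if chain is None:
        return []  # no active line: the thread expects glibc to fall back to its prior behaviour
    findings = []
    names = [svc for svc, _ in chain]
    for i, (svc, actions) in enumerate(chain[:-1]):
        if actions["SUCCESS"] != "continue":
            findings.append(f"{svc}: stops on SUCCESS, skipping {','.join(names[i + 1:])}")
    for svc, _ in parse_db(conf_text, "group") or []:
        if svc not in names:
            findings.append(f"{svc}: listed under group: but never consulted by initgroups:")
    return findings

# Constructed sample configurations, not taken from a real host.
SHIPPED = "group: files sss\ninitgroups: files\n"
NO_CONTINUE = "group: files sss\ninitgroups: files sss\n"
FIXED = "group: files sss\ninitgroups: files [SUCCESS=continue] sss\n"
COMMENTED = "group: files sss\n#initgroups: files\n"

if __name__ == "__main__":
    for label, conf in (("shipped", SHIPPED), ("no-continue", NO_CONTINUE),
                        ("fixed", FIXED), ("commented", COMMENTED)):
        print(label, audit_initgroups(conf))
```

An empty result only means the line is consistent with the configuration suggested in the thread; confirming the effective group list for a real remote user on the host is still the check the last comment asks for.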