Bug 835612

Summary:	Using 'initgroups:' in /etc/nsswitch.conf is completely broken
Product:	[Fedora] Fedora	Reporter:	Stephen Gallagher <sgallagh>
Component:	authconfig	Assignee:	Tomas Mraz <tmraz>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	urgent	Docs Contact:
Priority:	unspecified
Version:	17	CC:	jakub, jamescape777, law, nalin, pfrankli, schwab, ssorce, tmraz
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	authconfig-6.2.1-1.fc17	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2012-09-25 20:11:19 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Stephen Gallagher 2012-06-26 15:20:18 UTC

Description of problem:
By default, recent versions of glibc add a new line to /etc/nsswitch.conf for specifying search order for initgroups requests. This is a complete semantic break from existing systems (and the new semantics make it impossible to configure a system for useres to have both central and local group assignments).

This needs to be reverted immediately.

Version-Release number of selected component (if applicable):
glibc-2.15-37.fc17.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Configure a system to get its users and group information from SSSD (or nss_ldap, or nss_nis, etc.)
2. Add the following line to /etc/nsswitch.conf:
initgroups: files sss
3. Run the command 'id -G <user_in_sssd>'

Actual results:
If the group is a member of any local groups, only those will be returned. If not, their groups served by SSSD are returned.

Expected results:
All the groups that the user belongs to, both local and remote, must be returned.

Additional info:
With debug logs enabled, I can confirm that glibc never tries to ask SSSD to respond with its groups if some have been found in 'files'. Reversing the order in the initgroups: line means that I see only network groups and zero local groups.

The previous behavior of libc was to search every database listed in the groups: line for groups that this user belonged to and return them. This behavior is still available if the initgroups: line is deleted or commented out from nsswitch.conf, but it is present by default, which is unacceptable.

I propose the following options:
1) Drop this initgroups: line entirely and revert to the older (and well-understood) behavior.
2) Retain the initgroups: line but ensure that ALL entries specified in it are searched (in order). The search should not stop at the first match.

Comment 1 Jeff Law 2012-06-29 03:33:37 UTC

I believe glibc is behaving per its specifications with regard to the behaviour when the requested entry is found.  ie, when the requested entry is found, the default behaviour is to stop searching.

I believe the behaviour you want is achieved by this configuration:

initgroups: files [SUCCESS=continue] sss

Comment 2 Stephen Gallagher 2012-06-29 14:56:22 UTC

Reopening and reassigning to authconfig. The default behavior of the initgroups: line is unusable for any deployment relying on central users as I explained above. We need to ensure that when configuring SSSD (and LDAP, and NIS...) that we add [SUCCESS=continue] to unbreak support for using both local and remote groups with remote users.

Comment 3 Tomas Mraz 2012-06-29 19:34:37 UTC

So glibc started to put the 'initgroups: files' line into the /etc/nsswitch.conf without any heads up in Fedora 17? Nice change. :(

Comment 4 Simo Sorce 2012-06-29 20:12:43 UTC

Welcome to the past, this is just https://bugzilla.redhat.com/show_bug.cgi?id=751450 all over ...

Comment 5 Tomas Mraz 2012-06-29 20:21:22 UTC

Yes, I know, I'd just expect some heads up before that entry was readded back.

Comment 6 James Cape 2012-06-30 02:21:22 UTC

Me personally, I'd expect an entry that's used to set a user's grouplist to show up in the manpage.

Silly, I know...

Comment 7 Tomas Mraz 2012-07-09 08:26:24 UTC

James, please open another bug report for this request against the man-pages package.

Comment 8 Tomas Mraz 2012-07-19 20:41:54 UTC

Authconfig currently just comments the initgroups: line out when it is updating nsswitch.conf. Is that a problem? Or glibc now requires the line and the initgroups behavior is broken without it?

Comment 9 Tomas Mraz 2012-09-25 19:06:49 UTC

Jeff, please answer my question above. Is the behaviour of glibc the same as in old releases if I just comment out the initgroups line in nsswitch.conf? As that is what authconfig does currently. Or do I have to explicitly configure the initgroups line for the initgroups() call to work fine with both local and remote groups.

Comment 10 Jeff Law 2012-09-25 19:35:05 UTC

Sorry, I must have missed the BZ notification for c#8.

As far as I know, commenting out the initgroups line should safe and should cause glibc to fall back to its prior behaviour.

However, this is a part of glibc I know very very little about; so it'd be best if you could verify you're getting the behaviour you want when you eliminate that line rather than blindly assuming my reading of the code is correct.