Bug 953545

Summary: nscd change group lookup results
Product: Red Hat Enterprise Linux 6
Component: glibc
Version: 6.4
Hardware: x86_64
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Target Milestone: rc
Type: Bug
Reporter: TCottier <thomas.cottier>
Assignee: glibc team <glibc-bugzilla>
QA Contact: qe-baseos-tools-bugs
CC: codonell, fincht, frank.enderle, fweimer, igeorgex, jarrod.makin, mhamant, mnewsome, pfrankli, thomas.cottier
Last Closed: 2017-11-08 09:39:38 UTC

Description TCottier 2013-04-18 12:26:02 UTC
Description of problem:
I configured libnss-mysql to manage my users and it's working well. But as soon as I start nscd, the results change.

Version-Release number of selected component (if applicable):
NSCD 2.12

How reproducible:
Configure authentication with libnss-mysql, create a user with his group, create a secondary group, add the user to the group, then test with nscd started and stopped.

Actual results:
$> getent group gpig
gpig:x:1101:john
$> id -Gn john
john gpig
$> service nscd start
$> id -Gn john
john
$> getent group gpig
gpig:x:1101:john


Expected results:
With nscd started, we should see john in his own group and in gpig group.

Additional info:
/etc/nscd.conf is the default installed file.

Comment 4 Siddhesh Poyarekar 2013-08-12 06:30:07 UTC
It's probably an unnecessary question, but I'm going to ask it anyway.  Did you invalidate the nscd cache when you checked?  You can do that by issuing the `nscd -i group` command.

Comment 5 TCottier 2013-08-12 08:33:37 UTC
Hi and thanks for watching that problem.

I just retried to be sure, and I can confirm that even after the cache has been invalidated the problem persists.

Raw paste:

# service nscd status
nscd (pid 2054) is running...

# getent group gpig
gpig:x:1101:admin,john

# id -Gn john
john

# nscd -i group
# nscd -i passwd
# id -Gn john
john

# service nscd stop
Stopping nscd:                                             [  OK  ]
# id -Gn john
john gpig

Comment 7 TCottier 2013-10-31 08:49:09 UTC
Hi, do you need any other information about this problem? Can I help with anything to determine what's wrong?

Thomas.

Comment 8 Carlos O'Donell 2013-11-02 02:45:46 UTC
(In reply to TCottier from comment #7)
> Hi, do you need any other information about this problem? Can I help with
> anything to determine what's wrong?

At present we don't need any more information. We aren't presently working on this issue, but I've scheduled it for review as part of our development process.

All I can say is that nscd should not be dropping any groups. You may wish to start nscd with debug-level set to 7 in /etc/nscd.conf and look at the transactions in detail to see what the server is doing and if anything sticks out as wrong.

Comment 9 Martin Hamant 2013-12-23 08:29:55 UTC
Hi,

I can confirm this bug on my CentOS 6.5.
I want to add that getent returns expected results about group membership. The problem occurs with the 'id' command, which doesn't return all the groups that the user belongs to.

This issue seems really linked to https://bugzilla.redhat.com/show_bug.cgi?id=706571

Comment 11 Frank Enderle 2014-06-03 14:55:03 UTC
I confirm this bug for CentOS 6.5.

Package: nscd.x86_64 0:2.12-1.132.el6_5.2

id only shows groups for locally defined /etc/groups settings, neglecting libnss-mysql grouplist entries when nscd is running. Disabling the group cache in nscd solves the problem.

Comment 14 Travis Finch 2015-03-13 23:04:42 UTC
Seeing this issue on RHEL 6.6. Have the following version of nscd installed:

nscd-2.12-1.149.el6_6.5.x86_64

I am also using libnss-mysql. When I enable nscd and run:

groups <user>

to check, only the default group is displayed.

When I disable nscd and re-run the command, it shows all of the groups the user belongs to.

Comment 15 Frank Enderle 2015-04-13 19:34:42 UTC
(In reply to Siddhesh Poyarekar from comment #4)
> It's probably an unnecessary question, but I'm going to ask it anyway.  Did
> you invalidate the nscd cache when you checked?  You can do that by issuing
> the `nscd -i group` command.
Yes I did.

Comment 17 Florian Weimer 2016-02-04 12:57:21 UTC
Can you reproduce this issue with another NSS service module besides libnss-mysql?

If you are using the version in Fedora, it's no longer maintained upstream.

Comment 18 TCottier 2016-02-22 13:02:22 UTC
I did not try with other NSS services.

Comment 19 Jarrod Makin 2016-03-04 18:07:58 UTC
I witnessed something similar to this today.
Can you show us the output of:
ls -l /etc/libnss-mysql.cfg /etc/libnss-mysql-root.cfg

If the files aren't readable by the nscd user, you may get unintended consequences.

Comment 20 TCottier 2016-03-07 09:27:36 UTC
I've just tested with chown nscd.nscd /etc/libnss-mysql* and the results are the same.

I guess the problem is more on the nscd side as libnss-mysql works fine when we stop the cache service.

Comment 21 Jarrod Makin 2016-03-07 09:29:28 UTC
Have you tried running nscd --invalidate=passwd and nscd --invalidate=group after this?

Comment 22 TCottier 2016-03-07 09:31:01 UTC
Of course :)

Comment 24 Florian Weimer 2017-11-08 09:39:31 UTC
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

This issue does not qualify, and there is insufficient information in this report to identify the root cause of this issue.

Comment 25 Red Hat Bugzilla Rules Engine 2017-11-08 09:39:38 UTC
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.
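
The mismatch reported throughout this thread (the group database lists the user as a member, but `id -Gn` omits the group) can be checked for mechanically, since a dropped supplementary group changes what the account is authorized to do. The script below is an added example, not part of the original report or of glibc; the function names and the sample data (including the GID 1100 for group john) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag groups that list a user as a member in the group
# database but are absent from `id -Gn` output for that user.
# `id` gets supplementary groups through getgrouplist(), a different lookup
# from the one behind `getent group`, so the two can disagree.

# groups_listing_user USER   (group database in `getent group` format on stdin)
# Prints every group whose member field (4th, comma-separated) contains USER.
groups_listing_user() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# missing_groups USER ID_OUTPUT   (group database on stdin)
# ID_OUTPUT is the space-separated list printed by `id -Gn USER`.
# Prints groups that list USER but do not appear in ID_OUTPUT.
missing_groups() {
    user=$1 have=" $2 "
    groups_listing_user "$user" | while read -r g; do
        case "$have" in
            *" $g "*) ;;                      # group is present in id output
            *) printf '%s\n' "$g" ;;          # listed as member, but missing
        esac
    done
}

# check_user USER: run the comparison on the live system; returns 1 on mismatch.
check_user() {
    out=$(getent group | missing_groups "$1" "$(id -Gn "$1")")
    [ -z "$out" ] && return 0
    printf 'groups missing from id output for %s: %s\n' "$1" "$(echo $out)"
    return 1
}

# Constructed sample modelled on the values pasted in the thread.
SAMPLE_DB='john:x:1100:
gpig:x:1101:admin,john
wheel:x:10:admin'

# Usage: ./check-groups.sh john   (run once with nscd started, once stopped)
if [ "$#" -gt 0 ]; then check_user "$1"; fi
```

A non-zero exit with nscd running and a zero exit with it stopped reproduces the behaviour described in the comments above.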