Bug 1294574 - nscd breaks initgroups with nis (initgroups are empty)
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 23
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Florian Weimer
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-12-29 03:42 UTC by Edgar Hoch
Modified: 2016-09-05 08:43 UTC

Fixed In Version: glibc-2.22-18.fc23, glibc-2.23.1-10.fc24, glibc-2.23.90-26.fc25
Doc Type: Bug Fix
Last Closed: 2016-09-05 08:43:31 UTC


Attachments
/etc/nsswitch.conf (1.69 KB, text/plain)
2016-01-11 22:17 UTC, Edgar Hoch
/etc/ypserv.conf from nis server (ip address replaced by test-net-3 subnet) (2.27 KB, text/plain)
2016-01-11 22:21 UTC, Edgar Hoch
/var/yp/Makefile from nis server (nis domain changed for privacy) (17.90 KB, text/plain)
2016-01-11 22:24 UTC, Edgar Hoch
/etc/default/nss (1.71 KB, text/plain)
2016-01-11 22:43 UTC, Edgar Hoch


Links
System ID Priority Status Summary Last Updated
Sourceware 20262 None None None 2016-06-30 11:52:07 UTC
Red Hat Bugzilla 1363924 None None None Never

Internal Links: 1363924

Description Edgar Hoch 2015-12-29 03:42:52 UTC
Description of problem:
On Fedora 23, on a system with nis (ypbind) running,
users have only their primary group if nscd is running.

If nscd is stopped resp. not running, then users have all their groups assigned.

This problem occurs first on Fedora 23. On Fedora 22 and earlier initgroups was successful with and without nscd running.


Version-Release number of selected component (if applicable):
nscd-2.22-6.fc23.x86_64
glibc-2.22-6.fc23.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Create a nis server with users and groups where uid >= 1000 and gid >= 1000, and at least one user which is member in more than one group.
For example:
passwd:
anton:passwordhash:1234:5678:Anton aus Tirol:/home/anton:/bin/bash

group:
anton:5678:anton
tirol:4441:anton
singer:4442:anton

2. Create a nis client of the nis server of step 1, and bind ypbind to it.

3. Run the following commands:
systemctl stop nscd
id anton
getent initgroups anton

4. Run the following commands:
systemctl start nscd
nscd -i passwd
nscd -i group
id anton
getent initgroups anton


Actual results:
Step 3 (last two commands):
uid=1234(anton) gid=5678(anton) groups=5678(anton)
anton

Step 4 (last two commands):
uid=1234(anton) gid=5678(anton) groups=5678(anton),4441(tirol),4442(singer)
anton                 5678 4441 4442

Expected results:
Result of step 3 should be the same as result of step 4.
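
Because supplementary groups drive file and service authorization, a silently shortened group list is worth checking for mechanically. The following is an added example, not part of the original report: it compares two captured `id <user>` lines and lists the gids that went missing. The function names are hypothetical, and the sample lines are constructed from the two `id anton` results quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): detect supplementary groups that
# disappear between two captured `id <user>` output lines.

# Constructed samples, copied from the two `id anton` results quoted above.
FULL='uid=1234(anton) gid=5678(anton) groups=5678(anton),4441(tirol),4442(singer)'
PRIMARY_ONLY='uid=1234(anton) gid=5678(anton) groups=5678(anton)'

# Print the numeric gids of the groups= field, one per line, sorted.
# Assumption: group names contain no spaces.
gids_from_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' |
        sed 's/(.*//' |
        sort -n
}

# Print gids present in the first id line but absent from the second.
missing_gids() {
    cur=" $(gids_from_id "$2" | tr '\n' ' ')"
    out=""
    for g in $(gids_from_id "$1"); do
        case "$cur" in
            *" $g "*) ;;                    # whole-gid match: 444 != 4441
            *) out="${out:+$out }$g" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Return 1 and name the lost gids if the second line is missing any group.
# Live use: capture `id <user>` once with nscd stopped and once with it
# running, then pass the complete line first.
check_user() {
    lost=$(missing_gids "$1" "$2")
    if [ -n "$lost" ]; then
        echo "supplementary groups lost: $lost"
        return 1
    fi
    echo "group lists match"
}

check_user "$FULL" "$PRIMARY_ONLY" || true
```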

Comment 1 Mikhail Strizhov 2016-01-11 17:36:31 UTC
+1 to the bug.

# systemctl  stop nscd.service
# groups strizhov
strizhov : grad dbsec sna

# systemctl  start nscd.service
# groups strizhov
strizhov : grad

Comment 2 Carlos O'Donell 2016-01-11 21:13:48 UTC
(In reply to Edgar Hoch from comment #0)
> Description of problem:
> On Fedora 23, on a system with nis (ypbind) running,
> users have only their primary group if nscd is running.
> 
> If nscd is stopped resp. not running, then users have all their groups
> assigned.
> 
> This problem occurs first on Fedora 23. On Fedora 22 and earlier initgroups
> was successful with and without nscd running.

Could you please attach /etc/nsswitch.conf and your nis configuration information?

Comment 3 Edgar Hoch 2016-01-11 22:17:18 UTC
Created attachment 1113701 [details]
/etc/nsswitch.conf

Comment 4 Edgar Hoch 2016-01-11 22:21:38 UTC
Created attachment 1113702 [details]
/etc/ypserv.conf from nis server (ip address replaced by test-net-3 subnet)

Comment 5 Edgar Hoch 2016-01-11 22:24:40 UTC
Created attachment 1113703 [details]
/var/yp/Makefile from nis server (nis domain changed for privacy)

Comment 6 Edgar Hoch 2016-01-11 22:32:35 UTC
All our nis source files are in /etc/nis-mynisdomain/ :

-r--r--r--. 1 root     root    188065 11. Jan 18:38 aliases
-r--r--r--. 1 root     root      5274 25. Sep 18:58 auto.home
-r--r--r--. 1 root     root      1566  4. Sep 2013  auto.master
-r--r--r--. 1 root     root     14662  1. Jan 12:42 auto.mount
-r--r--r--. 1 root     root     36080 11. Jan 14:13 ethers
-r--r--r--. 1 root     root     11156  4. Jan 03:17 group
-r--r--r--. 1 root     root     77932 11. Jan 14:13 hosts
-r--r--r--. 1 root     root      6384 11. Jan 14:13 netgroup
-r--r--r--. 1 root     root      1483 30. Nov 1999  netmasks
-r--r--r--. 1 root     root      2358 14. Okt 2013  networks
-r--------. 1 root     root     81329  7. Jan 14:49 passwd


We have no separate shadow file, the passwd file contains the password hash.

These are the files in /var/yp/mynisdomain/ :

-rw-------. 1 root root 136448 31. Dez 05:58 auto.home
-rw-------. 1 root root 135680 31. Dez 05:58 auto.master
-rw-------. 1 root root 140288  1. Jan 12:42 auto.mount
-rw-------. 1 root root 159232 11. Jan 14:13 ethers.byaddr
-rw-------. 1 root root 157184 11. Jan 14:13 ethers.byname
-rw-------. 1 root root 148224  4. Jan 03:17 group.bygid
-rw-------. 1 root root 148480  4. Jan 03:17 group.byname
-rw-------. 1 root root 155136 11. Jan 14:13 hosts.byaddr
-rw-------. 1 root root 155136 11. Jan 14:13 hosts.byname
-rw-------. 1 root root 189952 11. Jan 18:38 mail.aliases
-rw-------. 1 root root 141824 11. Jan 14:13 netgroup
-rw-------. 1 root root 156416 11. Jan 14:13 netgroup.byhost
-rw-------. 1 root root 136192 11. Jan 14:13 netgroup.byuser
-rw-------. 1 root root 174848 11. Jan 18:38 netid.byname
-rw-------. 1 root root 135680 31. Dez 05:58 netmasks.byaddr
-rw-------. 1 root root 136192 31. Dez 05:58 networks.byaddr
-rw-------. 1 root root 136704 31. Dez 05:58 networks.byname
-rw-------. 1 root root 224512  7. Jan 14:49 passwd.byname
-rw-------. 1 root root 222464  7. Jan 14:49 passwd.byuid
-rw-------. 1 root root 136192 31. Dez 05:58 ypservers


You find some configuration files in the attachments.

Comment 7 Edgar Hoch 2016-01-11 22:43:22 UTC
Created attachment 1113717 [details]
/etc/default/nss

I haven't changed this file in previous Fedora releases.

Now in Fedora 23 I have tried changing
#NETID_AUTHORITATIVE=TRUE
to
NETID_AUTHORITATIVE=TRUE

Then it seems that nscd is using the netid.byname, and all groups are assigned to the user process. But without this change it seems that the nscd code has a bug in collecting the other groups of the user.

I'm not sure if setting NETID_AUTHORITATIVE=TRUE is a good idea, because this change wasn't necessary until and including Fedora 22, and if a user is member of a group in nis and a group in files (/etc/group), then the group in files may (will?) be ignored.

Comment 8 JM 2016-05-02 22:40:10 UTC
Same problem here. Looks like nscd is broken for groups.

Comment 9 Ian Donaldson 2016-05-30 00:30:05 UTC
Is there any other workaround apart from stopping nscd?

Comment 10 Ian Donaldson 2016-05-30 09:50:40 UTC
Further info, I noticed that if I'm listed in /etc/group,
then the /etc/groups and NIS origin groups are included in my group list, but if
I'm not, no NIS groups are included.

It doesn't matter what group I add myself to in /etc/group... just
my user being there *anywhere* changes the entire behavior!

Comment 11 Ian Donaldson 2016-05-30 09:51:37 UTC
BTW my nsswitch.conf only has these 'group' related lines in it:

group:      files nis
netgroup:   files nis

Comment 12 Florian Weimer 2016-05-30 09:58:10 UTC
(In reply to Ian Donaldson from comment #11)
> BTW my nsswitch.conf only has these 'group' related lines in it:
> 
> group:      files nis
> netgroup:   files nis

Does this mean you do not have an initgroups setting?

Comment 13 Edgar Hoch 2016-05-30 10:11:48 UTC
(In reply to Florian Weimer from comment #12)
> Does this mean you do not have an initgroups setting?

initgroups was intentionally removed from nsswitch.conf - see bug 751450.

Comment 14 Ian Donaldson 2016-05-30 11:08:36 UTC
no initgroups setting, and adding one didn't seem to help any
(tried a few combos)

This behavior is truly bizarre.

Comment 15 JM 2016-06-07 11:42:22 UTC
So far the only way to get the groups back is to disable nscd completely or to disable the caching of the groups in /etc/nscd.conf. In version

nscd-2.22-17.fc23.x86_64
glibc-2.22-17.fc23.x86_64

the cache for the groups is still broken. Is there a chance that this bug gets fixed in Fedora 23?

Comment 16 JM 2016-06-07 11:50:10 UTC
Hmm... maybe this bug is related to #1277672 ?

Comment 17 Fedora Update System 2016-08-18 15:16:57 UTC
glibc-2.23.1-10.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f050a0a6d

Comment 18 Fedora Update System 2016-08-18 17:32:51 UTC
glibc-2.22-18.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-87dde780b8

Comment 19 Fedora Update System 2016-08-19 00:21:53 UTC
glibc-2.22-18.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-87dde780b8

Comment 20 Fedora Update System 2016-08-19 00:58:32 UTC
glibc-2.23.1-10.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f050a0a6d

Comment 21 JM 2016-08-19 14:13:01 UTC
glibc-2.22-18.fc23.x86_64 and nscd-2.22-18.fc23.x86_64 fixed the problem for me.

Comment 22 Fedora Update System 2016-08-19 19:52:32 UTC
glibc-2.23.1-10.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2016-09-02 23:20:46 UTC
glibc-2.22-18.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

