Hide Forgot
Description of problem: On Fedora 23, on a system with nis (ypbind) running, users have only there primary group if nscd is running. If nscd is stopped resp. not running, then users have all there groups assigned. This problem occurs first on Fedora 23. On Fedora 22 and earlier initgroups was successful with and without nscd running. Version-Release number of selected component (if applicable): nscd-2.22-6.fc23.x86_64 glibc-2.22-6.fc23.x86_64 How reproducible: Always Steps to Reproduce: 1. Create a nis server with users and groups where uid >= 1000 and gid >= 1000, and at least one user which is member in more than one group. For example: passwd: anton:passwordhash:1234:5678:Anton aus Tirol:/home/anton:/bin/bash group: anton:5678:anton tirol:4441:anton singer:4442:anton 2. Create a nis client of the nis server of step 1, and bind ypbind to it. 3. Run the following commands: systemctl stop nscd id anton getent initgroups anton 4. Run the following commands: systemctl start nscd nscd -i passwd nscd -i group id anton getent initgroups anton Actual results: Step 3 (last two commands): uid=1234(anton) gid=5678(anton) groups=5678(anton) anton Step 4 (last two commands): uid=1234(anton) gid=5678(anton) groups=5678(anton),4441(tirol),4442(singer) anton 5678 4441 4442 Expected results: Result of step 3 should be the same as result of step 4.
+1 to the bug. # systemctl stop nscd.service # groups strizhov strizhov : grad dbsec sna # systemctl start nscd.service # groups strizhov strizhov : grad
(In reply to Edgar Hoch from comment #0) > Description of problem: > On Fedora 23, on a system with nis (ypbind) running, > users have only there primary group if nscd is running. > > If nscd is stopped resp. not running, then users have all there groups > assigned. > > This problem occurs first on Fedora 23. On Fedora 22 and earlier initgroups > was successful with and without nscd running. Could you please attach /etc/nsswitch.conf and your nis configuration information?
Created attachment 1113701 [details] /etc/nsswitch.conf
Created attachment 1113702 [details] /etc/ypserv.conf from nis server (ip address replaced by test-net-3 subnet)
Created attachment 1113703 [details] /var/yp/Makefile from nis server (nis domain changed for privacy)
All our nis source files are in /etc/nis-mynisdomain/ : -r--r--r--. 1 root root 188065 11. Jan 18:38 aliases -r--r--r--. 1 root root 5274 25. Sep 18:58 auto.home -r--r--r--. 1 root root 1566 4. Sep 2013 auto.master -r--r--r--. 1 root root 14662 1. Jan 12:42 auto.mount -r--r--r--. 1 root root 36080 11. Jan 14:13 ethers -r--r--r--. 1 root root 11156 4. Jan 03:17 group -r--r--r--. 1 root root 77932 11. Jan 14:13 hosts -r--r--r--. 1 root root 6384 11. Jan 14:13 netgroup -r--r--r--. 1 root root 1483 30. Nov 1999 netmasks -r--r--r--. 1 root root 2358 14. Okt 2013 networks -r--------. 1 root root 81329 7. Jan 14:49 passwd We have no separate shadow file, the passwd file contains the password hash. These are the files in /var/yp/mynisdomain/ : -rw-------. 1 root root 136448 31. Dez 05:58 auto.home -rw-------. 1 root root 135680 31. Dez 05:58 auto.master -rw-------. 1 root root 140288 1. Jan 12:42 auto.mount -rw-------. 1 root root 159232 11. Jan 14:13 ethers.byaddr -rw-------. 1 root root 157184 11. Jan 14:13 ethers.byname -rw-------. 1 root root 148224 4. Jan 03:17 group.bygid -rw-------. 1 root root 148480 4. Jan 03:17 group.byname -rw-------. 1 root root 155136 11. Jan 14:13 hosts.byaddr -rw-------. 1 root root 155136 11. Jan 14:13 hosts.byname -rw-------. 1 root root 189952 11. Jan 18:38 mail.aliases -rw-------. 1 root root 141824 11. Jan 14:13 netgroup -rw-------. 1 root root 156416 11. Jan 14:13 netgroup.byhost -rw-------. 1 root root 136192 11. Jan 14:13 netgroup.byuser -rw-------. 1 root root 174848 11. Jan 18:38 netid.byname -rw-------. 1 root root 135680 31. Dez 05:58 netmasks.byaddr -rw-------. 1 root root 136192 31. Dez 05:58 networks.byaddr -rw-------. 1 root root 136704 31. Dez 05:58 networks.byname -rw-------. 1 root root 224512 7. Jan 14:49 passwd.byname -rw-------. 1 root root 222464 7. Jan 14:49 passwd.byuid -rw-------. 1 root root 136192 31. Dez 05:58 ypservers You find some configuration files in the attachments.
Created attachment 1113717 [details] /etc/default/nss I haven't changed this file in previous Fedora releases. Now in Fedora 23 I have tried changing #NETID_AUTHORITATIVE=TRUE to NETID_AUTHORITATIVE=TRUE Then it seems that nscd is using the netid.byname, and all groups are assigned to the user process. But without this change it seems that the nscd code has a bug in collecting the other groups of the user. I'm not sure if setting NETID_AUTHORITATIVE=TRUE is a good idea, because this change wasn't neccessary until and including Fedora 22, and if a user is member of a group in nis and a group in files (/etc/group), then the group in files may (will?) be ignored.
Same problem here. Looks like nscd is broken for groups.
Is there any other workaround apart from stopping nscd?
Further info, I noticed that if I'm listed in /etc/group, then the /etc/groups and NIS origin groups are included in my group list, but if I'm not, no NIS groups are included. It doesn't matter what group I add myself to in /etc/group... just my user being there *anywhere* changes the entire behavior!
BTW my nsswitch.conf only has these 'group' related lines in it: group: files nis netgroup: files nis
(In reply to Ian Donaldson from comment #11) > BTW my nsswitch.conf only has these 'group' related lines in it: > > group: files nis > netgroup: files nis Does this mean you do not have an initgroups setting?
(In reply to Florian Weimer from comment #12) > Does this mean you do not have an initgroups setting? initgroups was intentionally removed from nsswitch.conf - see bug 751450.
no initgroups setting, and adding one didn't seem to help any (tried a few combos) This behavior is truly bizarre.
So far the only way to get the groups back is to disable nscd completely or to disable the caching of the groups in /etc/nscd.conf. In version nscd-2.22-17.fc23.x86_64 glibc-2.22-17.fc23.x86_64 the cache for the groups is still broken. Is there a chance that this bug gets fixed in Fedora 23?
Hmm... maybe this bug is related to #1277672 ?
glibc-2.23.1-10.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f050a0a6d
glibc-2.22-18.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-87dde780b8
glibc-2.22-18.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-87dde780b8
glibc-2.23.1-10.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f050a0a6d
glibc-2.22-18.fc23.x86_64 and nscd-2.22-18.fc23.x86_64 fixed the problem for me.
glibc-2.23.1-10.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
glibc-2.22-18.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.