Red Hat Bugzilla – Bug 1301655
Getent ignores netgroups in /etc/passwd with passwd_compat sss
Last modified: 2018-04-03 01:07:20 EDT
Description of problem:
If someone uses the compat mode for passwd with sssd in nsswitch.conf and puts the netgroup entry (e.g. +@netgroup) in /etc/passwd, the users in this LDAP netgroup don't get listed with "getent passwd". "getent passwd [username]" works perfectly fine. Also, if instead of the netgroup "group" we write just a netgroup user (e.g. +username), it works as it should. The only problem is with groups.
Steps to Reproduce:
1. Set in nsswitch.conf
2. Set a netgroup group in /etc/passwd
3. Do a "getent passwd"
Actual results:
Only the local users of passwd get listed. LDAP users in the netgroup don't get enumerated.
Expected results:
LDAP users in the netgroup should be listed too.
This seems to be a really old bug. Take a look here: https://www.redhat.com/archives/rhelv5-list/2011-September/msg00003.html
I tried to set the NIS domain, but for me it didn't work.
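The script below is an added diagnostic, not part of this report and not code from sssd or glibc. It checks for exactly the symptom described: it collects the netgroups referenced as "+@name" in a passwd-format file, extracts the user fields from "getent netgroup" triples, and reports which of those users are absent from a "getent passwd" style enumeration. It works on text, so it can be fed live output on a configured system or the constructed sample data embedded at the bottom; all file paths, names and sample entries are assumptions.

```shell
#!/bin/sh
# Added diagnostic for "+@netgroup" compat entries that do not enumerate.
# Everything here works on plain text; live usage is shown further down.

# Print the netgroup names referenced by "+@name" lines in a passwd-format
# file ($1). Compat entries may carry override fields, so anything after
# the first ':' is ignored.
compat_netgroups() {
    sed -n 's/^+@\([^:]*\).*/\1/p' "$1"
}

# Read "getent netgroup" output on stdin, e.g.
#   admins (,bob,) (,carol,) (host1,,)
# and print the user field of every (host,user,domain) triple, one per
# line, sorted and de-duplicated. Host-only triples (empty user) are dropped.
netgroup_users() {
    tr ' ' '\n' \
        | sed -n 's/^(\([^,]*\),\([^,]*\),\([^)]*\))$/\2/p' \
        | grep -v '^$' \
        | sort -u
}

# Read expected user names on stdin (one per line) and print those that do
# not appear as a login name in the passwd-format enumeration file ($1).
missing_users() {
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        if ! cut -d: -f1 "$1" | grep -qx "$user"; then
            printf '%s\n' "$user"
        fi
    done
}

# Live usage on a configured system (assumed paths), reporting per netgroup
# the members that "getent passwd" failed to enumerate:
#   getent passwd > /tmp/enum.txt
#   for ng in $(compat_netgroups /etc/passwd); do
#       echo "netgroup $ng, missing from enumeration:"
#       getent netgroup "$ng" | netgroup_users | missing_users /tmp/enum.txt
#   done

# Constructed sample data (not from any real system) so the functions can
# be exercised offline. The enumeration deliberately contains only the
# local user and the directly listed "+alice" entry, mirroring the bug.
sample_passwd=$(mktemp)
cat > "$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
+alice::::::
+@admins::::::
EOF

sample_enum=$(mktemp)
cat > "$sample_enum" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/sh
EOF

# Constructed "getent netgroup admins" output: two user triples, one host triple.
sample_netgroup='admins (,bob,) (,carol,) (host1,,)'

for ng in $(compat_netgroups "$sample_passwd"); do
    echo "netgroup $ng, missing from enumeration:"
    printf '%s\n' "$sample_netgroup" | netgroup_users | missing_users "$sample_enum"
done

rm -f "$sample_passwd" "$sample_enum"
```

On an affected system the loop prints the netgroup members that "getent passwd" silently left out; on a healthy one it prints nothing under each netgroup heading, which makes it a quick regression check after changing nsswitch.conf, sssd.conf or the netgroup triples in LDAP.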
I admit I haven't really used the compat mode myself, but:
1) Can you enumerate the users in the netgroup?
2) Did you enable enumerate=true in sssd.conf?
3) Can you request individual users?
(In reply to Jakub Hrozek from comment #2)
> I admit I haven't really used the compat mode myself, but:
> 1) Can you enumerate the users in the netgroup?
> 2) did you enable enumerate=true in sssd.conf?
> 3) can you request individual users?
1) If I give "getent netgroup [netgroup name]" it works as it should. It lists me the netgroup elements.
2) If you enable enumerate in sssd.conf, then you get a list with all the LDAP users. That is why I wanted to do the enumeration with compat and passwd, in order to avoid the listing of all users in the LDAP directory and just decide which netgroup users I want to get listed. Before the sssd times it used to be done like this.
3) Individual users can be requested. Like I said, if you write in passwd +username and do a "getent passwd" it works without problem. The problem is only with groups.
If the lookups work, then I think it's out of the hands of sssd and into the realm of libc.
On the glibc side, we need more verbose instructions on how to configure a system so that it reproduces this issue. Thanks.
In my testing, I've found that I can reproduce this problem if I populate the netgroups like this:
but if I instead populate the netgroups like this, it works correctly:
Could you please check your ldap database and see how the nisNetgroupTriples are formatted?