Description of problem:

Hello Colleagues,

We have an issue on Fedora25 when changing the following parameter in /etc/nsswitch.conf:

Before changing the passwd and group parts in /etc/nsswitch.conf, if I run the command "getent passwd root", I get the output and the root user is visible:

[root@localhost ~]# getent passwd root
root:x:0:0:root:/root:/bin/bash

After changing the following lines in /etc/nsswitch.conf from files to compat:

passwd: compat sss
shadow: files sss
group: compat sss

I get no output from the command and the user is not visible anymore:

[root@localhost ~]# getent passwd root -> ""

Version-Release number of selected component (if applicable):
glibc-2.24-3.fc25.x86_64

How reproducible:
always

Steps to Reproduce:
1. Run the command "getent passwd root"
2. Change "passwd: files sss" and "group: files sss" in /etc/nsswitch.conf to "passwd: compat sss" and "group: compat sss"
3. Run the command "getent passwd root" again

Actual results:
After changing the parameter in /etc/nsswitch to "passwd compat sss, group compat sss":

[root@localhost ~]# getent passwd root -> ""

Expected results:
The user should be visible:

[root@localhost ~]# getent passwd root
root:x:0:0:root:/root:/bin/bash

Additional info:
I got no issue when running the same steps on Fedora24.

----------------------------------------------------------------------

It would be great to help, could you please take a look?

Thanks and best regards,
Mota

(In reply to Mota Kardeh from comment #0)
> After change the following lines in /etc/nsswitch.conf from files to compat :
> passwd: compat sss
> shadow: files sss
> group: compat sss

Please provide your full /etc/nsswitch.conf.

> It would be great to help, could you please take a look?

Where did you get the instructions regarding how to change /etc/nsswitch.conf?

Created attachment 1256858
/etc/nsswitch.conf of fedora25

(In reply to Carlos O'Donell from comment #1)
> (In reply to Mota Kardeh from comment #0)
> > After change the following lines in /etc/nsswitch.conf from files to compat :
> > passwd: compat sss
> > shadow: files sss
> > group: compat sss
>
> Please provide your full /etc/nsswitch.conf.

The only differences in /etc/nsswitch.conf are the lines I mentioned above:

---------------------------------------------
passwd: compat sss
shadow: files sss
group: compat sss
---------------------------------------------

I attached the /etc/nsswitch.conf of fedora25 to the bug.

> > It would be great to help, could you please take a look?
>
> Where did you get the instructions regarding how to change
> /etc/nsswitch.conf?

Our SAP colleague has changed the mentioned lines in the /etc/nsswitch.conf for some testing in NIS env.

We had similar issues before, please check Bug 193226 and Bug 192072.
https://bugzilla.redhat.com/show_bug.cgi?id=193226
https://bugzilla.redhat.com/show_bug.cgi?id=192072

Thanks and best regards,
Mota

(In reply to Mota Kardeh from comment #3)
> (In reply to Carlos O'Donell from comment #1)
> > (In reply to Mota Kardeh from comment #0)
> > > After change the following lines in /etc/nsswitch.conf from files to compat :
> > > passwd: compat sss
> > > shadow: files sss
> > > group: compat sss
> >
> > Please provide your full /etc/nsswitch.conf.
>
> The only difference in /etc/nsswitch.conf are the lines as I mentioned above:
>
> ---------------------------------------------
> passwd: compat sss
> shadow: files sss
> group: compat sss
> ---------------------------------------------
>
> I attached the /etc/nsswitch.conf of fedora25 to the bug.

OK.

> Our SAP colleague has changed the mentioned lines in the /etc/nsswitch.conf
> for some testing in NIS env.

Have you gone through basic validation that the NIS environment works? Is it actually a NIS+ environment?

The 'compat' NSS service will fetch data from NIS by default, which is how you have it configured.

> We had a similar issues before, please check the Bug 193226 and Bug 192072.
> https://bugzilla.redhat.com/show_bug.cgi?id=193226
> https://bugzilla.redhat.com/show_bug.cgi?id=192072

Do you see your problems at boot, before NIS comes up, or after boot also?

(In reply to Carlos O'Donell from comment #4)
> (In reply to Mota Kardeh from comment #3)
> > (In reply to Carlos O'Donell from comment #1)
> > > (In reply to Mota Kardeh from comment #0)
> > > > After change the following lines in /etc/nsswitch.conf from files to compat :
> > > > passwd: compat sss
> > > > shadow: files sss
> > > > group: compat sss
> > >
> > > Please provide your full /etc/nsswitch.conf.
> >
> > The only difference in /etc/nsswitch.conf are the lines as I mentioned above:
> >
> > ---------------------------------------------
> > passwd: compat sss
> > shadow: files sss
> > group: compat sss
> > ---------------------------------------------
> >
> > I attached the /etc/nsswitch.conf of fedora25 to the bug.
>
> OK.
>
> > Our SAP colleague has changed the mentioned lines in the /etc/nsswitch.conf
> > for some testing in NIS env.
>
> Have you gone through basic validation that the NIS environment works? Is it
> actually a NIS+ environment?

I see in the '/etc/nsswitch.conf':

publickey: nisplus
aliases: files nisplus

Should I change something in the /etc/nsswitch.conf, if you are of the opinion that this is a nisplus environment?

>
> The 'compat' NSS service will fetch data from NIS by default, which is how
> you have it configured.
>
> > We had a similar issues before, please check the Bug 193226 and Bug 192072.
> > https://bugzilla.redhat.com/show_bug.cgi?id=193226
> > https://bugzilla.redhat.com/show_bug.cgi?id=192072
>
> Do you see your problems at boot, before NIS comes up, or after boot also?

I see the problem immediately after changing the mentioned lines; I don't need to reboot.

(In reply to Mota Kardeh from comment #5)
> > Do you see your problems at boot, before NIS comes up, or after boot also?
>
> I see the problem immediately after change the mentioned lines, don't need
> to reboot.

When you change the NSS passwd service database to use `compat` that _immediately_ starts requesting results from NIS. If you don't have a NIS service setup then you will have no users visible.

Did you configure NIS on this system?

(In reply to Carlos O'Donell from comment #6)
> (In reply to Mota Kardeh from comment #5)
> > > Do you see your problems at boot, before NIS comes up, or after boot also?
> >
> > I see the problem immediately after change the mentioned lines, don't need
> > to reboot.
>
> When you change the NSS passwd service database to use `compat` that
> _immediately_ starts requesting results from NIS. If you don't have a NIS
> service setup then you will have no users visible.
>
> Did you configure NIS on this system?

Yes, we have implemented a shell script, and when the script is run on the system, NIS is configured.

But I mean changing the lines passwd and group to "compat" should nevertheless take care that the users are found in the system.

Again, I ran the same steps on Fedora24, and didn't get any issue there.

Thanks and best regards,
Mota

(In reply to Mota Kardeh from comment #7)
> > Did you configure NIS on this system?
>
> Yes, we have implemented a shell script and during run the script on the
> system, NIS is configured.
>
> But I mean changing the lines passwd and group from to "compat" should be
> nevertheless take care, that the users to be found in the system.

That depends to some degree on the kind of data supplied by the NIS user.

Could you capture NIS packets in some way (perhaps using “strace -s 8000” or “tcpdump -s 0”) when running “getent passwd root”? This data can contain confidential information, so feel free to send it directly to me by email.

(In reply to Florian Weimer from comment #9)
> (In reply to Mota Kardeh from comment #7)
> > > Did you configure NIS on this system?
> >
> > Yes, we have implemented a shell script and during run the script on the
> > system, NIS is configured.
> >
> > But I mean changing the lines passwd and group from to "compat" should be
> > nevertheless take care, that the users to be found in the system.
>
> That depends to some degree on the kind of data supplied by the NIS user.
>
> Could you capture NIS packets in some way (perhaps using “strace -s 8000” or
> “tcpdump -s 0”) when running “getent passwd root”? This data can contain
> confidential information, so feel free to send it directly to me by email.

Florian, thanks for that. I sent you the "strace" output by mail a couple of minutes ago.

"tcpdump -s 0" doesn't work when I change the mentioned lines in /etc/nsswitch.conf to compat sss, and I get the following output:

[root@localhost ~]# tcpdump -s 0 -x >/home/mota/tcpdump.txt
tcpdump: Couldn't find user 'tcpdump'

Thanks and best regards,
Mota

Hi Florian,

good news and a very interesting result:

I installed the nss_nis package on the Fedora25 system:

[root@localhost etc]# rpm -qa | grep nss_nis
nss_nis-2.24-4.fc25.x86_64

and then afterwards I changed the mentioned lines under /etc/nsswitch from 'files' to 'compat' and ran "getent passwd root":

[root@localhost etc]# getent passwd root
root:x:0:0:root:/root:/bin/bash

It works! :-)

*** This bug has been marked as a duplicate of bug 1400538 ***
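
Added example (not part of the original thread and not glibc or Fedora code): a shell check that lists the NSS modules one database line of nsswitch.conf refers to but that are absent from the given library directories, which is the condition the thread ended up at before nss_nis was installed. Treating `compat` as also needing the `nis` module is an assumption drawn from this thread; the function names, the variable names and the fixture are illustrative.

```sh
#!/bin/sh
# Added example, not from the thread. Lists NSS services named on one
# nsswitch.conf database line whose libnss_<service>.so.2 is not on disk.

# missing_nss_modules CONF DATABASE LIBDIR...
missing_nss_modules() {
    nss_conf=$1; nss_db=$2; shift 2
    # Strip comments and [STATUS=action] items, then the "database:" key.
    nss_line=$(sed -n "s/#.*//; s/\[[^]]*\]//g; s/^[[:space:]]*${nss_db}:[[:space:]]*//p" \
        "$nss_conf" | head -n 1)
    for nss_svc in $nss_line; do
        nss_need=$nss_svc
        # Assumption drawn from this thread: compat queries NIS by default,
        # so it is reported as needing the nis module as well.
        if [ "$nss_svc" = compat ]; then nss_need="compat nis"; fi
        for nss_mod in $nss_need; do
            nss_found=no
            for nss_dir in "$@"; do
                if [ -e "$nss_dir/libnss_${nss_mod}.so.2" ]; then nss_found=yes; fi
            done
            if [ "$nss_found" = no ]; then printf '%s\n' "$nss_mod"; fi
        done
    done
}

# demo MODULE... : constructed fixture with the three lines from the report and
# a fake library directory holding only the named modules (empty files).
demo() {
    demo_tmp=$(mktemp -d)
    printf '%s\n' 'passwd: compat sss' 'shadow: files sss' 'group: compat sss' \
        > "$demo_tmp/nsswitch.conf"
    mkdir "$demo_tmp/lib64"
    for demo_mod in "$@"; do : > "$demo_tmp/lib64/libnss_${demo_mod}.so.2"; done
    missing_nss_modules "$demo_tmp/nsswitch.conf" passwd "$demo_tmp/lib64"
    rm -rf "$demo_tmp"
}

echo "without nss_nis: $(demo files compat sss | tr '\n' ' ')"
echo "with nss_nis:    $(demo files compat sss nis | tr '\n' ' ')"
```

On a real system the call would be `missing_nss_modules /etc/nsswitch.conf passwd /lib64 /usr/lib64`; the module directory differs between distributions.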