Bug 146588 - login via ssh fails to set secondary groups
Summary: login via ssh fails to set secondary groups
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc   
(Show other bugs)
Version: 3
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2005-01-30 02:02 UTC by Adam
Modified: 2007-11-30 22:10 UTC (History)
2 users (show)

Fixed In Version: 2.3.4-10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-02-14 17:46:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2005:096 normal SHIPPED_LIVE glibc bug fix update 2005-06-09 04:00:00 UTC
Sourceware 741 None None None Never

Description Adam 2005-01-30 02:02:02 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
When logging into the machine via ssh my secondary groups are not set
as reported by the id command.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Log in via ssh
2. Type 'id'
3. Only primary group is set, none of secondaries

Actual Results:  Only the primary group is set. If I type 'id' then I
see only my primary group. If I type 'id <me>' then I see all the
groups I should be in.

Expected Results:  My 3 secondary groups should also be set

Additional info:

This machine was upgraded to FC3 from FC2 via 'yum upgrade'. I have a
number of other systems where secondary groups are set as expected.
I've  tried different versions of pam, with no effect. I do not have
console access as the machine is in another country, so I can't try
logging in from it to see if it works ok.

Comment 1 Adam 2005-01-30 02:59:39 UTC
This may not be ssh specific, as su also fails to set the secondary

Comment 2 Tomas Mraz 2005-01-31 08:10:03 UTC
I'm sorry but I cannot reproduce this bug. (Neither for ssh nor for
su.) Do you have privilege separation on in the sshd config?
What glibc version do you have?

Comment 3 Adam 2005-02-01 08:01:27 UTC
I think I have now resolved the issue via strace's of the su process.
When nscd is running, only the primary group is assigned, and when I
stop nscd, all works as expected. Next I'll try to figure why nscd is
acting up.
Feel free to either close this bug or reassign it to nscd.

Comment 4 Adam 2005-02-01 10:47:18 UTC
I have narrowed this down. If I disable group caching (enable-cache
no), then secondary groups are not assigned. This is the whole group
section from my nscd.conf file.

        enable-cache            group           no
        positive-time-to-live   group           3600
        negative-time-to-live   group           60
        suggested-size          group           211
        check-files             group           yes
        persistent              group           yes
        shared                  group           yes

If I change enable-cache to yes, then secondary groups are assigned

# grep nscd /var/log/rpmpkgs

Comment 7 Tim Powers 2005-06-09 11:14:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.