RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Description of problem:
- nscd does not cache sudo rules
- disabling nscd alleviates the problem, but causes excessive load on LDAP servers

Version-Release number of selected component (if applicable):
- glibc-2.17-196.el7_4.2.x86_64

How reproducible:
- attempt to use sudo as LDAP user with appropriate rights

Steps to Reproduce:
1.
2.
3.

Actual results:
- sudo fails for LDAP users

Expected results:
- sudo works for LDAP users with appropriate rights

Additional info:
see attached debug logs.

This was originally fixed with ERRATA RHSA-2015-0327 and seems to be broken again.

Moving to sssd is not an option for this use case

Has the nscd netgroup caching issue been reproduced outside the sudo context?  Perhaps using “netgroup getent”?

The Platform Tools glibc team has reviewed this bug, and we've decided that we're moving this to Red Hat Enterprise Linux 8 for review.

We are not going to fix this issue in RHEL 7 given the current life-cycle of the product.

We are currently reviewing this bug and trying to complete a root cause analysis to determine the exact cause of the sudo failures (if we can reproduce them). Thank you for your patience.

The Platform Tools glibc team has reviewed this issue in detail, including going through all of the nscd log files again.

We don't see anything wrong with the log files, and they clearly indicate that nscd has loaded the value (after cache eviction), and so sudo should have the values to use.

We are closing this bug as CLOSED/INSUFFICIENT_DATA.

Please continue to work with Red Hat support to identify the exact steps required to reproduce this issue in a test environment at Red Hat.

When we have a reliable reproducer we can review the results.