Description of problem:
- nscd does not cache sudo rules
- disabling nscd alleviates the problem, but causes excessive load on LDAP servers

Version-Release number of selected component (if applicable):
- glibc-2.17-196.el7_4.2.x86_64

How reproducible:
- attempt to use sudo as LDAP user with appropriate rights

Steps to Reproduce:
1.
2.
3.

Actual results:
- sudo fails for LDAP users

Expected results:
- sudo works for LDAP users with appropriate rights

Additional info:
see attached debug logs. This was originally fixed with ERRATA RHSA-2015-0327 and seems to be broken again. Moving to sssd is not an option for this use case
Has the nscd netgroup caching issue been reproduced outside the sudo context? Perhaps using “netgroup getent”?
The Platform Tools glibc team has reviewed this bug, and we've decided that we're moving this to Red Hat Enterprise Linux 8 for review. We are not going to fix this issue in RHEL 7 given the current life-cycle of the product.
We are currently reviewing this bug and trying to complete a root cause analysis to determine the exact cause of the sudo failures (if we can reproduce them). Thank you for your patience.
The Platform Tools glibc team has reviewed this issue in detail, including going through all of the nscd log files again. We don't see anything wrong with the log files, and they clearly indicate that nscd has loaded the value (after cache eviction), and so sudo should have the values to use. We are closing this bug as CLOSED/INSUFFICIENT_DATA. Please continue to work with Red Hat support to identify the exact steps required to reproduce this issue in a test environment at Red Hat. When we have a reliable reproducer we can review the results.