Red Hat Bugzilla – Bug 473073
Host name resolution fails if NIS is configured for user authentication
Last modified: 2008-12-15 05:30:44 EST
Description of problem:
Installed both i386 and x86_64 HVM virtual machines and all was working well
till I enabled NIS authentication for users. At that point, ntpdate, wget,
curl, and a host of other tools started complaining they could not look up
hostnames. Edited /etc/nsswitch.conf, removed "nis" from the list of things
that "hosts" use, and everything started working again.
Version-Release number of selected component (if applicable):
Most tools that look up hosts always fail with nis left in nsswitch, for
some reason "ping" works OK.
Steps to Reproduce:
1. run system-config-authentication
2. activate NIS, configure domain and server
3. host name lookups stop working in most tools
host lookup failure
host lookup works :-).
is the fedora-list message where I first thought the problem was just
*** Bug 473240 has been marked as a duplicate of this bug. ***
*** Bug 473081 has been marked as a duplicate of this bug. ***
Tom, do your test cases trigger segmentation faults? I'm not 100% sure this is the same beast as 473081...
I haven't seen any segfaults, the programs just all report they couldn't
look up the name.
Created attachment 324891
suggested patch -- fixes 473081
this fixes the following:
- the struct parser_data in gethostbyname4 was putting stuff on the stack
- an off-by-one in the late memcpy
- as an extra safety net, allow for NIS entries with *many* aliases. I've got one out there with more than 128, which overflows parse_list.
It's very unclear, in fact, that your bug is this exactly.
Created attachment 324897
nis shared lib with fix (x86_64)
Tom, this is a binary for you to check. Do:
mv /lib64/libnss_nis-2.9.so /tmp/libnss_nis-2.9.so.orig
mv libnss_nis-2.9.so /lib64/libnss_nis-2.9.so
(no ldconfig necessary).
Somewhat mixed results: I put back the "nis" entry in nsswitch.conf and
swapped in the new library, and wget worked fine. No more lookup
Unfortunately, I then moved back the original library, and lookups
apparently continued to work fine, but I finally tried one wget and
it aborted on me (so now I've seen a segfault as well).
I then swapped back in the new library again and the same wget
that segfaulted worked correctly. I tried it 3 or 4 more times
and it worked every time, so maybe the new lib really does fix
Just for good measure, I put back the original library again, and
wget started segfaulting again. So it seems URL specific, but with
this one example URL the new library does indeed seem to reliably
(In reply to comment #7)
> Unfortunately, I then moved back the original library, and lookups
> apparently continued to work fine, but I finally tried one wget and
> it aborted on me (so now I've seen a segfault as well).
And if you try with something more vanilla, like the testcase in bug 473081, or the extended version that comes in the next attachment? Could you also post the entry in hosts.byname which matches the request?
Created attachment 324909
Oh wait a minute -- I got confused by your description of things. You're saying
that you haven't witnessed any failure with my patched .so, right? Sounds pretty good then.
*** Bug 473279 has been marked as a duplicate of this bug. ***
Yea, I was confused myself at first and just sort of dumped the confusing
stream of events into the comment :-).
I have definitely not seen a failure with the new library (I was merely
confused by sometimes not seeing failures with the old library).
We experienced segmentation faults with ssh. Only 33 hosts in NIS hosts map. Modifying the nsswitch.conf file to look for DNS before NIS works around the issue.
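The nsswitch.conf workaround reported in this thread (dropping "nis" from the "hosts" line, or consulting DNS before NIS) can be audited across machines with a small check; this is an added example, not part of the original bug report. The function name, the status labels and the sample file are assumptions made for illustration, and only the first "hosts:" line in the file is examined.

```shell
#!/bin/sh
# Added example (not from the bug report): classify how the "hosts" database
# in an nsswitch.conf-style file uses the "nis" service.
# Prints exactly one of:
#   no-hosts-line | nis-absent | nis-without-dns | nis-before-dns | nis-after-dns
hosts_nis_status() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        { sub(/^[ \t]*hosts:/, "hosts: ") }      # tolerate "hosts:files ..."
        $1 == "hosts:" && !seen {
            seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) continue          # skip actions, e.g. [NOTFOUND=return]
                if ($i == "nis" && !nis) nis = i  # position of first "nis"
                if ($i == "dns" && !dns) dns = i  # position of first "dns"
            }
        }
        END {
            if (!seen)           print "no-hosts-line"
            else if (!nis)       print "nis-absent"
            else if (!dns)       print "nis-without-dns"
            else if (nis < dns)  print "nis-before-dns"
            else                 print "nis-after-dns"
        }
    ' "$1"
}

# Constructed sample resembling the configuration described in the report
# after NIS authentication was enabled (not copied from any real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
passwd: files nis
hosts:  files nis dns
EOF
hosts_nis_status "$sample"
rm -f "$sample"
```

On a live system the argument would be /etc/nsswitch.conf; a result of nis-before-dns or nis-without-dns marks a host whose lookups go through libnss_nis first and which should be checked for the fixed glibc package.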
Similar problem for me: after upgrading from Fedora 9 to Fedora 10 I
have a segfault in getaddrinfo when resolving host names via NIS
*** Bug 472121 has been marked as a duplicate of this bug. ***
Binary patch libnss_nis-2.9.so fixes the NIS name resolution bug for me.
Binary patch libnss_nis-2.9.so works for me also.
NOPE, binary patch provided by Emmanuel Thomé DOES NOT work!
It works for the little test program (lookup in hosts nis table), but
breaks autofs (it needs to look up auto.* tables via NIS).
(In reply to comment #18)
> NOPE, binary patch provided by Emmanuel Thomé DOES NOT work!
> It works for the little test program (lookup in hosts nis table), but
> breaks autofs (it needs to look up auto.* tables via NIS).
Likely to be something else then. What symptoms do you see? I'm using autofs myself, and no problem occurred so far.
The .so I provided was a quick hack; a complete glibc package rebuild (in case it changes anything) can be obtained from http://www.loria.fr/~thome/vrac/glibc-2.9-2.0001.x86_64.rpm ; note that this is a home-brew rpm, by no means official, etc etc.
I added the patch from comment #5 and built glibc-2.9-2.1 rpms for i386 and i686.
Seems to be working just fine so far. Thanks Emmanuel!
Let's hope we'll get an approval of the patch from Jakub, and see a package entering QA soon...
(In reply to comment #19)
> (In reply to comment #18)
> > NOPE, binary patch provided by Emmanuel Thomé DOES NOT work!
> > It works for the little test program (lookup in hosts nis table), but
> > breaks autofs (it needs to look up auto.* tables via NIS).
This particular case is likely related to using x86_64 binaries on an x86_32 box (commenter info in PM).
Sorry... somehow I missed the note about architecture in the attachment
name (libnss_nis*). I actually tried it on an x86_32. I am now rebuilding
from the .src.rpm but it is taking a ...long... time.
Anyway please disregard comment #18 above!
OK for me. I rebuilt from src.rpm... didn't have the nerve to install the
whole glibc and instead substituted the /lib/libnss_nis.so-2.9.so.
It seems to work just fine! Thank you Emmanuel!
A patch I checked into the glibc upstream cvs should fix the problem.
*** Bug 474943 has been marked as a duplicate of this bug. ***
Please try http://kojipkgs.fedoraproject.org/packages/glibc/2.9/3/
glibc-2.9-3 has been submitted as an update for Fedora 10.
The glibc-2.9-3 packages solved my sshd segfault problem, thanks.
*** Bug 475379 has been marked as a duplicate of this bug. ***
glibc-2.9-3 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This push to stable doesn't seem to have succeeded.
segv problem is solved.
The problem of hosts with many aliases remains, though. See bug 476505.