Bug 473073 - Host name resolution fails if NIS is configured for user authentication
Host name resolution fails if NIS is configured for user authentication
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: glibc (Show other bugs)
10
All Linux
medium Severity high
: ---
: ---
Assigned To: Jakub Jelinek
Fedora Extras Quality Assurance
:
: 472121 473081 473240 473279 474943 475379 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-26 09:05 EST by Tom Horsley
Modified: 2008-12-15 05:30 EST (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-12-09 23:37:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
suggested patch -- fixes 473081 (3.81 KB, patch)
2008-11-27 10:26 EST, Emmanuel Thomé
no flags Details | Diff
nis shared lib with fix (x86_64) (204.36 KB, application/octet-stream)
2008-11-27 11:07 EST, Emmanuel Thomé
no flags Details
test case (2.35 KB, text/x-csrc)
2008-11-27 13:39 EST, Emmanuel Thomé
no flags Details

  None (edit)
Description Tom Horsley 2008-11-26 09:05:16 EST
Description of problem:

Installed both i386 and x86_64 HVM virtual machines and all was working well
till I enabled NIS authentication for users. At that point, ntpdate, wget,
curl, and a host of other tools started complaining they could not lookup
hostnames. Edited /etc/nsswitch.conf, removed "nis" from the list of things
that "hosts" use, and everything started working again.


Version-Release number of selected component (if applicable):
glibc-2.9-2.i686

How reproducible:
Most tools that lookup hosts always fail with nis left in nsswitch, for
some reason "ping" works OK.

Steps to Reproduce:
1. run system-config-authentication
2. activate NIS, configure domain and server
3. host name lookups stop working in most tools
  
Actual results:
host lookup failure

Expected results:
host lookup works :-).

Additional info:

https://www.redhat.com/archives/fedora-list/2008-November/msg02154.html
is the fedora-list message where I first thought the problem was just
with ntpdate.
Comment 1 Jakub Jelinek 2008-11-27 08:00:28 EST
*** Bug 473240 has been marked as a duplicate of this bug. ***
Comment 2 Jakub Jelinek 2008-11-27 08:00:41 EST
*** Bug 473081 has been marked as a duplicate of this bug. ***
Comment 3 Emmanuel Thomé 2008-11-27 08:20:43 EST
Tom, do your test cases trigger segmentation faults ? I'm not 100% sure this is the same beast as 473081...

E.
Comment 4 Tom Horsley 2008-11-27 09:00:05 EST
I haven't seen any segfaults, the programs just all report they couldn't
lookup the name.
Comment 5 Emmanuel Thomé 2008-11-27 10:26:19 EST
Created attachment 324891 [details]
suggested patch -- fixes 473081

this fixes the following:

- the struct parser_data in gethostbyname4 was putting stuff on the stack
- an off-by-one in the late memcpy
- as an extra safety net, allow for NIS entries with *many* aliases. I've got one out there with more than 128, which overflows parse_list.

It's very unclear, in fact, that your bug is this exactly.

E.
Comment 6 Emmanuel Thomé 2008-11-27 11:07:18 EST
Created attachment 324897 [details]
nis shared lib with fix (x86_64)

Tom, this is a binary for you to check. Do:

mv /lib64/libnss_nis-2.9.so /tmp/libnss_nis-2.9.so.orig
mv libnss_nis-2.9.so /lib64/libnss_nis-2.9.so

(no ldconfig necessary).
Comment 7 Tom Horsley 2008-11-27 13:02:55 EST
Somewhat mixed results: I put back the "nis" entry in nsswitch.conf and
swapped in the new library, and wget worked fine. No more lookup
failures.

Unfortunately, I then moved back the original library, and lookups
apparently continued to work fine, but I finally tried one wget and
it aborted on me (so now I've seen a segfault as well).

I then swapped back in the new library again and the same wget
that segfaulted worked correctly. I tried it 3 or 4 more times
and it worked every time, so maybe the new lib really does fix
the problem.

Just for good measure, I put back the original library again, and
wget started segfaulting again. So it seems URL specific, but with
this one example URL the new library does indeed seem to reliably
fix things.
Comment 8 Emmanuel Thomé 2008-11-27 13:38:05 EST
(In reply to comment #7)
> Unfortunately, I then moved back the original library, and lookups
> apparently continued to work fine, but I finally tried one wget and
> it aborted on me (so now I've seen a segfault as well).

And if you try with something more vanilla, like the testcase in bug 473081, or the extended version that comes in the next attachment ? Could you also post the entry in hosts.byname which matches the request ?

E.
Comment 9 Emmanuel Thomé 2008-11-27 13:39:13 EST
Created attachment 324909 [details]
test case
Comment 10 Emmanuel Thomé 2008-11-27 14:49:29 EST
Oh wait a minute -- I got confused by your description of things. You're saying 
that you haven't witnessed any failure with my patched .so, right ? Sounds pretty good then.

E.
Comment 11 Tomas Mraz 2008-11-27 16:47:55 EST
*** Bug 473279 has been marked as a duplicate of this bug. ***
Comment 12 Tom Horsley 2008-11-27 16:58:49 EST
Yea, I was confused myself at first and just sort of dumped the confusing
stream of events into the comment :-).

I have definitely not seen a failure with the new library (I was merely
confused by sometimes not seeing failures with the old library).
Comment 13 David Highley 2008-11-29 23:20:37 EST
We experienced segmentation faults with ssh. Only 33 hosts in NIS hosts map. Modifying the nsswitch.conf file to look for DNS before NIS works around the issue.
Comment 14 Maurizio Paolini 2008-11-30 06:39:53 EST
Similar problem for me: after upgrading from fedora 9 to fedora 10 I
have a segfault in getaddrinfo when resolving host names via NIS
Comment 15 Jimmy Dorff 2008-12-01 11:08:59 EST
*** Bug 472121 has been marked as a duplicate of this bug. ***
Comment 16 Jimmy Dorff 2008-12-01 11:21:26 EST
Binary patch libnss_nis-2.9.so fixes the NIS name resolution bug for me.
Comment 17 Maurizio Paolini 2008-12-02 05:49:38 EST
Binary patch libnss_nis-2.9.so works for me also.
Comment 18 Maurizio Paolini 2008-12-02 07:46:36 EST
NOPE, binary patch provided by Emmanuel Thomé DOES NOT work!
It works for the little test program (lookup in hosts nis table), but
breaks autofs (it needs to look up auto.* tables via NIS).
Comment 19 Emmanuel Thomé 2008-12-02 08:02:34 EST
(In reply to comment #18)
> NOPE, binary patch provided by Emmanuel Thomé DOES NOT work!
> It works for the little test program (lookup in hosts nis table), but
> breaks autofs (it needs to look up auto.* tables via NIS).

Likely to be something else then. What symptoms do you see ? I'm using autofs myself, and no problem occurred so far.

The .so I provided was a quick hack ; a complete glibc package rebuild (in case it changes anything) can be obtained from http://www.loria.fr/~thome/vrac/glibc-2.9-2.0001.x86_64.rpm ; note that this is a home-brew rpm, by no means official, etc etc.

E.
Comment 20 Terje Rosten 2008-12-02 10:03:15 EST
I added the patch from comment #5 and built glibc-2.9-2.1 rpms for i386 and i686.

Seems to be working just fine so far. Thanks Emmanuel!
Comment 21 Emmanuel Thomé 2008-12-04 16:51:22 EST
Let's hope we'll get an approval of the patch from Jakub, and see a package entering QA soon...

E.
Comment 22 Emmanuel Thomé 2008-12-04 16:53:11 EST
(In reply to comment #19)
> (In reply to comment #18)
> > NOPE, binary patch provided by Emmanuel Thomé DOES NOT work!
> > It works for the little test program (lookup in hosts nis table), but
> > breaks autofs (it needs to look up auto.* tables via NIS).

This particular case is likely related to using x86_64 binaries on an x86_32 box (commenter info in PM).

E.
Comment 23 Maurizio Paolini 2008-12-05 09:58:53 EST
Sorry... somehow I missed the note about architecture in the attachment
name (linbss_nis*).  I actually tried it on an x86_32.  I am now rebuilding
from the .src.rpm but it is taking a ...long... time.
Anyway please disregard comment #18 above!
Comment 24 Maurizio Paolini 2008-12-05 15:52:04 EST
OK for me.  I rebuilt from src.rpm... didn't have the nerve to install the
whole glibc and instead substituted the /lib/libnss_nis.so-2.9.so.
It seems to work just fine!  Thank you Emmanuel!
Comment 25 Ulrich Drepper 2008-12-07 05:01:14 EST
A patch I checked into the glibc upstream cvs should fix the problem.
Comment 26 Tomas Mraz 2008-12-08 03:56:25 EST
*** Bug 474943 has been marked as a duplicate of this bug. ***
Comment 27 Jakub Jelinek 2008-12-08 09:52:31 EST
Please try http://kojipkgs.fedoraproject.org/packages/glibc/2.9/3/
Comment 28 Fedora Update System 2008-12-08 15:35:03 EST
glibc-2.9-3 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/glibc-2.9-3
Comment 29 Jack Deslippe 2008-12-08 17:20:20 EST
The glibc-2.9-3 packages solved my sshd segfault problem, thanks.
Comment 30 Tomas Mraz 2008-12-09 03:20:59 EST
*** Bug 475379 has been marked as a duplicate of this bug. ***
Comment 31 Fedora Update System 2008-12-09 23:37:05 EST
glibc-2.9-3 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 32 Paul Black 2008-12-13 08:42:22 EST
This push to stable doesn't seem to have succeeded.
Comment 33 Emmanuel Thomé 2008-12-15 05:30:44 EST
segv problem is solved.

The problem of hosts with many aliases remains, though. See bug 476505.

Note You need to log in before you can comment on or make changes to this bug.