Description of problem:
Upon requesting a non-existing netgroup name, the command #getent netgroup <unknown_group> returns the same name; however, the command is expected to return nothing. This happens when sssd is configured as proxy provider.

Version-Release number of selected component (if applicable):
sssd-1.8.0-11.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Edit /etc/ldap.conf and add the following:

uri ldap://<hostname.com>:<port>
ssl no
base <basedn>

2. Create and edit /etc/pam.d/sssdproxyldap with the following contents:

auth     required pam_ldap.so
account  required pam_ldap.so
password required pam_ldap.so
session  required pam_ldap.so

3. To produce the issue, set up sssd.conf as below:

[sssd]
reconnection_retries = 3
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = PROXY
debug_level = 9

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/PROXY]
id_provider = proxy
auth_provider = proxy
cache_credentials = TRUE
proxy_lib_name = ldap
proxy_pam_target = sssdproxyldap
enumerate = TRUE
debug_level = 9
ldap_tls_cacertdir = /etc/openldap/cacerts/

4. After setting the above configurations, start the sssd service and run the following:

[root@sssd-client sssd]# getent netgroup some_group

Actual results:
The cmd #getent returns the non-existing netgroup name as given below:

[root@sssd-client sssd]# getent netgroup some_group
some_group
[root@sssd-client sssd]# getent netgroup some_group
some_group

Expected results:
The cmd #getent should return nothing upon requesting a non-existing netgroup.

[root@sssd-client sssd]# getent netgroup some_group
[root@sssd-client sssd]# getent netgroup some_group

Additional info:
Upstream ticket: https://fedorahosted.org/sssd/ticket/1242
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed
Verified on sssd-1.8.0-22.el6.x86_64.

The fix involves modifying "proxy_lib_name = ldap" to "proxy_lib_name = file" (file: /etc/netgroup) due to a bug in nss-pam-ldapd, which outputs an empty netgroup even if it actually does not exist. Jakub has filed https://bugzilla.redhat.com/show_bug.cgi?id=804103 against nss-pam-ldapd.

The output for the associated beaker automation script is given below:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG    ] :: Verify BZ release ticket #363 :- getent returns non-existing netgroup name with proxy provider when proxy_lib_name = file
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ PASS   ] :: Once - Verifying valid netgroup: QAeng
::   [ PASS   ] :: Twice - Verifying valid netgroup: QAeng
::   [ PASS   ] :: Thrice - Verifying valid netgroup: QAeng
::   [ PASS   ] :: Once - Verifying unknown netgroup: testsumgroup
::   [ PASS   ] :: Twice - Verifying unknown netgroup: testsumgroup
::   [ PASS   ] :: Thrice - Verifying unknown netgroup: testsumgroup
::   [ LOG    ] :: Duration: 4s
::   [ LOG    ] :: Assertions: 9 good, 0 bad
::   [ PASS   ] :: RESULT: Verify BZ release ticket #363 :- getent returns non-existing netgroup name with proxy provider when proxy_lib_name = file
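The following shell script is an added example written for this page; it is not part of the bug report, of the beaker script quoted above, or of sssd itself. It performs the check the reproduction steps and the verification log describe: the output of getent netgroup is classified as a real netgroup (name followed by (host,user,domain) triples), as missing (no output), or as the phantom result this bug produced (the bare name and nothing else), and each lookup is repeated three times so that answers served from the sssd cache are checked as well as the first one. The netgroup names QAeng and testsumgroup in the usage comment are taken from the log above; the member triples in the classifier's comment are constructed illustrations.

```shell
#!/bin/sh
# Added example for this bug report; not code from the report, the beaker
# test, or the sssd project.

# classify_netgroup_output NAME OUTPUT
# Classify the text that `getent netgroup NAME` printed. Prints one word:
#   found    - NAME followed by at least one (host,user,domain) triple,
#              e.g. "QAeng (host1.example.com,alice,example.com)" (constructed)
#   missing  - empty output: NSS reported no such netgroup (expected result)
#   phantom  - the bare NAME with no members: the symptom in this bug
#   unexpected - output that does not start with NAME at all
classify_netgroup_output() {
    ng_name=$1
    ng_output=$2
    if [ -z "$ng_output" ]; then
        echo missing
        return 0
    fi
    # getent prints the netgroup name first, then its member triples
    ng_first=$(printf '%s\n' "$ng_output" | sed -n '1p')
    # split the first line into words; positional parameters are local to
    # the function in POSIX sh, so this does not clobber the caller's
    set -- $ng_first
    if [ "$1" != "$ng_name" ]; then
        echo unexpected
        return 0
    fi
    shift
    case "$*" in
        "")        echo phantom ;;
        *"("*")"*) echo found ;;
        *)         echo unexpected ;;
    esac
    return 0
}

# verify_netgroup EXPECTED NAME [REPEATS]
# Run `getent netgroup NAME` REPEATS times (default 3, as the beaker log does
# with Once/Twice/Thrice) and fail on the first lookup whose classification
# differs from EXPECTED. Repeating matters here because after the first
# lookup the answer comes from the sssd cache, not from the proxy backend.
verify_netgroup() {
    vg_expected=$1
    vg_name=$2
    vg_repeats=${3:-3}
    vg_i=1
    while [ "$vg_i" -le "$vg_repeats" ]; do
        # getent exits non-zero when the key is unknown; only the text matters
        vg_out=$(getent netgroup "$vg_name" 2>/dev/null || true)
        vg_class=$(classify_netgroup_output "$vg_name" "$vg_out")
        if [ "$vg_class" != "$vg_expected" ]; then
            echo "FAIL: lookup $vg_i of $vg_name: expected $vg_expected, got $vg_class" >&2
            return 1
        fi
        echo "PASS: lookup $vg_i of $vg_name: $vg_class"
        vg_i=$((vg_i + 1))
    done
    return 0
}

# On a client configured as in the report, with the netgroup names from the
# verification log (assumed to exist / not exist in the proxied directory):
#   verify_netgroup found QAeng && verify_netgroup missing testsumgroup
```

A run against an affected sssd-1.8.0-11 client fails the second check with "expected missing, got phantom", which is exactly the bare "some_group" line shown in the report; on a fixed build both checks pass three times.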
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html