Bug 835612 - Using 'initgroups:' in /etc/nsswitch.conf is completely broken
Summary: Using 'initgroups:' in /etc/nsswitch.conf is completely broken
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig
Version: 17
Hardware: All
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-06-26 15:20 UTC by Stephen Gallagher
Modified: 2012-09-25 20:11 UTC (History)
8 users (show)

Fixed In Version: authconfig-6.2.1-1.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-25 20:11:19 UTC
Type: Bug


Attachments (Terms of Use)

Description Stephen Gallagher 2012-06-26 15:20:18 UTC
Description of problem:
By default, recent versions of glibc add a new line to /etc/nsswitch.conf for specifying search order for initgroups requests. This is a complete semantic break from existing systems (and the new semantics make it impossible to configure a system for useres to have both central and local group assignments).

This needs to be reverted immediately.

Version-Release number of selected component (if applicable):
glibc-2.15-37.fc17.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Configure a system to get its users and group information from SSSD (or nss_ldap, or nss_nis, etc.)
2. Add the following line to /etc/nsswitch.conf:
initgroups: files sss
3. Run the command 'id -G <user_in_sssd>'
  
Actual results:
If the group is a member of any local groups, only those will be returned. If not, their groups served by SSSD are returned.

Expected results:
All the groups that the user belongs to, both local and remote, must be returned.

Additional info:
With debug logs enabled, I can confirm that glibc never tries to ask SSSD to respond with its groups if some have been found in 'files'. Reversing the order in the initgroups: line means that I see only network groups and zero local groups.

The previous behavior of libc was to search every database listed in the groups: line for groups that this user belonged to and return them. This behavior is still available if the initgroups: line is deleted or commented out from nsswitch.conf, but it is present by default, which is unacceptable.

I propose the following options:
1) Drop this initgroups: line entirely and revert to the older (and well-understood) behavior.
2) Retain the initgroups: line but ensure that ALL entries specified in it are searched (in order). The search should not stop at the first match.

Comment 1 Jeff Law 2012-06-29 03:33:37 UTC
I believe glibc is behaving per its specifications with regard to the behaviour when the requested entry is found.  ie, when the requested entry is found, the default behaviour is to stop searching.

I believe the behaviour you want is achieved by this configuration:

initgroups: files [SUCCESS=continue] sss

Comment 2 Stephen Gallagher 2012-06-29 14:56:22 UTC
Reopening and reassigning to authconfig. The default behavior of the initgroups: line is unusable for any deployment relying on central users as I explained above. We need to ensure that when configuring SSSD (and LDAP, and NIS...) that we add [SUCCESS=continue] to unbreak support for using both local and remote groups with remote users.

Comment 3 Tomas Mraz 2012-06-29 19:34:37 UTC
So glibc started to put the 'initgroups: files' line into the /etc/nsswitch.conf without any heads up in Fedora 17? Nice change. :(

Comment 4 Simo Sorce 2012-06-29 20:12:43 UTC
Welcome to the past, this is just https://bugzilla.redhat.com/show_bug.cgi?id=751450 all over ...

Comment 5 Tomas Mraz 2012-06-29 20:21:22 UTC
Yes, I know, I'd just expect some heads up before that entry was readded back.

Comment 6 James Cape 2012-06-30 02:21:22 UTC
Me personally, I'd expect an entry that's used to set a user's grouplist to show up in the manpage.

Silly, I know...

Comment 7 Tomas Mraz 2012-07-09 08:26:24 UTC
James, please open another bug report for this request against the man-pages package.

Comment 8 Tomas Mraz 2012-07-19 20:41:54 UTC
Authconfig currently just comments the initgroups: line out when it is updating nsswitch.conf. Is that a problem? Or glibc now requires the line and the initgroups behavior is broken without it?

Comment 9 Tomas Mraz 2012-09-25 19:06:49 UTC
Jeff, please answer my question above. Is the behaviour of glibc the same as in old releases if I just comment out the initgroups line in nsswitch.conf? As that is what authconfig does currently. Or do I have to explicitly configure the initgroups line for the initgroups() call to work fine with both local and remote groups.

Comment 10 Jeff Law 2012-09-25 19:35:05 UTC
Sorry, I must have missed the BZ notification for c#8.

As far as I know, commenting out the initgroups line should safe and should cause glibc to fall back to its prior behaviour.

However, this is a part of glibc I know very very little about; so it'd be best if you could verify you're getting the behaviour you want when you eliminate that line rather than blindly assuming my reading of the code is correct.


Note You need to log in before you can comment on or make changes to this bug.