Bug 835612 - Using 'initgroups:' in /etc/nsswitch.conf is completely broken
Product: Fedora
Classification: Fedora
Component: authconfig
All Linux
unspecified Severity urgent
Assigned To: Tomas Mraz
Reported: 2012-06-26 11:20 EDT by Stephen Gallagher
Modified: 2012-09-25 16:11 EDT
Fixed In Version: authconfig-6.2.1-1.fc17
Doc Type: Bug Fix
Last Closed: 2012-09-25 16:11:19 EDT
Type: Bug

Description Stephen Gallagher 2012-06-26 11:20:18 EDT
Description of problem:
By default, recent versions of glibc add a new line to /etc/nsswitch.conf for specifying the search order for initgroups requests. This is a complete semantic break from existing systems (and the new semantics make it impossible to configure a system for users to have both central and local group assignments).

This needs to be reverted immediately.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Configure a system to get its users and group information from SSSD (or nss_ldap, or nss_nis, etc.)
2. Add the following line to /etc/nsswitch.conf:
initgroups: files sss
3. Run the command 'id -G <user_in_sssd>'
Actual results:
If the group is a member of any local groups, only those will be returned. If not, their groups served by SSSD are returned.

Expected results:
All the groups that the user belongs to, both local and remote, must be returned.

Additional info:
With debug logs enabled, I can confirm that glibc never tries to ask SSSD to respond with its groups if some have been found in 'files'. Reversing the order in the initgroups: line means that I see only network groups and zero local groups.

The previous behavior of libc was to search every database listed in the groups: line for groups that this user belonged to and return them. This behavior is still available if the initgroups: line is deleted or commented out from nsswitch.conf, but it is present by default, which is unacceptable.

I propose the following options:
1) Drop this initgroups: line entirely and revert to the older (and well-understood) behavior.
2) Retain the initgroups: line but ensure that ALL entries specified in it are searched (in order). The search should not stop at the first match.
Comment 1 Jeff Law 2012-06-28 23:33:37 EDT
I believe glibc is behaving per its specifications with regard to the behaviour when the requested entry is found, i.e., when the requested entry is found, the default behaviour is to stop searching.

I believe the behaviour you want is achieved by this configuration:

initgroups: files [SUCCESS=continue] sss
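An audit helper for the configuration point made above, written as an added example rather than code from the bug report or from authconfig: it reads an nsswitch.conf-style file and reports whether its initgroups: line lists several sources without a [SUCCESS=continue] action between them (the case in which glibc stops at the first source that returns groups). The sample files are constructed here, and the assumption that action keywords are case-insensitive is this script's, not something stated in the thread.

```shell
#!/bin/sh
# Print the uncommented initgroups: line of $1 with its key stripped
# (a leading '#' does not match, so a commented-out line is ignored).
initgroups_line() {
    sed -n 's/^[[:space:]]*initgroups:[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 when initgroups lookups will consult every listed source,
# 1 when a source is followed by another one without [SUCCESS=continue].
# Runs in a subshell so 'set -f' (no globbing of '[...]' tokens) stays local.
check_initgroups() (
    set -f
    line=$(initgroups_line "$1" | tr '[:upper:]' '[:lower:]')
    # No initgroups: line at all -> glibc falls back to the group: databases.
    [ -z "$line" ] && exit 0
    pending=""   # last source not yet followed by a continue action
    inbr=0       # currently inside an [action ...] block (may span tokens)
    for tok in $line; do
        case "$tok" in \[*) inbr=1 ;; esac
        if [ "$inbr" -eq 1 ]; then
            case "$tok" in *success=continue*) pending="" ;; esac
            case "$tok" in *\]) inbr=0 ;; esac
            continue
        fi
        # A plain source: if the previous one had no continue, the
        # lookup stops there whenever that source returned any groups.
        [ -n "$pending" ] && exit 1
        pending="$tok"
    done
    exit 0
)

# Constructed sample configurations (not taken from a real system).
tmp=$(mktemp -d)
printf 'group: files sss\ninitgroups: files sss\n' > "$tmp/broken.conf"
printf 'group: files sss\ninitgroups: files [SUCCESS=continue] sss\n' > "$tmp/fixed.conf"
printf 'group: files sss\n#initgroups: files sss\n' > "$tmp/commented.conf"

for f in broken fixed commented; do
    if check_initgroups "$tmp/$f.conf"; then
        echo "$f.conf: all initgroups sources are consulted"
    else
        echo "$f.conf: initgroups stops at the first source with a hit"
    fi
done
```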
Comment 2 Stephen Gallagher 2012-06-29 10:56:22 EDT
Reopening and reassigning to authconfig. The default behavior of the initgroups: line is unusable for any deployment relying on central users, as I explained above. We need to ensure that when configuring SSSD (and LDAP, and NIS...) we add [SUCCESS=continue] to unbreak support for using both local and remote groups with remote users.
Comment 3 Tomas Mraz 2012-06-29 15:34:37 EDT
So glibc started to put the 'initgroups: files' line into the /etc/nsswitch.conf without any heads up in Fedora 17? Nice change. :(
Comment 4 Simo Sorce 2012-06-29 16:12:43 EDT
Welcome to the past, this is just https://bugzilla.redhat.com/show_bug.cgi?id=751450 all over ...
Comment 5 Tomas Mraz 2012-06-29 16:21:22 EDT
Yes, I know, I'd just expect some heads up before that entry was readded back.
Comment 6 James Cape 2012-06-29 22:21:22 EDT
Me personally, I'd expect an entry that's used to set a user's grouplist to show up in the manpage.

Silly, I know...
Comment 7 Tomas Mraz 2012-07-09 04:26:24 EDT
James, please open another bug report for this request against the man-pages package.
Comment 8 Tomas Mraz 2012-07-19 16:41:54 EDT
Authconfig currently just comments the initgroups: line out when it is updating nsswitch.conf. Is that a problem? Or glibc now requires the line and the initgroups behavior is broken without it?
Comment 9 Tomas Mraz 2012-09-25 15:06:49 EDT
Jeff, please answer my question above. Is the behaviour of glibc the same as in old releases if I just comment out the initgroups line in nsswitch.conf? As that is what authconfig does currently. Or do I have to explicitly configure the initgroups line for the initgroups() call to work fine with both local and remote groups?
Comment 10 Jeff Law 2012-09-25 15:35:05 EDT
Sorry, I must have missed the BZ notification for c#8.

As far as I know, commenting out the initgroups line should be safe and should cause glibc to fall back to its prior behaviour.

However, this is a part of glibc I know very very little about; so it'd be best if you could verify you're getting the behaviour you want when you eliminate that line rather than blindly assuming my reading of the code is correct.