953545 – nscd change group lookup results

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 953545 - nscd change group lookup results

Summary: nscd change group lookup results

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	glibc
Sub Component:
Version:	6.4
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	glibc team
QA Contact:	qe-baseos-tools-bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-04-18 12:26 UTC by TCottier
Modified:	2017-11-08 09:39 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-11-08 09:39:38 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description TCottier 2013-04-18 12:26:02 UTC

Description of problem:
I configured libnss-mysql to manage my users and it's working well. But as soon as I start nscd, the results change.

Version-Release number of selected component (if applicable):
NSCD 2.12

How reproducible:
Configure authentication with libnss-mysql, create a user with his group, create a secondary group, add user into group, then test with nscd started and stopped

Actual results:
$> getent group gpig
gpig:x:1101:john
$> id -Gn john
john gpig
$> service nscd start
$> id -Gn john
john
$> getent group gpig
gpig:x:1101:john


Expected results:
With nscd started, we should see john in his own group and in gpig group.

Additional info:
/etc/nscd.conf is the default installed file.

Comment 4 Siddhesh Poyarekar 2013-08-12 06:30:07 UTC

It's probably an unnecessary question, but I'm going to ask it anyway.  Did you invalidate the nscd cache when you checked?  You can do that by issuing the `nscd -i group` command.

Comment 5 TCottier 2013-08-12 08:33:37 UTC

Hi and thanks for watching that problem.

I just retried to be sure, and I can confirm that even after the cache has been invalidated the problem persists.

Raw paste:

# service nscd status
nscd (pid 2054) is running...

# getent group gpig
gpig:x:1101:admin,john

# id -Gn john
john

# nscd -i group
# nscd -i passwd
# id -Gn john
john

# service nscd stop
Stopping nscd:                                             [  OK  ]
# id -Gn john
john gpig

Comment 7 TCottier 2013-10-31 08:49:09 UTC

Hi, do you need any other informations about this problem? Can I help you in anything to determine what's wrong?

Thomas.

Comment 8 Carlos O'Donell 2013-11-02 02:45:46 UTC

(In reply to TCottier from comment #7)
> Hi, do you need any other informations about this problem? Can I help you in
> anything to determine what's wrong?

At present we don't need any more information. We aren't presently working on this issue, but I've scheduled it for review as part of our development process.

All I can say is that nscd should not be dropping any groups. You may wish to start nscd with debug-level set to 7 in /etd/nscd.conf and look at the transactions in detail to see what the server is doing and if anything sticks out as wrong.

Comment 9 Martin Hamant 2013-12-23 08:29:55 UTC

Hi,

I can confirm this bug on my CentOS 6.5.
I want to add that getent returns expected results about group membership. The problem occurs with 'id' command, which don't return all the group that belongs to the user.

This issue seems really linked to https://bugzilla.redhat.com/show_bug.cgi?id=706571

Comment 11 Frank Enderle 2014-06-03 14:55:03 UTC

I confirm this bug for CentOS 6.5.

Package: nscd.x86_64 0:2.12-1.132.el6_5.2

id only shows groups for local defined /etc/groups settings, neglecting libnss-mysql grouplist entries when nscd is running. disabling the group cache in nscd solves the problem.

Comment 14 Travis Finch 2015-03-13 23:04:42 UTC

Seeing this issue on RHEL 6.6. Have the following version of nscd installed:

nscd-2.12-1.149.el6_6.5.x86_64

I am also using libnss-mysql. When I enable nscd and run:

groups <user>

to check, only the default group is displayed.

When I disable nscd and re-run the command, it shows all of the groups the user belongs to.

Comment 15 Frank Enderle 2015-04-13 19:34:42 UTC

(In reply to Siddhesh Poyarekar from comment #4)
> It's probably an unnecessary question, but I'm going to ask it anyway.  Did
> you invalidate the nscd cache when you checked?  You can do that by issuing
> the `nscd -i group` command.
Yes I did.

Comment 17 Florian Weimer 2016-02-04 12:57:21 UTC

Can you reproduce this issue with another NSS service module besides libnss-mysql?

If you are using the version in Fedora, it's no longer maintained upstream.

Comment 18 TCottier 2016-02-22 13:02:22 UTC

I did not tried with another nss services.

Comment 19 Jarrod Makin 2016-03-04 18:07:58 UTC

I witnessed something similar to this today
Can you show us the output of:
ls -l /etc/libnss-mysql.cfg /etc/libnss-mysql-root.cfg

If the files aren't readable by the nscd user, you may get unintended consequences

Comment 20 TCottier 2016-03-07 09:27:36 UTC

I've just tested with chown nscd.nscd /etc/libnss-mysql* and the results are the same.

I guess the problem is more on the nscd side as libnss-mysql works fine when we stop the cache service.

Comment 21 Jarrod Makin 2016-03-07 09:29:28 UTC

Have you tried running nscd --invalidate=passwd and nscd --invalidate=group after this?

Comment 22 TCottier 2016-03-07 09:31:01 UTC

Of course :)

Comment 24 Florian Weimer 2017-11-08 09:39:31 UTC

Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

This issue does not qualify, and there is insufficient information in this report to identify the root cause of this issue.

Comment 25 Red Hat Bugzilla Rules Engine 2017-11-08 09:39:38 UTC

Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.