Bug 953545 - nscd change group lookup results
Summary: nscd change group lookup results
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: glibc
Version: 6.4
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: glibc team
QA Contact: qe-baseos-tools-bugs
Depends On:
TreeView+ depends on / blocked
Reported: 2013-04-18 12:26 UTC by TCottier
Modified: 2017-11-08 09:39 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-11-08 09:39:38 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description TCottier 2013-04-18 12:26:02 UTC
Description of problem:
I configured libnss-mysql to manage my users and it's working well. But as soon as I start nscd, the results change.

Version-Release number of selected component (if applicable):
NSCD 2.12

How reproducible:
Configure authentication with libnss-mysql, create a user with his group, create a secondary group, add user into group, then test with nscd started and stopped

Actual results:
$> getent group gpig
$> id -Gn john
john gpig
$> service nscd start
$> id -Gn john
$> getent group gpig

Expected results:
With nscd started, we should see john in his own group and in gpig group.

Additional info:
/etc/nscd.conf is the default installed file.

Comment 4 Siddhesh Poyarekar 2013-08-12 06:30:07 UTC
It's probably an unnecessary question, but I'm going to ask it anyway.  Did you invalidate the nscd cache when you checked?  You can do that by issuing the `nscd -i group` command.

Comment 5 TCottier 2013-08-12 08:33:37 UTC
Hi and thanks for watching that problem.

I just retried to be sure, and I can confirm that even after the cache has been invalidated the problem persists.

Raw paste:

# service nscd status
nscd (pid 2054) is running...

# getent group gpig

# id -Gn john

# nscd -i group
# nscd -i passwd
# id -Gn john

# service nscd stop
Stopping nscd:                                             [  OK  ]
# id -Gn john
john gpig

Comment 7 TCottier 2013-10-31 08:49:09 UTC
Hi, do you need any other informations about this problem? Can I help you in anything to determine what's wrong?


Comment 8 Carlos O'Donell 2013-11-02 02:45:46 UTC
(In reply to TCottier from comment #7)
> Hi, do you need any other informations about this problem? Can I help you in
> anything to determine what's wrong?

At present we don't need any more information. We aren't presently working on this issue, but I've scheduled it for review as part of our development process.

All I can say is that nscd should not be dropping any groups. You may wish to start nscd with debug-level set to 7 in /etd/nscd.conf and look at the transactions in detail to see what the server is doing and if anything sticks out as wrong.

Comment 9 Martin Hamant 2013-12-23 08:29:55 UTC

I can confirm this bug on my CentOS 6.5.
I want to add that getent returns expected results about group membership. The problem occurs with 'id' command, which don't return all the group that belongs to the user.

This issue seems really linked to https://bugzilla.redhat.com/show_bug.cgi?id=706571

Comment 11 Frank Enderle 2014-06-03 14:55:03 UTC
I confirm this bug for CentOS 6.5.

Package: nscd.x86_64 0:2.12-1.132.el6_5.2

id only shows groups for local defined /etc/groups settings, neglecting libnss-mysql grouplist entries when nscd is running. disabling the group cache in nscd solves the problem.

Comment 14 Travis Finch 2015-03-13 23:04:42 UTC
Seeing this issue on RHEL 6.6. Have the following version of nscd installed:


I am also using libnss-mysql. When I enable nscd and run:

groups <user>

to check, only the default group is displayed.

When I disable nscd and re-run the command, it shows all of the groups the user belongs to.

Comment 15 Frank Enderle 2015-04-13 19:34:42 UTC
(In reply to Siddhesh Poyarekar from comment #4)
> It's probably an unnecessary question, but I'm going to ask it anyway.  Did
> you invalidate the nscd cache when you checked?  You can do that by issuing
> the `nscd -i group` command.
Yes I did.

Comment 17 Florian Weimer 2016-02-04 12:57:21 UTC
Can you reproduce this issue with another NSS service module besides libnss-mysql?

If you are using the version in Fedora, it's no longer maintained upstream.

Comment 18 TCottier 2016-02-22 13:02:22 UTC
I did not tried with another nss services.

Comment 19 Jarrod Makin 2016-03-04 18:07:58 UTC
I witnessed something similar to this today
Can you show us the output of:
ls -l /etc/libnss-mysql.cfg /etc/libnss-mysql-root.cfg

If the files aren't readable by the nscd user, you may get unintended consequences

Comment 20 TCottier 2016-03-07 09:27:36 UTC
I've just tested with chown nscd.nscd /etc/libnss-mysql* and the results are the same.

I guess the problem is more on the nscd side as libnss-mysql works fine when we stop the cache service.

Comment 21 Jarrod Makin 2016-03-07 09:29:28 UTC
Have you tried running nscd --invalidate=passwd and nscd --invalidate=group after this?

Comment 22 TCottier 2016-03-07 09:31:01 UTC
Of course :)

Comment 24 Florian Weimer 2017-11-08 09:39:31 UTC
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

This issue does not qualify, and there is insufficient information in this report to identify the root cause of this issue.

Comment 25 Red Hat Bugzilla Rules Engine 2017-11-08 09:39:38 UTC
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Note You need to log in before you can comment on or make changes to this bug.