#616171 libc6: Multiple calls to getgrouplist give different answers with/without nscd running

Package:
libc6
Source:
glibc
Description:
GNU C Library: Shared libraries
Submitter:
Harry Edmon
Date:
2011-08-23 10:51:59 UTC
Severity:
important
#616171#5
Date:
2011-03-02 22:09:44 UTC
From:
To:
When running NIS, the following simple code gives different answers with nscd
running versus nscd not running:

#include <grp.h>
#include <stdio.h>
#define NGROUPS 100
main( int argc, char **argv )
{
  int i=NGROUPS;
  gid_t groups[NGROUPS];
  getgrouplist(argv[1], 1062, groups, &i);
  printf ("%d\n", i);
  getgrouplist(argv[1], 1062, groups, &i);
  printf ("%d\n", i);
}


For example with nscd running:

t harry
19
19

Without nscd running:

t harry
19
4

The first call always returns the groups assigned to a user in /etc/groups and
in NIS.   This is alway true of the second call with nscd running.

When nscd is not running, the second call to getgrouplist only returns the
groups assigned to a user in /etc/groups and the gid passed into getgrouplist.

This is caused "samba" to not assign the correct groups to a user when nscd was
not running on the samba server.

The same code works correctly when run in "lenny" whether nscd is running or
not.

#616171#10
Date:
2011-03-15 19:33:44 UTC
From:
To:
In my original report I had the following in nsswitch.conf:

group:    compat

If I change this to:

group:    compat nis

then both calls to getgrouplist in my sample program return the correct
number of groups whether nscd is running or not.   I have also noticed
that with group set just to "compat" with nscd turned on, that sometime
nscd loses the NIS groups and just reports the local groups.   I have to
stop nscd, delete the cache files in /var/cache/nscd, and start nscd
again to fix this.

#616171#15
Date:
2011-03-17 19:48:29 UTC
From:
To:
This bug is related to (if not the same as) #584914.
#616171#20
Date:
2011-07-26 08:21:21 UTC
From:
To:
Hello,
data comes from NIS, `groups user` often shows only the primary group of
the user. Emptying nscd group cache data by running `nscd -i group` solves
that.

Regards
  Christoph

#616171#25
Date:
2011-08-23 10:39:47 UTC
From:
To:
Dear Debian Fellows !

My investigations suggest that those 3 bugs are related: #599399 #584914 #616171.
I have here a Squeeze 64 host that shows the same problem explained by Arto (#599399).
I updated it to the latest updates / proposed updates yesterday (22-08-2011).

Package versions are:
nis 3.17-31
libpam0g 1.1.1-6.1
libpam-modules 1.1.1-6.1
nscd 2.11.2-10
libc6 2.11.2-10

(re-)Description of the problem:

a/ login in with a local account which is declared locally in a NIS group (/etc/group + syntax)

 - with 'group: compat' or 'group: compat nis' in nsswitch.conf,
   this does NOT work, group is absent

 - with 'group: files nis' or 'group: nis files',
   this DOES work, group is present


b/ login in with a NIS account, which belongs to 4 NIS groups and 2 local groups
   and which primary group is a NIS group

 - whatever recipe put in nsswitch.conf, this NIS account belongs to
   its 2 local groups and only its NIS primary group : zero secondary NIS group

I hope this can help track & solve this very serious issue.

Cheers,
Michel


The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.