Bug 751450
Summary: | Initgroups entry in nsswitch.conf should be commented out in the default config | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Andrew McNabb <amcnabb> |
Component: | glibc | Assignee: | Siddhesh Poyarekar <spoyarek> |
Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 23 | CC: | awilliam, fweimer, jakub, jhrozek, k.georgiou, mads, metanoite, mnewsome, rdieter, sbose, sgallagh, spoyarek, ssorce, tmraz |
Target Milestone: | --- | Keywords: | Reopened, Triaged |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | 2.22-2.fc23 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | 750388 | Environment: | |
Last Closed: | 2015-08-26 04:33:38 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1366569 |
Description
Andrew McNabb
2011-11-04 18:54:00 UTC
1. The addition of initgroups entry into nsswitch.conf should have been properly announced.
2. For backwards compatibility it should be commented out in the default nsswitch.conf

Andreas can you please explain what this initgroups is? Also can we please prepare an update to push right after GA to back this change out?

*IF* there is a good reason to have an option like this it must:

A) be discussed widely with stakeholders (at least the main nss_* modules maintainers)

B) Be backwards compatible *BY DEFAULT*

I am too angry to better articulate any request, but a prompt discussion about this *feature* is highly desirable.

-- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers

glibc-2.14.90-15.1 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/glibc-2.14.90-15.1

Package glibc-2.14.90-15.1:

* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing glibc-2.14.90-15.1'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-15723 then log in and leave karma (feedback).

Package glibc-2.14.90-15.2:

* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing glibc-2.14.90-15.2'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-15723 then log in and leave karma (feedback).

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Package glibc-2.14.90-16:

* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:

    # su -c 'yum update --enablerepo=updates-testing glibc-2.14.90-16'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-15723 then log in and leave karma (feedback).

glibc-2.14.90-18 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/glibc-2.14.90-18

I still have a problem with secondary LDAP and local groups. I am now a member of my LDAP groups after updating to authconfig-6.1.16-2.fc16 and running "authconfig -updateall". However, if I add myself to any group in /etc/group, the result is that I am now only a member of the local groups and not any of the LDAP groups.

/etc/nsswitch.conf (after applying authconfig-6.1.16-2.fc16 [bug 750388]):

    initgroups: files sss

without "me" being a member of any group in /etc/group:

    $ groups
    me software security staff ftpadmin sysadmin

adding me to a group in /etc/group

    apache:x:48:me

    $ groups
    me apache

Removing the initgroups line from /etc/nsswitch.conf exhibits expected behavior, as reported above:

    $ groups
    me apache software security staff ftpadmin sysadmin

Robert, the correct configuration is to comment out initgroups entirely. Authconfig tries its best to respect what the admin may have set, unfortunately the initgroups is simply terminally stupid and completely breaks any existing configuration no matter what as it completely changes the semantics of the initgroups call. The glibc maintainer messed up badly and initgroups is enabled by default in F16 GA, so you may have to manually remove it. If you remove the entry, authconfig will not re-add it.

Unfortunately the semantics of the initgroups is different from the other entries and authconfig will have to be changed to respect it. I really wonder whether it wouldn't be the best idea to always just remove the entry by authconfig.

Tomas, what about adding an authconfig option like --preserve-initgroups and otherwise always remove it?
In almost all cases you would never want to use initgroups as defined in glibc as it makes little to no sense.

I'm not sure if that would really make sense to have this option - basically if you want to modify the pam and nsswitch.conf files manually, you should not use the authconfig at all. So I'll probably remove the entry altogether and unconditionally. Hopefully glibc will keep the old backwards compatible semantics when the entry is not there in future.

Works for me.

I believe we still need a fix for this in glibc. AIUI the desired fix is for the initgroups line to be dropped entirely from the default /etc/nsswitch.conf file, right Tomas?

-- Fedora Bugzappers volunteer triage team https://fedoraproject.org/wiki/BugZappers

Yes, or it can be left there commented out with an appropriate comment about the semantic difference between initgroups entry and the other entries.

This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events.
Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.

Reopening since this bug still needs triaging and answering. Moving to rawhide to see if we can reproduce.

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

The SSSD nss plugin already implements initgroups_dyn support, so I assume what initgroups is for is already known. It looks like the patch to remove the initgroups line from the default nsswitch.conf was committed to the fedora/master branch in the upstream glibc[1] repository but it was never pulled into Fedora. When we finally discovered the branches and their use (in 2013), I did not notice this until I came across this bug.

If the sssd initgroups_dyn callback is an optimal implementation for initgroups (i.e. it is faster than just using groups as fallback), then it might make sense to keep the initgroups line in place like this:

    initgroups: files [SUCCESS=continue] sss

authconfig will then have to support this. The files implementation for initgroups is not really any better than groups AFAIR, so the only other benefits of initgroups are visible when one uses nscd (not default) or uses the nssdb (again, not default).

If it doesn't matter, I'll just remove the line from nsswitch. Let me know what is preferable.

[1] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=3b819160

This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

(In reply to Siddhesh Poyarekar from comment #23)
> If it doesn't matter, I'll just remove the line from nsswitch. Let me know
> what is preferable.

Ping?

I'd say just remove it.

Pushed in rawhide and I've also got an f23 build going.

glibc-2.22-2.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/glibc-2.22-2.fc23

Package glibc-2.22-2.fc23:

* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing glibc-2.22-2.fc23'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-13713/glibc-2.22-2.fc23 then log in and leave karma (feedback).

glibc-2.22-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
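The lookup semantics discussed in this thread, as an added example (not glibc's or authconfig's code): a simplified Python model of how the supplementary group list is built from nsswitch.conf with and without an active initgroups line. The source contents, the function names, and the rule that a source reports SUCCESS only when it lists the user are assumptions drawn from the behaviour reported above.

```python
import re

# glibc's default action for each lookup status
DEFAULTS = {"SUCCESS": "return", "NOTFOUND": "continue",
            "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_db(conf, database):
    """Return [(service, {status: action})] for an active line, else None."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith(database + ":"):
            continue
        chain = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[1]):
            if tok.startswith("["):                  # e.g. [SUCCESS=continue]
                for item in tok[1:-1].split():       # negated !STATUS not modelled
                    status, action = item.split("=")
                    chain[-1][1][status.upper()] = action.lower()
            else:
                chain.append((tok, dict(DEFAULTS)))
        return chain
    return None

def supplementary_groups(conf, user, sources):
    """Model the group list; sources maps service -> {group: [members]}."""
    chain = parse_db(conf, "initgroups")
    explicit = chain is not None
    if not explicit:                                 # fall back to the group line
        chain = parse_db(conf, "group") or []
    groups = []
    for service, actions in chain:
        found = [g for g, m in sources.get(service, {}).items() if user in m]
        groups += [g for g in found if g not in groups]
        status = "SUCCESS" if found else "NOTFOUND"
        # Only an explicit initgroups line lets SUCCESS end the walk early
        if (explicit or status != "SUCCESS") and actions[status] == "return":
            break
    return groups

# Constructed data mirroring the report: "me" is in local apache and five LDAP groups
LDAP = ["software", "security", "staff", "ftpadmin", "sysadmin"]
SOURCES = {"files": {"apache": ["me"]}, "sss": {g: ["me"] for g in LDAP}}
F16_DEFAULT = "group: files sss\ninitgroups: files sss\n"
COMMENTED = "group: files sss\n#initgroups: files sss\n"
CONTINUE = "group: files sss\ninitgroups: files [SUCCESS=continue] sss\n"

if __name__ == "__main__":
    for conf in (F16_DEFAULT, COMMENTED, CONTINUE):
        print(repr(conf), "->", supplementary_groups(conf, "me", SOURCES))
```

Because supplementary groups feed file permissions and group-based access rules, a configuration audit can use the same parse to flag an active initgroups line whose first source lacks `[SUCCESS=continue]`.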