[Bug nscd/489] New: nscd problem with multiple passwd databases

[Bug nscd/489] New: nscd problem with multiple passwd databases

[mhaverkamp at kcp dot com]

nscd's behavior is inconsistent when there are multiple passwd databases defined
in /etc/nsswitch.conf and the 2 database have different data for the same UID.

Consider the following:
/etc/nsswitch.conf contains:
    passwd:      compat ldap

the compat database (/etc/passwd) contains:
testuser:x:54366:54366:Fred Smith:/home/u54366:/bin/bash

the ldap passwd database contains:
u54366:x:54366:54366:Fred Smith:/home/u54366:/bin/bash


The behavior without nscd (correct):
# getent passwd 54366
testuser:x:54366:54366:Fred Smith:/home/u54366:/bin/bash
# su - u54366
$ exit
logout
# getent passwd 54366
testuser:x:54366:54366:Fred Smith:/home/u54366:/bin/bash

The behavior with nscd running (incorrect):
# getent passwd 54366
testuser:x:54366:54366:Fred Smith:/home/u54366:/bin/bash
# su - u54366
$ exit
logout
# getent passwd 54366
u54366:x:54366:54366:Fred Smith:/home/u54366:/bin/bash


When nscd is running, doing a "su" to a user causes nscd to cache the mapping of
their uid to userid, even though there is a different userid associated with
that uid in /etc/passwd.  Because "compat" is listed first in
/etc/nsswitch.conf, I expect the /etc/passwd entry to take precidence.

-- 
           Summary: nscd problem with multiple passwd databases
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
        AssignedTo: drepper at redhat dot com
        ReportedBy: mhaverkamp at kcp dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: i686-pc-linux-gnulibc2
  GCC host triplet: i686-pc-linux-gnulibc2
GCC target triplet: i686-pc-linux-gnulibc2


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2004-10-28 18:48 -------
You can expect as much as you want, but it's your setup which is broken.  Don't
add conflicting information and you are fine.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[mhaverkamp at kcp dot com]

------- Additional Comments From mhaverkamp at kcp dot com  2004-10-28 19:30 -------
I expected that the response would be like that.  I understand the principal of
what you are saying and why you are saying it.  I occasionally have a need to
override the data in the shared password database (ldap) locally on 1 or 2
exceptional system with a local entry in /etc/passwd.  This works without
problems without nscd, but nscd occasionally gets its cache mixed up by this.

I argue that this is incorrect behavior because /etc/nsswitch.conf defines an
order in which databases are consulted.  Allowing data from the second listed
database to override data from the first listed database is therefor incorrect.

I leave this bug as "RESOLVED INVALID" because I am sure that it will just be
closed again anyway, but I want to be know that this functionality is both
important and useful to me, and it provides something that I can not achieve any
other way.  I am sure that there are others who have this need also.

-- 


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[roland at gnu dot org]

------- Additional Comments From roland at gnu dot org  2004-10-28 19:35 -------
Why does this differ?  The purpose of nscd is to cache what the plain nss
lookups would do.  I see no justification for it returning different
information.  What is the rationale for considering this valid?

-- 


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[mhaverkamp at kcp dot com]

------- Additional Comments From mhaverkamp at kcp dot com  2004-10-28 19:50 -------
> The purpose of nscd is to cache what the plain nss lookups would do.

The problem is that it nss lookups can return different information when nscd is
running than they would return if it was not, even if the data in the nss
databases have not changed.  My original comments lay out a scenario in which
this can happen.  My arguement is that nss lookups should behave exactly the
same with nss running as they do without nscd 100% of the time.  The only
allowable exception to this is if the data in the nss database has changed, but
nscd has not updated its cache yet.

-- 


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[nneul at umr dot edu]

------- Additional Comments From nneul at umr dot edu  2005-03-18 14:28 -------
I am also seeing this behavior with the simple case of multiple uid=0 users in
the passwd file. nss calls should behave the same regardless of whether or not
nscd is running. This is not currently the case. 

I believe that the reason for the failure is fairly simple, and would be happy
to write a patch to address it:

nscd is allowing a getpwuid() call to affect the caches for getpwnam() calls,
and vice versa. Split that apart, and the problem will be fixed.

I would like to see this re-opened and addressed. Would you accept a patch that
does what I've described?

-- 


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[nneul at umr dot edu]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nneul at umr dot edu


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[nneul at umr dot edu]

------- Additional Comments From nneul at umr dot edu  2005-03-18 14:53 -------
>From a quick looking over of the code, this looks like it would be pretty
trivial to fix. 

In connections.c, nscd.c, nscd.h, and nscd_conf.c:

   split 'pwddb' into 'pwddb_name', 'pwddb_uid'
   define two databases instead of one in dbs[]
   use the specific db in serv2db instead of 'pwddb'
   probably also need small mod in invalidate_cache

something similar should probably be put in for hosts and groups, although not
nearly as likely to be a problem for groups. 

-- 


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[nneul at umr dot edu]

------- Additional Comments From nneul at umr dot edu  2005-03-18 17:29 -------
Created an attachment (id=440)
 --> (http://sources.redhat.com/bugzilla/attachment.cgi?id=440&action=view)
Add support for a 'unidirectional' flag in nscd.conf

Adds support for the flag 'unidirectional'. If set to yes, will not load the
get(pw|gr)uid data when triggered via a get(pw|gr)name call.

-- 


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[nneul at umr dot edu]

------- Additional Comments From nneul at umr dot edu  2005-03-18 17:31 -------
I did have one weird symptom which I didn't understand, may be an issue with
nscd, but don't see how it could be an issue with the patch. If I put the 'int
unidirectional' in the struct right after persistent, I consistently got
segfaults when starting nscd. I dont know if there is some sort of
alignment/packing issue or something else weird going on there.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[nneul at umr dot edu]

------- Additional Comments From nneul at umr dot edu  2005-03-27 17:09 -------
I haven't seen any response to this updated bug report with fix.

Is there a more appropriate place to request that this patch be applied? 

Do you have any thoughts on the patch itself? It seems like a very benign fix to
me that would resolve problems that various people are having.

-- 


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[drepper at redhat dot com]

------- Additional Comments From drepper at redhat dot com  2005-04-29 02:01 -------
There is nothing wrong with the way nscd works.  Your setup is broken if you
have problems.  Don't use nscd if you don't want to change it.  I'm not going to
punish everybody just because some people cannot maintain their systems correctly.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[nneul at umr dot edu]

------- Additional Comments From nneul at umr dot edu  2005-04-29 02:08 -------
Subject: Re:  nscd problem with multiple passwd databases

How is a patch that negatively impacts no one other than those wishing
to use it "punishing" anyone? It's not like I even asked for the default
behavior to be changed, just to give the user the option to do it
without having to rebuild all of glibc just to get nscd changed.

-- Nathan

On Fri, 2005-04-29 at 02:01 +0000, drepper at redhat dot com wrote:
> ------- Additional Comments From drepper at redhat dot com  2005-04-29 02:01 -------
> There is nothing wrong with the way nscd works.  Your setup is broken if you
> have problems.  Don't use nscd if you don't want to change it.  I'm not going to
> punish everybody just because some people cannot maintain their systems correctly.
> 


-- 


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

[Bug nscd/489] nscd problem with multiple passwd databases

[stian at nixia dot no]

------- Additional Comments From stian at nixia dot no  2005-06-29 12:20 -------
The user/system should not notice if nscd is running or not. nscd is a caching
service, and should not alter how a systems behaves, except a speed-increase
when a cached value is present

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |stian at nixia dot no


http://sources.redhat.com/bugzilla/show_bug.cgi?id=489

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.