From: varun mittal
Date: Thu, 10 Feb 2022 13:08:42 +0530
Subject: Understanding 'initgroups' behavior in nsswitch.conf
To: libc-help@sourceware.org

Hi

Working on a CentOS machine, with glibc 2.17.

I am struggling to find a configuration which disables group lookup for local users on remote directories. Then I thought maybe initgroups can help, but it doesn't seem to work.

My nsswitch.conf

    passwd: compat ldap lsass
    shadow: files
    group: files nis ldap lsass
    hosts: files dns nis
    protocols: files
    rpc: files
    services: files
    initgroups: files nis ldap lsass

This is the code snippet of the glibc internal_getgrouplist function

    /* For compatibility reason we will continue to look for more
       entries using the next service even though data has already
       been found if the nsswitch.conf file contained only a 'groups'
       line and no 'initgroups' line.  If the latter is available
       we always respect the status.  This means that the default
       for successful lookups is to return.  */
    if ((use_initgroups_entry || status != NSS_STATUS_SUCCESS)
        && nss_next_action (nip, status) == NSS_ACTION_RETURN)
      break;

It looks like it should honor the initgroups config, but it doesn't seem to, the reason being that the _nss_files_initgroups_dyn function returns NSS_STATUS_NOTFOUND when the local user has only 1 primary group and no secondary groups.

The relevant code snippet from _nss_files_initgroups_dyn is

    if (res > 0 && grp.gr_gid != group)

Which boils down to "If user is not part of any secondary group, the group lookup will always go to other databases, irrespective of initgroups in nsswitch.conf"

Is my understanding correct? If yes, any reason why this has been implemented this way?

How do I get the desired behavior that a local user's group lookup should never go to remote databases?
In my case, if the remote directory ports are blocked or the remote directory is slow to respond, the service doing the lookup goes for a total hang.

Our product ships with default nsswitch.conf and is not configurable by the end user. I need to have a static nsswitch.conf file with all the possible db's listed.

Thanks n regards
Mittal
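
Added example, not part of the original message and not glibc source: a simplified C model of the loop condition quoted above, showing how many services on the `initgroups:` line get consulted depending on what `files` returns. The function names, the per-service statuses and the assumption that the remote services answer UNAVAIL are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not glibc source: status and action names follow
   glibc, everything else here is hypothetical. */
enum nss_status { NSS_STATUS_TRYAGAIN = -2, NSS_STATUS_UNAVAIL,
                  NSS_STATUS_NOTFOUND, NSS_STATUS_SUCCESS };
enum nss_action { NSS_ACTION_CONTINUE, NSS_ACTION_RETURN };

/* One service from the nsswitch.conf line and the status its
   initgroups lookup is assumed to return (constructed input). */
struct service { const char *name; enum nss_status status; };

/* Default actions when the line carries no [STATUS=action] items:
   SUCCESS returns, every other status continues. */
static enum nss_action next_action(enum nss_status st)
{
    return st == NSS_STATUS_SUCCESS ? NSS_ACTION_RETURN : NSS_ACTION_CONTINUE;
}

/* Apply the quoted condition after each service; return how many
   services were consulted before the loop stopped. */
int services_consulted(const struct service *svc, size_t n,
                       bool use_initgroups_entry)
{
    size_t i;
    for (i = 0; i < n; i++)
        if ((use_initgroups_entry || svc[i].status != NSS_STATUS_SUCCESS)
            && next_action(svc[i].status) == NSS_ACTION_RETURN)
            return (int)(i + 1);
    return (int)n;
}

/* Constructed cases for "initgroups: files nis ldap lsass". */
static const struct service no_secondary[] = {   /* files finds nothing */
    {"files", NSS_STATUS_NOTFOUND}, {"nis", NSS_STATUS_UNAVAIL},
    {"ldap", NSS_STATUS_UNAVAIL}, {"lsass", NSS_STATUS_UNAVAIL} };
static const struct service has_secondary[] = {  /* files finds a group */
    {"files", NSS_STATUS_SUCCESS}, {"nis", NSS_STATUS_UNAVAIL},
    {"ldap", NSS_STATUS_UNAVAIL}, {"lsass", NSS_STATUS_UNAVAIL} };

int main(void)
{
    printf("initgroups line, files NOTFOUND: %d\n", services_consulted(no_secondary, 4, true));
    printf("initgroups line, files SUCCESS:  %d\n", services_consulted(has_secondary, 4, true));
    printf("no initgroups line, SUCCESS:     %d\n", services_consulted(has_secondary, 4, false));
    return 0;
}
```

In this model the walk stops at `files` only when it reports SUCCESS and an `initgroups` line is present; a NOTFOUND from `files` falls through to every remaining service.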