public inbox for libc-help@sourceware.org
* Understanding 'initgroups' behavior in nsswitch.conf
@ 2022-02-10  7:38 varun mittal
From: varun mittal @ 2022-02-10  7:38 UTC (permalink / raw)
  To: libc-help

Hi

Working on a CentOS machine with glibc 2.17, I am struggling to find a
configuration which disables group lookup for local users on remote
directories.

Then I thought maybe initgroups could help, but it doesn't seem to work.

My nsswitch.conf:

passwd:     compat ldap lsass
shadow:     files
group:      files nis ldap lsass
hosts:      files dns nis
protocols:  files
rpc:        files
services:   files
initgroups: files nis ldap lsass

This is the code snippet from glibc's internal_getgrouplist function:

      /* For compatibility reason we will continue to look for more
         entries using the next service even though data has already
         been found if the nsswitch.conf file contained only a 'groups'
         line and no 'initgroups' line.  If the latter is available
         we always respect the status.  This means that the default
         for successful lookups is to return.  */
      if ((use_initgroups_entry || status != NSS_STATUS_SUCCESS)
          && nss_next_action (nip, status) == NSS_ACTION_RETURN)
        break;

It looks like it should honor the initgroups config, but it doesn't seem
to, the reason being that the _nss_files_initgroups_dyn function returns
NSS_STATUS_NOTFOUND when the local user has only one primary group and no
secondary groups. The relevant code snippet from _nss_files_initgroups_dyn is:

      if (res > 0 && grp.gr_gid != group)

Which boils down to:

"If the user is not part of any secondary group, the group lookup will
always go to other databases, irrespective of initgroups in
nsswitch.conf"

Is my understanding correct? If yes, is there any reason why this has been
implemented this way?

How do I get the desired behavior, that a local user's group lookup
should never go to remote databases?

In my case, if the remote directory ports are blocked or the remote
directory is slow to respond, the service doing the lookup goes for a
total hang.

Our product ships with a default nsswitch.conf and is not configurable
by the end user. I need to have a static nsswitch.conf file with all
the possible DBs listed.


Thanks and regards
Mittal
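The lookup loop and the files-backend check quoted in the mail above, modelled as an added example in C (my own code, not glibc's): it parses an initgroups line, including glibc's documented [STATUS=action] specifications that nss_next_action consults, and shows that with the default actions a local user with no secondary groups falls through from files to nis, ldap and lsass. The status and action names, the parser and the action table are assumptions of this model; the per-service statuses are constructed, not read from a real system.

```c
#define _POSIX_C_SOURCE 200809L            /* for strtok_r and strcasecmp */
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed model (not glibc code) of how the quoted loop walks the services on an
 * nsswitch.conf initgroups line.  Names follow glibc's nss.h; parser and table are mine. */
enum { NSS_STATUS_SUCCESS, NSS_STATUS_NOTFOUND, NSS_STATUS_UNAVAIL, NSS_STATUS_TRYAGAIN, NSTATUS };
enum { NSS_ACTION_CONTINUE, NSS_ACTION_RETURN };
static const char *const status_name[NSTATUS] = { "SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN" };
struct service { char name[16]; int action[NSTATUS]; };

/* Parse "files [NOTFOUND=return] nis ldap" into services with a per-status action.
 * glibc defaults: SUCCESS=return, all others continue.  Plain "[STATUS=action]" form only. */
int parse_services(const char *line, struct service *out, int max)
{
    char buf[256], *save, *tok; int n = 0;
    snprintf(buf, sizeof buf, "%s", line);
    for (tok = strtok_r(buf, " \t[]", &save); tok; tok = strtok_r(NULL, " \t[]", &save)) {
        char *eq = strchr(tok, '=');
        if (eq && n > 0) {                    /* action spec: applies to the previous service */
            *eq = '\0';
            for (int s = 0; s < NSTATUS; s++)
                if (!strcasecmp(tok, status_name[s]))
                    out[n - 1].action[s] = strcasecmp(eq + 1, "return") ? NSS_ACTION_CONTINUE : NSS_ACTION_RETURN;
        } else if (!eq && n < max) {          /* new service with the default actions */
            snprintf(out[n].name, sizeof out[n].name, "%s", tok);
            for (int s = 0; s < NSTATUS; s++) out[n].action[s] = NSS_ACTION_CONTINUE;
            out[n].action[NSS_STATUS_SUCCESS] = NSS_ACTION_RETURN;
            n++;
        }
    }
    return n;
}

/* The quoted loop with an initgroups line present (status always respected): stop at the
 * first service whose action for its status is RETURN; n-1 means every service was consulted. */
int last_service_consulted(const struct service *svc, int n, const int *status)
{
    for (int i = 0; i < n; i++)
        if (svc[i].action[status[i]] == NSS_ACTION_RETURN) return i;
    return n - 1;
}

/* Local user with only a primary group: files reports NOTFOUND (the quoted
 * _nss_files_initgroups_dyn check) and, in this constructed scenario, so does every later service. */
int stops_at_for_notfound(const char *line)
{
    struct service svc[8];
    int st[8], n = parse_services(line, svc, 8);
    for (int i = 0; i < n; i++) st[i] = NSS_STATUS_NOTFOUND;
    return last_service_consulted(svc, n, st);
}

int main(void) { printf("%d %d\n", stops_at_for_notfound("files nis ldap lsass"),
                        stops_at_for_notfound("files [NOTFOUND=return] nis ldap lsass")); }
```

The second line stops at index 0 (files) only because [NOTFOUND=return] makes every NOTFOUND from files final, which also cuts off users that exist only in nis or ldap, since files reports NOTFOUND for them too; it is shown here to illustrate the action table, not as a fix for the problem in the mail.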
