getpwent lookups to the ldap backend fail when using nss_compat


Environment

  • Red Hat Enterprise Linux 4/5/6
  • ldap backend using nss_compat mode and netgroups

Issue

  • 'getent passwd' only retrieves local users on the server when we use 'compat' in nsswitch.conf

    • The following entries are used in /etc/nsswitch.conf:

      passwd_compat: ldap
      passwd: compat
      
  • If a +@netgroup entry is included in /etc/passwd, where user1 is a member of the netgroup, 'getent passwd user1' shows the user1 entry from LDAP. However, the user is not listed when 'getent passwd' is used (enumeration does not work).

Login as user1 works as expected, and 'id user1' is correct.

  • If +user1 is included in /etc/passwd, 'getent passwd user1' lists the user, and 'getent passwd' also shows the user entry (enumeration works correctly).

Additionally, getent stops processing entries in /etc/passwd once it hits a '+@' line. For example, if the passwd file contains:

+user2
+user3
+@netgroup
+user4

then user2 and user3 will be resolved but user4 will not. If the entries are rearranged as follows,

+user4
+@netgroup
+user2
+user3

then user4 will be resolved but user2 and user3 will not.

Why is getent ignoring the netgroup when enumerating the users?
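An added check (not from the article) that compares the users /etc/passwd pulls in via +name and +@netgroup lines with what 'getent passwd' actually enumerated, and flags the +name lines that sit below a +@ line. The sample passwd lines, netgroup output and enumeration output are constructed; run as a script it queries the live NSS stack with getent instead.

```python
import re
import subprocess

# Constructed sample data (not from the article): the compat lines of /etc/passwd,
# `getent netgroup` output for the referenced netgroup, and what `getent passwd`
# enumeration actually returned on the affected host.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n+user2\n+user3\n+@netgroup\n+user4\n"
SAMPLE_NETGROUPS = {"netgroup": "netgroup (,user1,) (,user5,)"}
SAMPLE_ENUM = ("root:x:0:0:root:/root:/bin/bash\n"
               "user2:x:1002:1002::/home/user2:/bin/bash\n"
               "user3:x:1003:1003::/home/user3:/bin/bash\n")

TRIPLE = re.compile(r"\(([^,)]*),([^,)]*),([^)]*)\)")  # (host,user,domain)


def netgroup_users(netgroup_text):
    """User fields of the (host,user,domain) triples; '' and '-' mean no user."""
    return [u for _host, u, _dom in TRIPLE.findall(netgroup_text) if u not in ("", "-")]


def expected_compat_users(passwd_text, netgroups):
    """Users the +name and +@netgroup lines pull in, in file order, plus the +name
    entries placed below a +@ line (the ones the article says stop being processed)."""
    expected, below_netgroup, seen_netgroup = [], [], False
    for line in passwd_text.splitlines():
        if line.startswith("+@"):
            expected.extend(netgroup_users(netgroups.get(line[2:].split(":")[0], "")))
            seen_netgroup = True
        elif line.startswith("+") and len(line) > 1 and line[1] != ":":
            name = line[1:].split(":")[0]  # "+user:::::::" override syntax is allowed
            expected.append(name)
            if seen_netgroup:
                below_netgroup.append(name)
    return expected, below_netgroup


def audit(passwd_text, netgroups, enum_text):
    """Report compat users missing from enumeration and +name lines below a +@ line."""
    enumerated = {line.split(":")[0] for line in enum_text.splitlines() if line}
    expected, below_netgroup = expected_compat_users(passwd_text, netgroups)
    return {"missing": [u for u in expected if u not in enumerated],
            "below_netgroup": below_netgroup}


def getent(*args):  # live NSS query; only used when run as a script
    return subprocess.run(["getent", *args], capture_output=True, text=True).stdout


if __name__ == "__main__":
    with open("/etc/passwd") as f:
        passwd = f.read()
    names = [l[2:].split(":")[0] for l in passwd.splitlines() if l.startswith("+@")]
    print(audit(passwd, {n: getent("netgroup", n) for n in names}, getent("passwd")))
```

A bare '+' line (pull in every NIS user) is skipped, since the expected set cannot be derived from /etc/passwd alone.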

Resolution

Red Hat Enterprise Linux 6

Update to glibc 2.12-1.47.el6 (from RHSA-2011-1526) or later for this change:

> BZ#718057 https://bugzilla.redhat.com/show_bug.cgi?id=718057
>
> The getpwent() lookups to LDAP (Lightweight Directory Access Protocol) did not return any netgroup users if the NIS (Network Information Service) domain for individual users was not defined in /etc/passwd. This happened when the nss_compat mode was set as the mode was primarily intended for use with NIS. With this update, getpwent returns LDAP netgroup users even if the users have no NIS domain defined.

Workaround

A workaround for now is to set the NIS domain name (any name will do). The plan is to include a permanent fix in the next minor release of RHEL5 (RHEL5.8). Once the fix is available, enumeration will work without requiring the NIS domain name for the host to be set.

For example:

# nisdomainname example.com

Root Cause

Compat mode was essentially meant to work with NIS, and it currently requires an NIS domain name to be set until the fix is released in RHEL5/6. There are no plans to release an official fix in RHEL4; RHEL4 users have to continue using the workaround mentioned above.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
