On Wednesday, 28 May 2025 15:51:27 CEST Alexander Bokovoy wrote:
> On Wed, 28 May 2025, Lennart Poettering wrote:
> > On Wed, 28.05.25 12:34, Alexander Bokovoy (aboko...@redhat.com) wrote:
> >
> > > > a group record it will combine a specific userdb group record from one
> > > > backend with the results of a matching GetMemberships() of *all*
> > > > backends and return that as one "struct group" NSS record. Or in other
> > > > words: .gr_name, .gr_passwd, .gr_gid are initialized from the group
> > > > record JSON object, but .gr_mem is initialized from the combination of
> > > > the results of all GetMemberships() IPC calls.
> > >
> > > That was my expectation as well, but the result you see in my email is
> > > what I get on Fedora enrolled into IPA.
> > >
> > > In addition to that, `getent -s systemd initgroups abokovoy` does not
> > > return any group membership at all:
> > >
> > > $ strace -f -s 1024 -e trace=%net getent -s systemd initgroups abokovoy
> > > ...
> > > socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
> > > connect(4, {sa_family=AF_UNIX,
> > > sun_path="/run/systemd/userdb/io.systemd.DynamicUser"}, 45) = 0
> > > socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 7
> > > connect(7, {sa_family=AF_UNIX,
> > > sun_path="/run/systemd/userdb/io.systemd.NamespaceResource"}, 51) = 0
> > > socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 8
> > > connect(8, {sa_family=AF_UNIX,
> > > sun_path="/run/systemd/userdb/io.systemd.DropIn"}, 40) = 0
> > > socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 9
> > > connect(9, {sa_family=AF_UNIX,
> > > sun_path="/run/systemd/userdb/io.systemd.Home"}, 38) = 0
> > > socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 10
> > > connect(10, {sa_family=AF_UNIX,
> > > sun_path="/run/systemd/userdb/io.systemd.Machine"}, 41) = 0
> >
> > Not sure I follow? This trace shows only systemd's own five userdb
> > implementations, none provided by sssd? And you used "-s systemd" on
> > the getent cmdline, hence you prohibit NSS from ever querying anything
> > else but systemd's userdb.
>
> I limited communication to what is not working.
>
> > hence of course you are not getting any sssd records, because you
> > don't have the userdb socket for it around, and you don't want the NSS
> > logic to talk to anything but userdb either?
>
> I think you are missing my point, indeed. What I am trying to say is that
>
> $ userdbctl groups-of-user --with-dropin=yes --multiplexer=yes --with-nss=yes abokovoy
> No memberships.
>
> is not expected behavior.
>
> Regardless of what I try, userdbctl cannot see groups that I am otherwise a
> member of via user lookup. This makes the userdb API useless in the context
> I have and I want to understand what is not working here. Are you
> implying that something is incorrect in my usage of the userdb API?

I think for this to be working correctly, sssd would need to provide a
varlink interface. Did you try with winbind (with varlink support) and
/etc/userdb files? Either there is a bug, or this is only available with
varlink interfaces and not legacy groups via nsswitch.

> On the other hand,
>
> $ userdbctl users-in-group admins
> USER     GROUP
> abokovoy admins
> admin    admins
>
> 2 memberships listed.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> --
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
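One way to see what userdbctl is doing underneath, and to check which backend actually answers membership queries, is to talk to the varlink sockets under /run/systemd/userdb directly and call GetMemberships on each service by name. A backend that answers GetUserRecord but never GetMemberships (or that has no socket there at all, like a legacy NSS-only module) then shows up as an empty or missing entry rather than being silently folded into "No memberships." The script below is an added example, not code from this thread or from systemd. It follows systemd's documented io.systemd.UserDatabase varlink interface as I understand it: one JSON object per message terminated by a NUL byte, "more": true to request a streamed reply, "continues": true on every reply but the last, and the io.systemd.UserDatabase.NoRecordFound error standing for "no memberships". The user name abokovoy and the reply bytes used in the test are constructed for illustration.

```python
#!/usr/bin/env python3
"""Query userdb varlink services for GetMemberships, one socket at a time.

Added example, not from the thread or from systemd. Assumptions (see lead-in):
varlink framing is NUL-terminated JSON; "more": true streams replies that carry
"continues": true except the last; NoRecordFound means "no memberships".
"""
import json
import os
import socket
import sys
from typing import Iterator, List, Optional, Tuple

USERDB_DIR = "/run/systemd/userdb"  # directory where userdb services bind their sockets
METHOD = "io.systemd.UserDatabase.GetMemberships"
NO_RECORD = "io.systemd.UserDatabase.NoRecordFound"


def encode_call(service: str, user_name: Optional[str] = None,
                group_name: Optional[str] = None) -> bytes:
    """Build one varlink request frame. 'service' must name the socket being
    talked to; services answer BadService if it does not match."""
    params = {"service": service}
    if user_name is not None:
        params["userName"] = user_name
    if group_name is not None:
        params["groupName"] = group_name
    msg = {"method": METHOD, "parameters": params, "more": True}
    return json.dumps(msg).encode() + b"\0"


def parse_frames(raw: bytes) -> Iterator[dict]:
    """Split a received byte stream into complete NUL-terminated JSON frames."""
    for frame in raw.split(b"\0"):
        if frame:
            yield json.loads(frame)


def memberships_from_replies(replies) -> List[Tuple[str, str]]:
    """Collect (user, group) pairs from a GetMemberships reply stream.
    NoRecordFound is treated as 'no memberships'; any other error is raised."""
    out: List[Tuple[str, str]] = []
    for reply in replies:
        if "error" in reply:
            if reply["error"] == NO_RECORD:
                return out
            raise RuntimeError(f"varlink error: {reply['error']}")
        params = reply.get("parameters", {})
        out.append((params["userName"], params["groupName"]))
        if not reply.get("continues", False):
            break  # last reply of the stream
    return out


def query_service(service: str, user_name: Optional[str] = None,
                  group_name: Optional[str] = None,
                  timeout: float = 5.0) -> List[Tuple[str, str]]:
    """Connect to /run/systemd/userdb/<service> and run GetMemberships there."""
    path = os.path.join(USERDB_DIR, service)
    buf = b""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        sock.sendall(encode_call(service, user_name, group_name))
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            buf += chunk
            # Stop once the newest complete frame ends the stream (error or no "continues").
            if buf.endswith(b"\0"):
                last = json.loads(buf.rsplit(b"\0", 2)[-2])
                if "error" in last or not last.get("continues", False):
                    break
    return memberships_from_replies(parse_frames(buf))


def query_all_services(user_name: str) -> dict:
    """Ask every socket in USERDB_DIR individually, so the contribution (or
    silence) of each backend is visible instead of only the merged answer."""
    results = {}
    for service in sorted(os.listdir(USERDB_DIR)):
        try:
            results[service] = query_service(service, user_name=user_name)
        except (OSError, RuntimeError) as exc:
            results[service] = f"error: {exc}"
    return results


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("USER", "root")
    for service, result in query_all_services(user).items():
        print(f"{service}: {result}")
```

Run it as `python3 userdb_memberships.py abokovoy` on a host with systemd's userdb sockets present. Querying io.systemd.Multiplexer gives the merged view that userdbctl and nss-systemd see; querying the other sockets by name shows which backend contributes each membership. Anything that only exists as an NSS module, with no socket in /run/systemd/userdb, will never appear here, which is the gap the `--with-nss=yes` option of userdbctl is meant to cover.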