http://defect.opensolaris.org/bz/show_bug.cgi?id=12567
--- Comment #18 from amaguire <alan.maguire at sun.com> 2009-11-13 13:18:10 UTC
---
(In reply to comment #17)
> a bit more on the group stuff - startd calls initgroups() with the gid of
> netadm (65 in decimal == 41 in hex). There's a comment above this that says:
>
> 3160 /* Ok if cip->gid == -1 */
> 3161 if (initgroups(cip->pwd.pw_name, cip->gid) != 0) {
>
> ..which may be a bit suspect, since in this case cip->gid == 0x41 (for
> netadm).
>
> We're basically looking up supplemental group membership for the user "netadm"
> including the base gid of the netadm gid on behalf of the refresh method for
> nwamd. The problem is we only stop when we've got NGROUPS_MAX groups, so it
> seems like a call like this is destined to fall back to NIS. We can add
> specific users to the /etc/group entry for the netadm group, but even after
> doing that we seem to fall back to NIS - I'm not sure why.
>
> The (sort of) good news is that this issue seems to be the only one we need to
> address wrt name service issues at least - if we remove the nis entry from the
> group line in nsswitch.conf for the User location, all appears well.
>
> So I think we need to establish
>
> 1) is calling initgroups() with a gid != -1 a bug in startd?
> 2) is there a way to prevent supplemental group lookup falling back to nis?
>
> I'm looking into 1, and if that's a dead end I'll investigate 2.

I've found a way of bypassing the supplemental group lookup - if we explicitly
set the supp_groups property in the method_context for the start/stop/refresh
methods to 'netadm' we bypass this checking, since the code that runs
initgroups() is only executed if the number of supplemental groups is -1
(unset). So I think we need to do the following to stop the NIS lookup hangs in
startd:

1. add project=default to netadm/netcfg users in user_attr
2. add supp_groups astring value set to 'netadm' to the method contexts of nwam
   and location:default, since both these run as non-root user, preventing
   fallback to NIS to retrieve supplemental group data.

In addition, we should probably make some other changes we've discussed:

3. in do_ns() in net-loc, copy nsswitch.files to nsswitch.conf prior to
   disabling active name services
4. if no IP NCUs are up, activate NoNet

...and should investigate excessive refreshes of network/location.

Regarding nis/client going into maintenance, I don't see that anymore - it
happened due to my messing with the stop method and forgetting to set it back
to the original value.