Just thought I would share the results of the case I opened with RedHat on this issue.
The short answer - it's a bug, but can be resolved by setting an NIS domain name (anything other than null) with the nisdomainname command. It will be addressed in RHEL5.8 and RHEL6.2...

The long answer (from the RH case engineer):

Hi,

I have confirmed that this is a bug, and we have a bugzilla opened for this issue. As per the details from bugzilla, this issue will be addressed in RHEL5.8 and RHEL6.2.

A workaround would be setting a nisdomain name. For eg:

    # nisdomainname <some_name>

Then try:

    # getent passwd

It should work.

Here are the bz opened to fix this issue. Both the bugzillas are private and you won't be able to see the content. (I'm including the links for a reference, I'll add the bz contents at the bottom.)

https://bugzilla.redhat.com/show_bug.cgi?id=703345 (RHEL5 BZ)
https://bugzilla.redhat.com/show_bug.cgi?id=718057 (RHEL6 BZ)

You may add the nisdomainname command to /etc/rc.local till we get an official fix.

And here is the description from the bugzilla.

==========

We have a customer who is using nss_compat to conditionally include users into /etc/passwd based on netgroup memberships. As compat mode was essentially meant to work with NIS, it requires an nis domain name to be setup. Recall that each member of a netgroup is specified in the following format:

    (hostname,username,domainname)

The NIS domain name for the host also has to be set to the domainname set for users in this triple, using the command 'nisdomainname'. The customer does not set the domainname for any members of the netgroup, their setup is as under:

    # getent netgroup abc
    abc ( , xyz, ) ( , pqr, )

(where abc is a netgroup stored on ldap, and included in /etc/passwd with the +@netgroup syntax).

The getpwent works if they set the NIS domain name for the host to any random value. The customer's request is that this should work without requiring the NIS domain name for the host to be set.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Create an ldap based netgroup, add it to /etc/passwd as described above.
2. getent passwd (this calls getpwent) - this will not return any users from the ldap netgroup.
3. nisdomainname <random_value>
4. getent passwd - this will return netgroup users

Actual results: getent passwd does not return any ldap netgroup users

Expected results: getent passwd should return the ldap netgroup users

===========

Thanks,
Kevin

From: rhelv5-list-boun...@redhat.com [mailto:rhelv5-list-boun...@redhat.com] On Behalf Of Collins, Kevin [BEELINE]
Sent: Thursday, September 08, 2011 2:26 PM
To: rhelv5-list@redhat.com
Subject: [rhelv5-list] passwd_compat: ldap + getent + netgroup

I know this worked previously in Linux, but it has been a while since I have used compat on Linux.

I am currently changing our Linux servers to use "passwd_compat: ldap" rather than "passwd: files ldap" due to some recent changes in access requirements.

The setup I have in /etc/nsswitch.conf is:

    passwd_compat: ldap
    passwd: compat

If I include a +@netgroup where user1 is in netgroup and I do 'getent passwd user1' I see the user1 entry from LDAP passwd. If I do 'getent passwd' I do NOT see the user entry. Login as user1 works as expected, and 'id user1' is correct.

If I include a +user1 and I do 'getent passwd user1' I see the user1 entry from LDAP passwd. If I do 'getent passwd' I see the user entry. Login as user1 works as expected, and 'id user1' is correct.

Why is getent ignoring the netgroup when enumerating the users?

By the way, I have also done 'nscd -i passwd' and 'service nscd restart'...

Thanks,
Kevin
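
Added example, not part of the thread or of Red Hat's fix: a small shell check that reports whether a host matches the conditions described above (passwd: compat, at least one +@netgroup line in the passwd file, no NIS domain name set). The function names and result strings are hypothetical, and treating "(none)" as an unset domain is an assumption about what nisdomainname prints; the sample files are constructed.

```shell
#!/bin/sh
# Added example. Function names and the three result strings are hypothetical.

# Succeeds if the "passwd:" line of an nsswitch.conf-style file lists "compat".
uses_compat() {
    awk '{ sub(/#.*/, "") }   # drop trailing comments first
         $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "compat") found = 1 }
         END { exit !found }' "$1"
}

# Prints the netgroup names pulled in by +@netgroup lines of a passwd file.
compat_netgroups() {
    sed -n 's/^+@\([^:]*\).*/\1/p' "$1"
}

# Assumption: an unset NIS domain shows up as an empty string or "(none)".
nis_domain_unset() {
    [ -z "$1" ] || [ "$1" = "(none)" ]
}

# Args: nsswitch file, passwd file, current NIS domain name.
# Prints "affected", "workaround-applied" or "not-applicable".
check_enumeration() {
    nsswitch=$1 passwd=$2 domain=$3
    if ! uses_compat "$nsswitch" || [ -z "$(compat_netgroups "$passwd")" ]; then
        echo "not-applicable"
    elif nis_domain_unset "$domain"; then
        echo "affected"            # getent passwd would omit netgroup users
    else
        echo "workaround-applied"  # a NIS domain name is set
    fi
}

# Demo on constructed files mirroring the setup in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'passwd_compat: ldap\npasswd: compat\n' > "$dir/nsswitch.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\n+@abc\n' > "$dir/passwd"
    check_enumeration "$dir/nsswitch.conf" "$dir/passwd" "(none)"
    check_enumeration "$dir/nsswitch.conf" "$dir/passwd" "example"
    rm -rf "$dir"
}
demo
```

On a real host the call would be: check_enumeration /etc/nsswitch.conf /etc/passwd "$(nisdomainname 2>/dev/null)"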