Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf
On Thu, Apr 27, 2006 at 10:40:32AM -0400, Jesse W. Hathaway wrote:
> [...]
>     struct passwd *pw = getpwnam(user);
>     if (pw == NULL) return 0;
>     if (getgrouplist(user, pw->pw_gid, NULL, &ng) < 0) {
>         groups = (gid_t *) malloc(ng * sizeof (gid_t));
>         getgrouplist(user, pw->pw_gid, groups, &ng);
>     }
> [...]
> doing an strace on the above program when searching for a user in /etc/passwd shows ldap being searched, with or without [SUCCESS=return] in nsswitch.conf.

The above is not a good example. Do LDAP lookups happen with a single getpwnam() call _only_? If yes, then it is a bug, otherwise it's not.

getgrouplist() and initgroups() will _always_ enumerate all NSS group data sources regardless of action statements. It may be unfortunate sometimes due to the generated load, but this is how their semantics are defined. The only solution is not to use LDAP for the group database at all.

> Changing nsswitch to [UNAVAIL=return] disables ldap lookups for all requests even if the user is not in /etc/passwd.

Note that the UNAVAIL status refers only to the generic availability of the service, it has nothing to do with the user being defined or not.

That said, files [UNAVAIL=return] ldap should not disable ldap (quite the contrary, it should have basically no effect unless you delete /etc/passwd etc.), so this may need further investigation.

Gabor

-- 
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf
> On Thu, Apr 27, 2006 at 10:40:32AM -0400, Jesse W. Hathaway wrote:
> > [...]
> >     struct passwd *pw = getpwnam(user);
> >     if (pw == NULL) return 0;
> >     if (getgrouplist(user, pw->pw_gid, NULL, &ng) < 0) {
> >         groups = (gid_t *) malloc(ng * sizeof (gid_t));
> >         getgrouplist(user, pw->pw_gid, groups, &ng);
> >     }
> > [...]
> > doing an strace on the above program when searching for a user in /etc/passwd shows ldap being searched, with or without [SUCCESS=return] in nsswitch.conf.
>
> The above is not a good example. Do LDAP lookups happen with a single getpwnam() call _only_? If yes, then it is a bug, otherwise it's not.
>
> getgrouplist() and initgroups() will _always_ enumerate all NSS group data sources regardless of action statements. It may be unfortunate sometimes due to the generated load, but this is how their semantics are defined. The only solution is not to use LDAP for the group database at all.

If this is the case then why does the man page for nsswitch.conf give the option of specifying [SUCCESS=return] for the group database, when this has no effect on the above functions? I think it should be noted in nsswitch.conf's man page that the entire group list is always searched.

Why is it defined that getgrouplist() and initgroups() _always_ enumerate all NSS groups? This can cause problems for system daemons. For instance apache2 does an initgroups every time it spawns a thread, which results in my ldap servers being pounded when I have high load on my webservers. Nscd is a possible solution to the problem, but the version in stable does not cache initgroup requests, and the version in unstable invalidates them prematurely. Having the ability to not search other databases for local name service lookups seems like a valuable function.

> > Changing nsswitch to [UNAVAIL=return] disables ldap lookups for all requests even if the user is not in /etc/passwd.
>
> Note that the UNAVAIL status refers only to the generic availability of the service, it has nothing to do with the user being defined or not.
>
> That said, files [UNAVAIL=return] ldap should not disable ldap (quite the contrary, it should have basically no effect unless you delete /etc/passwd etc.), so this may need further investigation.
>
> Gabor
Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf
On Fri, Apr 28, 2006 at 08:03:39AM -0400, Jesse W. Hathaway wrote:
> Why is it defined that getgrouplist() and initgroups() _always_ enumerate all NSS groups?

Just think about the simple case when a user defined in /etc/passwd is also a member of a group that is only defined in LDAP. getgrouplist() and initgroups() MUST support this.

Or another viewpoint: when enumerating entries neither the SUCCESS nor the NOTFOUND conditions occur until all backends are exhausted, so [SUCCESS=return] or [NOTFOUND=return] has no effect on enumeration.

Btw. both the nsswitch.conf man page and the glibc documentation say:

    The second item in the specification gives the user much finer control on the lookup process.

So they only mention the _lookup_ process (i.e. getXXbyYY()), they do not say that action statements would have any effect on enumeration.

> This can cause problems for system daemons. For instance apache2 does an initgroups every time it spawns a thread, which results in my ldap servers being pounded when I have high load on my webservers. Nscd is a possible solution to the problem, but the version in stable does not cache initgroup requests, and the version in unstable invalidates them prematurely. Having the ability to not search other databases for local name service lookups seems like a valuable function.

That is a well-known scenario and the usual advice is do not use LDAP as the group NSS backend.

Gabor

-- 
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences
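To illustrate the lookup-versus-enumeration distinction Gabor describes above, here is an added toy model of the NSS dispatcher applying [STATUS=action] rules; it is not code from the bug thread or from glibc, and the two backends, the user "alice" and the gids 100 and 2000 are constructed for the demonstration.

```c
#include <string.h>
/* Constructed toy model (not code from the bug thread) of how NSS handles
 * "group: files [SUCCESS=return] ldap" for a by-name lookup versus the
 * enumeration that getgrouplist()/initgroups() perform. */
enum status { NSS_UNAVAIL, NSS_NOTFOUND, NSS_SUCCESS };
enum action { ACT_RETURN, ACT_CONTINUE };
struct backend {
    const char *user;  /* the single user this toy backend knows about */
    int gid;           /* the one group it lists that user in */
    int available;     /* 0 => every call yields NSS_UNAVAIL */
    int queries;       /* how often the dispatcher called this backend */
    enum action on[3]; /* [STATUS=action] rule, indexed by enum status */
};
static enum status query(struct backend *b, const char *user, int *gid)
{
    b->queries++;
    if (!b->available) return NSS_UNAVAIL;
    if (strcmp(b->user, user) != 0) return NSS_NOTFOUND;
    return *gid = b->gid, NSS_SUCCESS;
}
/* getXXbyYY()-style lookup: after each source, the action for the status it
 * returned decides whether to stop. Returns the gid, or -1 if not found. */
int nss_lookup(struct backend *srcs, int n, const char *user)
{
    int gid = -1;
    for (int i = 0; i < n; i++) {
        enum status s = query(&srcs[i], user, &gid);
        if (srcs[i].on[s] == ACT_RETURN) return s == NSS_SUCCESS ? gid : -1;
    }
    return -1;
}
/* Enumeration (getgrouplist/initgroups): every source is consulted and the hits
 * merged; SUCCESS/NOTFOUND only arise after all sources. Returns the hit count. */
int nss_enumerate(struct backend *srcs, int n, const char *user)
{
    int count = 0, gid;
    for (int i = 0; i < n; i++)
        if (query(&srcs[i], user, &gid) == NSS_SUCCESS) count++;
    return count;
}
/* The reporter's scenario, default actions: "alice" is in files but also in an
 * LDAP-only group. Returns ldap_queries * 10 + hits: 1 for lookup, 12 for enum. */
int demo(int enumerate)
{
    struct backend srcs[2] = {
        {"alice", 100,  1, 0, {ACT_CONTINUE, ACT_CONTINUE, ACT_RETURN}},
        {"alice", 2000, 1, 0, {ACT_CONTINUE, ACT_CONTINUE, ACT_RETURN}}};
    int hits = enumerate ? nss_enumerate(srcs, 2, "alice") : (nss_lookup(srcs, 2, "alice") >= 0);
    return srcs[1].queries * 10 + hits;
}
```

The by-name lookup stops at files because SUCCESS=return fires there, so ldap is never contacted; the enumeration has to visit ldap to find the second membership, which is exactly why no action rule on the files source can suppress it.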
Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf
> On Fri, Apr 28, 2006 at 08:03:39AM -0400, Jesse W. Hathaway wrote:
> > Why is it defined that getgrouplist() and initgroups() _always_ enumerate all NSS groups?
>
> Just think about the simple case when a user defined in /etc/passwd is also a member of a group that is only defined in LDAP. getgrouplist() and initgroups() MUST support this.

I do understand why this feature is needed. However, the additional feature of having the ability to disable this function is also needed. It is quite common to not have any of the users, used for system daemons, to be included in groups found in network directories. It seems needless to query network directories for system daemons such as apache.

> Or another viewpoint: when enumerating entries neither the SUCCESS nor the NOTFOUND conditions occur until all backends are exhausted, so [SUCCESS=return] or [NOTFOUND=return] has no effect on enumeration.
>
> Btw. both the nsswitch.conf man page and the glibc documentation say:
>
>     The second item in the specification gives the user much finer control on the lookup process.
>
> So they only mention the _lookup_ process (i.e. getXXbyYY()), they do not say that action statements would have any effect on enumeration.

Enumeration is a lookup process, so I still think the man page is unclear, as to what effect the action statement will have in the group database option.

> > This can cause problems for system daemons. For instance apache2 does an initgroups every time it spawns a thread, which results in my ldap servers being pounded when I have high load on my webservers. Nscd is a possible solution to the problem, but the version in stable does not cache initgroup requests, and the version in unstable invalidates them prematurely. Having the ability to not search other databases for local name service lookups seems like a valuable function.
>
> That is a well-known scenario and the usual advice is do not use LDAP as the group NSS backend.

Given that one of the main features of LDAP and NIS is consistent groups across all machines, I think it would be beneficial to support querying network directories selectively.
Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf
On Fri, Apr 28, 2006 at 10:51:38AM -0400, Jesse W. Hathaway wrote:
> I do understand why this feature is needed. However, the additional feature of having the ability to disable this function is also needed. It is quite common to not have any of the users, used for system daemons, to be included in groups found in network directories. It seems needless to query network directories for system daemons such as apache.

Yes, in some cases such a feature would be useful, but that feature currently does not exist.

> Enumeration is a lookup process, so I still think the man page is unclear, as to what effect the action statement will have in the group database option.

The documentation might be improved, but the documentation of SUCCESS talks about the wanted entry and the documentation of NOTFOUND talks about the needed value, both terms having no meaning for enumeration. Well, you can interpret those terms as all possible entries; either way you get that SUCCESS and NOTFOUND action rules have no effect on enumeration.

> Given that one of the main features of LDAP and NIS is consistent groups across all machines, I think it would be beneficial to support querying network directories selectively.

I think the reason this was not solved much easier is that it is not a problem for NIS/NIS+. They need far fewer resources than LDAP. Enumerating over a couple thousand users using NIS+ was not a problem when I last did it; doing the same with LDAP produces quite a significant load.

Gabor

-- 
MTA SZTAKI Computer and Automation Research Institute
Hungarian Academy of Sciences, Laboratory of Parallel and Distributed Systems
Address : H-1132 Budapest Victor Hugo u. 18-22. Hungary
Phone/Fax : +36 1 329-78-64 (secretary)
W3: http://www.lpds.sztaki.hu
Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf
> On Fri, Apr 28, 2006 at 10:51:38AM -0400, Jesse W. Hathaway wrote:
> > I do understand why this feature is needed. However, the additional feature of having the ability to disable this function is also needed. It is quite common to not have any of the users, used for system daemons, to be included in groups found in network directories. It seems needless to query network directories for system daemons such as apache.
>
> Yes, in some cases such a feature would be useful, but that feature currently does not exist.
>
> > Enumeration is a lookup process, so I still think the man page is unclear, as to what effect the action statement will have in the group database option.
>
> The documentation might be improved, but the documentation of SUCCESS talks about the wanted entry and the documentation of NOTFOUND talks about the needed value, both terms having no meaning for enumeration. Well, you can interpret those terms as all possible entries; either way you get that SUCCESS and NOTFOUND action rules have no effect on enumeration.
>
> > Given that one of the main features of LDAP and NIS is consistent groups across all machines, I think it would be beneficial to support querying network directories selectively.
>
> I think the reason this was not solved much easier is that it is not a problem for NIS/NIS+. They need far fewer resources than LDAP. Enumerating over a couple thousand users using NIS+ was not a problem when I last did it; doing the same with LDAP produces quite a significant load.

This might be the case, that NIS handles the queries faster; however, with either directory server, the loss of network connectivity should not impact the system daemons. A laptop is a good example of a system where this situation occurs on a regular basis.
Bug#365048: libc6 does not respect STATUS and ACTION options in nsswitch.conf
Package: libc6
Version: 2.3.6-7

with nsswitch.conf set to

    passwd: files ldap
    group:  files ldap
    shadow: files ldap

When looking up groups for which a user is a member, libc searches both files and ldap, even if the user is present in files. This is contrary to what is stated in the manpage:

    success
        No error occurred and the wanted entry is returned. The default action for this is ‘return’.

In addition even if the return is added explicitly:

    passwd: files [SUCCESS=return] ldap
    group:  files [SUCCESS=return] ldap
    shadow: files [SUCCESS=return] ldap

both files and ldap are still searched:

test program:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <grp.h>
    #include <pwd.h>

    int main(int argc, char *argv[])
    {
        int i, ng = 0;
        int length;
        char *user;
        gid_t *groups = NULL;

        if (argc != 2) {
            printf("Usage: grouptest username\n");
            exit(1);
        }
        length = strlen(argv[1]) + 1;
        user = (char *) malloc(length);
        if (user == NULL) {
            printf("Error on malloc");
            exit(1);
        }
        strcpy(user, argv[1]);
        printf("%s groups:\n", user);

        struct passwd *pw = getpwnam(user);
        if (pw == NULL) return 0;
        /* first call with a NULL buffer fails and stores the needed count in ng */
        if (getgrouplist(user, pw->pw_gid, NULL, &ng) < 0) {
            groups = (gid_t *) malloc(ng * sizeof (gid_t));
            getgrouplist(user, pw->pw_gid, groups, &ng);
        }
        for (i = 0; i < ng; i++)
            printf("%d\n", (int) groups[i]);
        return 0;
    }

doing an strace on the above program when searching for a user in /etc/passwd shows ldap being searched, with or without [SUCCESS=return] in nsswitch.conf.

Changing nsswitch to [UNAVAIL=return] disables ldap lookups for all requests even if the user is not in /etc/passwd.

-Jesse