On Tue, 2012-07-03 at 23:56 +0200, Jan Engelhardt wrote:
> On Tuesday 2012-07-03 14:20, Stephen Gallagher wrote:
>
> >> The version I am on uses glibc-2.15-725b8ee08aff.tar.xz as source.
> >> This tarball ships an nsswitch.conf with the questionable initgroups:
> >> line in its default nsswitch.conf (so I am in fact on a susceptible
> >> version).
> >> However, openSUSE never ships that and instead its own nsswitch.conf,
> >> so I never have had any initgroups: line and don't do so to this day.
> >> So all commands I executed already were without initgroups:.
> >
> >Just to rule out the possibility that openSUSE's internal default was
> >modified to behave the way the new initgroups line does, can you set
> >
> >initgroups: files [SUCCESS=continue] sss
> >
> >explicitly and try that?
>
> Sigh. sssd problems are so hard to reproduce.
>
> v-sfac:/home/jengelh # rm -Rf /var/lib/sss/{db,mc}/*; rcsssd restart
> redirecting to systemctl
> v-sfac:/home/jengelh # id jengelh
> uid=25121(jengelh) gid=100(users) groups=100(users),33(video)
> v-sfac:/home/jengelh # getent group 31327
> rdesktop:*:31327:jengelh,fzapf,mmaus,mkromer
> (^ jengelh was not part of 31327 before...)
> v-sfac:/home/jengelh # id jengelh
> uid=25121(jengelh) gid=100(users) groups=100(users),33(video)
>
>
> After adding the nsswitch.conf line:
>
>
> v-sfac:/home/jengelh # rm -Rf /var/lib/sss/{db,mc}/*; rcsssd restart
> redirecting to systemctl
> v-sfac:/home/jengelh # id jengelh
> uid=25121(jengelh) gid=100(users) groups=100(users),33(video)
> v-sfac:/home/jengelh # getent group 31327
> rdesktop:*:31327:jengelh,fzapf,mmaus,mkromer
> v-sfac:/home/jengelh # id jengelh
> uid=25121(jengelh) gid=100(users) groups=100(users),33(video),31327(rdesktop)

Hmm, looks like something might be up with the nested group processing
of RFC2307bis servers. There was only one patch in 1.8.4 that touched
nested processing[1], so that should narrow down the search.

Can you please do the following?

1) Add debug_level = 8 to the [domain/DOMAINNAME] section of sssd
2) rm -Rf /var/lib/sss/{db,mc}/*; rcsssd restart
3) id -G jengelh
4) Send us the (sanitized if needed) /var/log/sssd/sssd_DOMAINNAME.log
   of that 'id -G' (please use the -G, otherwise the log will be full of
   group lookups as well, and what's happening here appears to be related
   only to initgroups())

[1] LDAP nested groups: Do not process callback with _post deep in the
nested structure - 6efb62b8b94405cfd0afecbf2d04985b6f44419b -
https://fedorahosted.org/sssd/ticket/1343

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
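
The mismatch visible in the quoted session (getent group lists jengelh as a member of 31327 while id omits that group) can be checked mechanically. The following is an added example, not part of the original message or of sssd; the function names id_gids and missing_groups are hypothetical, and the sample strings are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: flag groups that list a user as a member (getent group)
# but are absent from that user's initgroups() result as shown by id(1).

# Constructed sample input, taken from the session quoted in the thread.
ID_WITHOUT_LINE='uid=25121(jengelh) gid=100(users) groups=100(users),33(video)'
ID_WITH_LINE='uid=25121(jengelh) gid=100(users) groups=100(users),33(video),31327(rdesktop)'
GETENT_GROUP='rdesktop:*:31327:jengelh,fzapf,mmaus,mkromer'

# Print one numeric GID per line from the groups= field of an id(1) line.
# Assumes group names contain neither commas nor "groups=".
id_gids() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/(.*//'
}

# missing_groups USER ID_LINE GETENT_LINES
# Print "gid(name)" for every group entry that names USER in its member
# list although the GID does not appear in ID_LINE.
missing_groups() {
    user=$1
    gids=$(id_gids "$2")
    printf '%s\n' "$3" | while IFS=: read -r name _pw gid members; do
        [ -n "$gid" ] || continue            # skip empty or malformed lines
        case ",$members," in
            *",$user,"*) ;;                  # exact member-name match
            *) continue ;;
        esac
        printf '%s\n' "$gids" | grep -qx "$gid" || printf '%s(%s)\n' "$gid" "$name"
    done
}

# Live use on a host would look like:
#   missing_groups jengelh "$(id jengelh)" "$(getent group 31327)"
```

An empty result means the two views agree for the groups that were checked; any line printed is a membership that initgroups() did not return.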