Public bug reported:

When nslcd drops privileges at startup, it calls setgroups(0, NULL) rather than the expected initgroups("username", gid). This causes nslcd not to be able to read files (such as TLS certificates) if they are owned by one of the supplemental groups specified in the /etc/group file.

If it matters, nscd works as expected by calling getgrouplist() and then the appropriate setgroups() with the group list when it drops privileges.

The debug output from nslcd shows this happening:

    nslcd: DEBUG: setgroups(0,NULL) done
    nslcd: DEBUG: setgid(112) done
    nslcd: DEBUG: setuid(106) done

and it appears to do this intentionally in nslcd.c:

    /* drop all supplemental groups */
    if (setgroups(0,NULL)<0)

** Affects: nss-pam-ldapd (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1020303

Title:
  nslcd drops supplemental groups when dropping privileges
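
The two privilege-drop behaviours contrasted in this report, as an added example that is not part of the original report and is not nslcd's or nscd's code. The function names, MAX_GROUPS and the Linux/glibc target are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* setgroups(), getgrouplist() on glibc */
#endif
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64       /* hypothetical upper bound for this example */

/* Decide which supplemental groups the daemon holds after the drop.
 * keep_supplemental == 0 models setgroups(0, NULL): an empty list.
 * keep_supplemental != 0 models the getgrouplist() + setgroups() path.
 * Returns the number of groups written to out, or -1 if out is too small. */
int plan_groups(const char *user, gid_t gid, int keep_supplemental,
                gid_t *out, int max)
{
    int n = max;
    if (!keep_supplemental)
        return 0;
    if (getgrouplist(user, gid, out, &n) < 0)
        return -1;
    return n;
}

/* Would a group-readable file owned by file_gid be readable through group
 * membership, given the primary gid and the planned supplemental list? */
int group_grants_read(gid_t file_gid, gid_t gid, const gid_t *groups, int n)
{
    if (file_gid == gid)
        return 1;
    for (int i = 0; i < n; i++)
        if (groups[i] == file_gid)
            return 1;
    return 0;
}

/* Apply the plan. Order matters: groups, then gid, then uid, because
 * setgroups() and setgid() need privileges that are gone after setuid(). */
int drop_privileges(const char *user, uid_t uid, gid_t gid, int keep_supplemental)
{
    gid_t groups[MAX_GROUPS];
    int n = plan_groups(user, gid, keep_supplemental, groups, MAX_GROUPS);
    if (n < 0 || setgroups((size_t)n, groups) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}
```

Keeping supplemental groups widens what the daemon can read, so a group that exists only to grant access to one certificate or key file keeps the extra access narrow.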