Re: nss_initgroups_ignoreusers ALLLOCAL issue

On Tue, 2017-05-16 at 13:41 +0200, mh@ow2.org wrote:
> Right. But isn't that against Arthur's recommendation as per nscd
> (username and ids should be unique)?

The problem is that many programs assume that the username to uid
mapping is unique (and also the other way around). One of these
applications is nscd.

Let's say you have a user joe in /etc/passwd as

joe:x:1000:100:Joe Example:/home/joe:/bin/bash

and LDAP has the equivalent of

joe:x:1020:100:Joe Example:/home/joe:/bin/bash

In some situations, if you have nscd running, running the following as
root gives this (it depends on the version of nscd used):

# getent passwd joe
joe:x:1000:100:Joe Example:/home/joe:/bin/bash
# nscd -i passwd
# getent passwd 1020
joe:x:1020:100:Joe Example:/home/joe:/bin/bash
# getent passwd joe
joe:x:1020:100:Joe Example:/home/joe:/bin/bash

You could construct a search filter for use in nslcd.conf that excludes
all local users using something like this:

# Collect regular local users (uid >= 1000, so the first regular account
# is included and system accounts are left out) and join them into one
# LDAP filter that hides LDAP entries whose uid attribute matches:
awk -F":" '{ if ($3 >= 1000) print $1 }' /etc/passwd | \
  xargs | \
  sed 's/ /)(uid=/g;s/^/(&(objectClass=posixAccount)(!(|(uid=/;s/$/))))/'

but this is a hack more than anything.

> Notice that there is no really "file created by LDAP/system user":
> Once logged in with a dup account, being LDAP or system credentials,
> you always get the primary UID of the system user ('id' command
> confirms that).

Normal filesystems only store the numeric userids. If you are using NFS
however, I would strongly recommend getting userids in sync between
client and server and absolutely avoid duplicate users. Clearing the
NFS idmapper cache is a real pain (and whether this is at all possible
varies between NFS and kernel versions).

> If the LDAP user is member of some additional ldap posix groups, you
> also get those groups available from the system as well (it's merged
> with local groups); which is rather pleasant btw.

This works more or less the same as with users. You can have LDAP
groups reference local users and the other way around but duplicate
groups probably have the same effect (I don't think group members are
merged for example).

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
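A Python version of the exclusion filter described in the message above, added here as an example and not part of the message or of nss-pam-ldapd: it builds the same `filter passwd` value for nslcd.conf from passwd-format text, hex-escapes filter values per RFC 4515 (which the awk/sed one-liner does not do, so a username containing `(` or `*` would corrupt the filter), and reports username and uid collisions between the local and LDAP-derived views. The passwd data below is constructed; `filter passwd` is assumed to be the nslcd.conf directive the result is meant for.

```python
# Added example, not code from the list post or from nss-pam-ldapd.
# Constructed sample data: local /etc/passwd and the LDAP-derived view.
# "ann(ops)" is a deliberately odd name to exercise filter escaping.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
joe:x:1000:100:Joe Example:/home/joe:/bin/bash
ann(ops):x:1001:100:Ann:/home/ann:/bin/bash
"""
LDAP_PASSWD = """joe:x:1020:100:Joe Example:/home/joe:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1021:100:Carol:/home/carol:/bin/bash
"""


def parse_passwd(text):
    """Return a list of (name, uid) from passwd-format lines."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries.append((fields[0], int(fields[2])))
    return entries


# RFC 4515: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def ldap_escape(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_exclude_filter(local_text, min_uid=1000):
    """nslcd.conf 'filter passwd' value that hides LDAP accounts whose uid
    attribute matches a regular local user (uid >= min_uid)."""
    names = [n for n, uid in parse_passwd(local_text) if uid >= min_uid]
    if not names:  # nothing to exclude: keep the plain default filter
        return "(objectClass=posixAccount)"
    clauses = "".join("(uid=%s)" % ldap_escape(n) for n in names)
    return "(&(objectClass=posixAccount)(!(|%s)))" % clauses


def find_collisions(local_text, ldap_text):
    """Return sorted lists of usernames and uids present on both sides."""
    local, ldap = parse_passwd(local_text), parse_passwd(ldap_text)
    names = {n for n, _ in local} & {n for n, _ in ldap}
    uids = {u for _, u in local} & {u for _, u in ldap}
    return sorted(names), sorted(uids)


if __name__ == "__main__":
    print("filter passwd " + build_exclude_filter(LOCAL_PASSWD))
    print("collisions (names, uids):", find_collisions(LOCAL_PASSWD, LDAP_PASSWD))
```

In practice the LDAP side would come from `getent passwd` on a host where nslcd is configured without the exclusion, so that the collision report covers what nscd would actually cache.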