lists.arthurdejong.org

NSS Protocol Sanity Check?




Hi all,

Running `/usr/bin/groups $GROUP` only returns the primary group, and not
the supplemental groups.

When strace'd, `groups` appears to be sending the wrong NSS action:

group="patrick_haller"
strace groups $group 2>&1 | grep -E '(sendto|connect)'
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nslcd/socket"}, 23) = 0
sendto(3, "\1\0\0\0\351\3\0\0\16\0\0\0patrick_haller", 26, MSG_NOSIGNAL, NULL, 0) = 26
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nslcd/socket"}, 23) = 0
sendto(3, "\1\0\0\0\352\3\0\0f\230\0\0", 12, MSG_NOSIGNAL, NULL, 0) = 12
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nslcd/socket"}, 23) = 0
sendto(3, "\1\0\0\0\212\23\0\0f\230\0\0", 12, MSG_NOSIGNAL, NULL, 0) = 12

The first two queries are expected: PASSWD_BYNAME, then PASSWD_BYUID.

However, the third is 5002 for a GROUP_BYGID action, when it should
instead be 5003 for a memberUid query, right?

Thanks!

### NOTES

1) This is on CentOS 7 WITHOUT nscd running, and with
nss-pam-ldapd-0.8.13-16.el7.x86_64 and coreutils-8.22-21.el7.x86_64

2) nss-pam-ldapd is known to be working correctly because a) the following
Python script will return the correct list of groups.


#!/bin/env python2
# Ask nslcd directly (GROUP_BYMEMBER) for the groups a user belongs to.
import socket, struct, sys
NSLCD_VERSION = 1
NSLCD_ACTION_GROUP_BYMEMBER = 5003
NSLCD_SOCKET = '/var/run/nslcd/socket'
group = sys.argv[1]  # the member (user) name to look up

conn = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
conn.connect(NSLCD_SOCKET)
# Request layout: int32 version, int32 action, then a length-prefixed string.
_int32 = struct.Struct('i')
write_int32 = lambda x: conn.send(_int32.pack(x))
write_string = lambda x: write_int32(len(x)) and conn.send(x)
write_int32(NSLCD_VERSION)
write_int32(NSLCD_ACTION_GROUP_BYMEMBER)
write_string(group)
# Read the reply (up to 10 chunks) and pick the group names out of it.
# This is rough string slicing, not a full decoder for the response.
resp = ''.join(list(map(conn.recv, [ 1024 for x in range(10) ])))
groups = resp.split('*')
groups = [ x[16:] for x in groups if len(x) > 16]
name = lambda x: x[0 : x.index(chr(0x1)) ]
print([ name(x) for x in groups ])


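The three `sendto` buffers from the strace output above, decoded field by field. This is an added example, not part of the original post or of nss-pam-ldapd; it assumes the request layout the post's own script writes (int32 version, int32 action, then a length-prefixed string or a single int32), little-endian as on the x86_64 host, and knows only the four actions the post names, with 1001 and 1002 read off the captured bytes.

```python
import re
import struct

# Action codes for the four requests the post names (protocol version 1).
ACTIONS = {1001: "PASSWD_BYNAME", 1002: "PASSWD_BYUID",
           5002: "GROUP_BYGID", 5003: "GROUP_BYMEMBER"}
STRING_ARG = {1001, 5003}  # argument: int32 length followed by that many bytes
INT_ARG = {1002, 5002}     # argument: one int32 (uid or gid)

# The buffers exactly as strace printed them in the post.
CAPTURED = [
    r"\1\0\0\0\351\3\0\0\16\0\0\0patrick_haller",
    r"\1\0\0\0\352\3\0\0f\230\0\0",
    r"\1\0\0\0\212\23\0\0f\230\0\0",
]

_SIMPLE = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, '"': 34, "\\": 92}
_ESCAPE = re.compile(r'\\([0-7]{1,3}|x[0-9a-fA-F]{2}|[ntrvf"\\])')

def strace_unescape(text):
    """Convert strace's C-style quoted buffer back into the raw bytes."""
    def repl(match):
        tok = match.group(1)
        if tok[0] == "x":
            return chr(int(tok[1:], 16))
        if tok[0] in "01234567":
            return chr(int(tok, 8))
        return chr(_SIMPLE[tok])
    return _ESCAPE.sub(repl, text).encode("latin-1")

def decode_request(buf):
    """Return (version, action, action_name, argument) for one request."""
    if len(buf) < 8:
        raise ValueError("request shorter than the 8-byte header")
    version, action = struct.unpack_from("<ii", buf, 0)
    body = buf[8:]
    if action in STRING_ARG:
        if len(body) < 4:
            raise ValueError("missing string length")
        (length,) = struct.unpack_from("<i", body, 0)
        if length < 0 or len(body) != 4 + length:
            raise ValueError("string length does not match payload")
        arg = body[4:].decode("utf-8")
    elif action in INT_ARG:
        if len(body) != 4:
            raise ValueError("expected a single int32 argument")
        (arg,) = struct.unpack_from("<i", body, 0)
    else:
        arg = body  # unknown action: hand back the raw payload
    return version, action, ACTIONS.get(action, "UNKNOWN"), arg
```

Calling `decode_request(strace_unescape(line))` on each entry of `CAPTURED` shows the second and third requests carrying the same numeric id, first as a uid and then as a gid.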