Re: NSS Protocol Sanity Check?
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: Patrick <201809-nss-pam-ldapd [at] haller.ws>, nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: NSS Protocol Sanity Check?
- Date: Sat, 08 Sep 2018 14:55:47 +0200
On Fri, 2018-09-07 at 15:24 +0800, Patrick wrote:
> Running `/usr/bin/groups $GROUP` only returns the primary group, and
> not the supplemental groups.
Note that it is groups $USER: you look up the groups that the specified
user is a member of.
> When strace'd, `groups` appears to be sending the wrong NSS action:
>
> group="patrick_haller"
> strace groups $group 2>&1 | grep -E '(sendto|connect)'
> connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nslcd/socket"}, 23) = 0
> sendto(3, "\1\0\0\0\351\3\0\0\16\0\0\0patrick_haller", 26, MSG_NOSIGNAL,
> NULL, 0) = 26
> connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nslcd/socket"}, 23) = 0
> sendto(3, "\1\0\0\0\352\3\0\0f\230\0\0", 12, MSG_NOSIGNAL, NULL, 0) = 12
> connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nslcd/socket"}, 23) = 0
> sendto(3, "\1\0\0\0\212\23\0\0f\230\0\0", 12, MSG_NOSIGNAL, NULL, 0) = 12
>
> The first two queries are expected: PASSWD_BYNAME, then PASSWD_BYUID.
>
> However, the third is 5002 for a GROUP_BYGID action, when it should
> instead be 5003 for a memberUid query, right?
The GROUP_BYGID call could be used to find the user's primary group
name and GROUP_BYMEMBER is expected to find the groups the user is a
member of.
If you are running nslcd in debug mode, do you not see group/member
requests coming by?
What does your /etc/nsswitch.conf look like?
--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
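
Decoding the three traced `sendto` payloads makes the action codes discussed in this thread easy to check. The sketch below is an added example, not part of the original message or of nss-pam-ldapd. The action names and numbers are those given in the thread; the field layout (little-endian int32 version, int32 action, then an int32 id or a length-prefixed string) is an assumption read off the trace.

```python
import re
import struct

# Codes/names as given in the thread; argument kinds inferred from the trace.
ACTIONS = {
    1001: ("PASSWD_BYNAME", "str"),
    1002: ("PASSWD_BYUID", "int32"),
    5002: ("GROUP_BYGID", "int32"),
    5003: ("GROUP_BYMEMBER", "str"),
}
# The three sendto() lines quoted in the message, with the wrapped line rejoined.
TRACE = r'''
sendto(3, "\1\0\0\0\351\3\0\0\16\0\0\0patrick_haller", 26, MSG_NOSIGNAL, NULL, 0) = 26
sendto(3, "\1\0\0\0\352\3\0\0f\230\0\0", 12, MSG_NOSIGNAL, NULL, 0) = 12
sendto(3, "\1\0\0\0\212\23\0\0f\230\0\0", 12, MSG_NOSIGNAL, NULL, 0) = 12
'''
_NAMED = {"n": 10, "t": 9, "r": 13, "f": 12, "v": 11, "\\": 92, '"': 34}
_TOKEN = re.compile(r'\\([0-7]{1,3})|\\([ntrfv\\"])|(.)', re.S)
_SENDTO = re.compile(r'sendto\(\d+, "((?:[^"\\]|\\.)*)"')

def strace_unescape(text):
    """Convert the body of a strace string literal (octal escapes) to bytes."""
    out = bytearray()
    for octal, named, plain in _TOKEN.findall(text):
        out.append(int(octal, 8) if octal else _NAMED[named] if named else ord(plain))
    return bytes(out)

def decode_request(payload):
    """Decode version, action and argument; little-endian as seen in the trace."""
    if len(payload) < 8:
        raise ValueError("request shorter than the version/action header")
    version, action = struct.unpack_from("<ii", payload)
    name, kind = ACTIONS.get(action, ("UNKNOWN", None))
    if kind is None:
        return version, action, name, payload[8:]   # keep raw argument bytes
    if len(payload) < 12:
        raise ValueError("argument missing")
    (word,) = struct.unpack_from("<i", payload, 8)
    if kind == "int32":
        return version, action, name, word          # uid or gid
    if word < 0 or len(payload) != 12 + word:
        raise ValueError("string length does not match payload size")
    return version, action, name, payload[12:].decode("ascii")

def decode_trace(text):
    """Decode the payload of every sendto() call found in strace output."""
    return [decode_request(strace_unescape(m)) for m in _SENDTO.findall(text)]

if __name__ == "__main__":
    print(*decode_trace(TRACE), sep="\n")
```

Run against the trace in the thread, this reports PASSWD_BYNAME, PASSWD_BYUID and GROUP_BYGID, and no request with action 5003.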