Some group names aren't being resolved


Jonathan van der Watt

Apr 15, 2020, 7:33:04 PM
to nsscache-discuss
Hello,

We're testing nsscache version 0.39 and have noticed something odd. Some group names aren't being resolved by /usr/bin/id after updating the cache (I've removed all the working group names from the output):

$ id user1
uid=xxxxx(user1) gid=xxxxx(user1) groups=xxxxx(user1),...(),...(),3000010964,3000011110,3000011308,3000011381,3000011416,3000011705,3000012176,3000012290,3000012334,3000012416,3000012857,3000012882,3000012984,3000013406,3000013411,3000013413,3000013414,3000013437,3000013666,3000013713,3000013824,3000013829,3000014019,3000014436,3000014537,3000014762,3000014932


However, doing the following makes the group names reappear (for ease of reading, I've removed some of the above info. Just know that the names for all the above-mentioned GIDs are being resolved correctly):

$ touch /etc/group.cache
$ id user1
uid=xxxxx(user1) gid=xxxxx(user1) groups=xxxxx(user1),...(),...(),3000010964(groupFoo),3000011110(groupBar)...

Updating the cache breaks things again. 

Here's a copy of the contents of /etc/nsscache.conf:

[DEFAULT]
source = ldap
cache = files
maps = passwd, group, shadow
ldap_uri = ldaps://ldap.bar.baz
ldap_base = ou=foo,dc=bar,dc=baz
ldap_bind_dn = uid=nsscache,ou=users,ou=foo,dc=bar,dc=baz
ldap_bind_password = xxxxxxxxxxxx
ldap_filter = (&(shadowExpire=0)(objectClass=posixAccount))
ldap_scope = sub
ldap_tls_require_cert = demand
ldap_tls_cacertfile = /etc/ssl/certs/ca-certificates.crt
timestamp_dir = /var/lib/nsscache
files_dir = /etc
files_cache_filename_suffix = cache
ldap_rfc2307bis = 1
ldap_nested_groups = 1

[group]
ldap_base = ou=groups,ou=foo,dc=bar,dc=baz
ldap_filter = (objectClass=posixGroup)

[suffix]
prefix = ""
suffix = ""

Package versions:

$ dpkg -l nsscache libnss-cache
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                                              Version                               Architecture                          Description
+++-=================================================================-=====================================-=====================================-=======================================================================================================================================
ii  libnss-cache:amd64                                                0.17-1                                amd64                                 NSS module for using nsscache-generated files
ii  nsscache                                                          0.39-2ubuntu1                         all                                   asynchronously synchronise local NSS databases with remote directory services 

nsswitch.conf is configured as follows:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files cache
group:          files cache
shadow:         files cache

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files

Has anyone perhaps noticed similar issues?  

Jamie Wilkinson

Apr 20, 2020, 8:30:24 PM
to nsscache...@googlegroups.com
Do you have a .idx file next to the cache files?  nsscache generates an index to help libnss-cache seek to the correct locations faster.  If the index has an older timestamp, then the indexes are ignored.  So I think there's a bug in the nsscache index generation.

--
You received this message because you are subscribed to the Google Groups "nsscache-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nsscache-discu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nsscache-discuss/d45ca2c7-885f-4c69-8c96-70fb991a1250%40googlegroups.com.

Jonathan van der Watt

Apr 22, 2020, 5:08:16 AM
to nsscache-discuss
Thanks for getting back to me. I think we may have found the issue: our GIDs fall out of the signed integer range of [-2147473648 to 2147483647]. We changed the GID of an affected group to fall within the range and it worked just fine. 

Jamie Wilkinson

Apr 26, 2020, 11:24:03 PM
to nsscache...@googlegroups.com
Oh dear.  Can you tell me if the GID was correct in the cache file?

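A check for the two conditions raised in this thread, as an added example that is not part of the original posts or of nsscache: it lists cache entries whose GID exceeds the signed 32-bit maximum (2147483647) and sibling index files that are older than the cache file. The `.idx` file name and the sample cache contents are constructed, and the cache is assumed to use the group(5) `name:passwd:gid:members` layout.

```python
import os
import tempfile

INT32_MAX = 2**31 - 1  # 2147483647, top of the signed range mentioned in the thread


def oversized_gids(cache_path):
    """Return [(group_name, gid)] for entries whose GID exceeds INT32_MAX."""
    hits = []
    with open(cache_path, encoding="utf-8") as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            # Assumed group(5) layout: name:passwd:gid:member,member,...
            if len(fields) < 3 or not fields[2].isdigit():
                continue  # skip blank, comment or malformed lines
            gid = int(fields[2])
            if gid > INT32_MAX:
                hits.append((fields[0], gid))
    return hits


def ignored_indexes(cache_path):
    """Return sibling files '<cache>.<suffix>' with an mtime older than the cache.

    Per the thread, an index older than its cache file is ignored on lookup.
    """
    directory, base = os.path.split(os.path.abspath(cache_path))
    cache_mtime = os.stat(cache_path).st_mtime_ns
    older = []
    for name in sorted(os.listdir(directory)):
        if name.startswith(base + "."):
            if os.stat(os.path.join(directory, name)).st_mtime_ns < cache_mtime:
                older.append(name)
    return older


def demo():
    """Build a constructed cache and index in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "group.cache")
        with open(cache, "w", encoding="utf-8") as fh:
            fh.write("staff:x:50:user1\n"
                     "groupFoo:x:3000010964:user1\n"
                     "groupBar:x:3000011110:user1,user2\n")
        index = cache + ".idx"  # hypothetical index file name
        open(index, "w").close()
        os.utime(index, ns=(1_000_000_000, 1_000_000_000))  # index older ...
        os.utime(cache, ns=(2_000_000_000, 2_000_000_000))  # ... than the cache
        return oversized_gids(cache), ignored_indexes(cache)
```

On a real host, call `oversized_gids("/etc/group.cache")` and `ignored_indexes("/etc/group.cache")` before and after a cache update to see which groups are affected and whether the index is in use.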