getpwent cannot enumerate users from netgroups with libnss_compat
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
glibc (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
This is on 9.04, but I suspect it applies to all versions.
I am using LDAP user authentication, but want to restrict access by netgroup. However, when I use netgroups, getent passwd no longer lists all of my users.
'getent passwd' does not list netgroup members when they are added to the password file like this:
+@netgroup:x:::::
If I do 'getent passwd user' and the user is a member of the group, it does work, though. They can even log in. So the user is there, it just does not get listed.
If a user is added individually, it does get listed.
+user:x:::::
However, when it hits a +@group line, it stops processing /etc/passwd, so any users listed after the netgroup do not get displayed, either. The accounts still work, though.
So, if my /etc/passwd looked like this, getent passwd would list all local users except me, and not include any members of the "admins" netgroup, either:
root:x:
[...]
sshd:x:
+@admins:x:::::
rws:x:1000:
These are the relevant lines from my nsswitch.conf:
passwd: compat
group: files ldap
shadow: compat
passwd_compat: ldap
shadow_compat: ldap
I get the same behavior on RedHat, too.
Solaris systems properly list the members. So, there is now officially one thing our Solaris systems do better than our Linux systems with regard to LDAP authentication.
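
An audit check for the discrepancy described in this report, as an added example that is not part of the original bug report or of glibc. It finds passwd entries placed after a `+@netgroup` line and reports those that resolve by name but are missing from enumeration. The function names and the sample file are constructed for illustration, and the "enumeration stops at the netgroup line" behaviour is taken from the report.

```python
import pwd

# Constructed sample mirroring the layout in the report (field values are made up).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
+@admins:x:::::
rws:x:1000:1000::/home/rws:/bin/bash
+alice:x:::::
"""

# Compat-mode prefixes, longest first so "+@" is matched before "+".
PREFIXES = [("+@", "netgroup_include"), ("-@", "netgroup_exclude"),
            ("+", "user_include"), ("-", "user_exclude")]

def classify(line):
    """Return (kind, name) for one passwd line written in compat syntax."""
    name = line.split(":", 1)[0]
    if name == "+":
        return ("include_all", "")
    for prefix, kind in PREFIXES:
        if name.startswith(prefix):
            return (kind, name[len(prefix):])
    return ("local", name)

def entries_after_netgroup(passwd_text):
    """Local and +user names that follow the first +@netgroup line."""
    seen_netgroup, after = False, []
    for line in filter(str.strip, passwd_text.splitlines()):
        kind, name = classify(line.strip())
        if kind == "netgroup_include":
            seen_netgroup = True
        elif seen_netgroup and kind in ("local", "user_include"):
            after.append(name)
    return after

def resolvable_but_unlisted(candidates, enumerated, lookup):
    """Candidates that a by-name lookup resolves but enumeration did not return."""
    missing = []
    for name in candidates:
        try:
            if name not in enumerated and lookup(name):
                missing.append(name)
        except KeyError:  # by-name lookup failed: the account really is absent
            pass
    return missing

if __name__ == "__main__":  # live check: getpwent() view versus getpwnam() view
    at_risk = entries_after_netgroup(open("/etc/passwd").read())
    listed = {p.pw_name for p in pwd.getpwall()}
    print(resolvable_but_unlisted(at_risk, listed, pwd.getpwnam))
```

Netgroup members are not named in /etc/passwd, so to cover them pass their names as extra candidates from whatever directory export is available.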