gentent works but "id" and "groups" commands fail with message "failed to get groups for user "

by Jodok Ole Müllers

Hello,

I set up libnss-ldap on Linux to get user/group information
from a Windows Active Directory Server.

With getent it all looks fine to me, although I am not sure about
the password field (second field in getent passwd) which is 'x'
for local users and 'ABCD!efgh12345$67890' for ADS users.
Same with getent group, the group password field is 'x' for local
users and '*' for ADS users.

Even though getent output looks fine the
id and groups commands fail for users stored in ADS LDAP:

This is a user on the ADS:
cmd> id adsuser
uid=10004(adsuser) gid=100001(aixgroup)id: failed to get groups for user `adsuser': No such file or directory

cmd> groups adsuser
aixgroupid: failed to get groups for user `adsuser': No such file or directory

This is a local user configured in /etc/passwd /etc/shadow /etc/groups
cmd> id jom
uid=1000(jom) gid=1000(jom) groups=1000(jom),4(adm),20(dialout),24(cdrom),25(floppy)

cmd> groups jom
jom adm dialout cdrom floppy

cmd> getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
...
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
... these are coming from ADS:
Administrator:ABCD!efgh12345$67890:10003:10000:Administrator:/home/Administrator:/bin/sh
heinzt:ABCD!efgh12345$67890:10000:10002:Heinz Test:/home/heinzt:/bin/bash
ldap:ABCD!efgh12345$67890:10001:10001:ldap:/home/ldap:/bin/sh
adsuser:ABCD!efgh12345$67890:10004:100001:ADS User:/home/adsuser:/bin/bash

cmd> getent group
root:x:0:
daemon:x:1:
...
jom:x:1000:
... these are coming from ADS
Administratoren:*:10000:
ppiuser:*:99999:heinzt
aixgroup:*:100001:adsuser
This is my configuration:

cmd> cat /etc/nsswitch.conf
passwd:         compat ldap  [notfound=continue]
group:          compat ldap  [notfound=continue]
shadow:         compat ldap  [notfound=continue]

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

cmd> cat /etc/ldap.conf
### debug
debug 256
logdir /var/log/ldap

### connection
uri ldap://10.2.1.70
base dc=av-verlag,dc=de
scope sub
timelimit 30
ssl no
nss_reconnect_tries 3
ldap_version 2
binddn CN=ldap,CN=Users,DC=av-verlag,DC=de
bindpw secret
bind_policy hard
nss_connect_policy persist
nss_paged_results yes

### Mapping

nss_base_passwd dc=av-verlag,dc=de
nss_base_shadow dc=av-verlag,dc=de
nss_base_group dc=av-verlag,dc=de

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group

nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos displayName
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute cn sAMAccountName

#nss_map_attribute uniqueMember msSFU30PosixMemberOf
nss_map_attribute uniqueMember msSFU30PosixMember

nss_map_attribute givenname displayName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute gid msSFU30GidNumber

pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
nss_schema rfc2307bis


cmd> cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=av-verlag,dc=de
URI ldap://10.2.1.70

#SIZELIMIT 12
TIMELIMIT 5
#DEREF never


I put further debug information (ldapsearch, strace getent)
here because it was not possible to get this mailed to the list:
http://www.pastebin.ca/raw/950040


Thanks, Jodok

Re: gentent works but "id" and "groups" commands fail with message "failed to get groups for user "

by Arthur de Jong


On Thu, 2008-03-20 at 09:42 +0100, jodok-ole.muellers@...
wrote:

> I set up libnss-ldap on Linux to get user/group information
> from a Windows Active Directory Server.
>
> With getent it all looks fine to me, although I am not sure about
> the password field (second field in getent passwd) which is 'x'
> for local users and 'ABCD!efgh12345$67890' for ADS users.
> Same with getent group, the group password field is 'x' for local
> users and '*' for ADS users.
>
> Even though getent output looks fine the
> id and groups commands fail for users stored in ADS LDAP:
I ran into this problem with nss-ldapd. It may also affect nss_ldap (I
haven't checked in the code, though, that this is really the problem).

The GNU glibc docs [1] seem to suggest that if you return
NSS_STATUS_NOTFOUND you should set errno to ENOENT. This however causes
problems with some tools.

Instead if get*ent() does not find any more entries it should just
return NSS_STATUS_NOTFOUND and not touch errno.

[1] http://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html

--
-- arthur - arthur@... - http://ch.tudelft.nl/~arthur --



Re: gentent works but "id" and "groups" commands fail with message "failed to get groups for user "

by Luke Howard

This may have been fixed in nss_ldap-260:

260     Luke Howard <lukeh@...>

         * patch from Ralf Haferkamp <rhafer@...>:
           only set errno for NSS_TRYAGAIN


-- Luke

On 21/03/2008, at 7:52 PM, Arthur de Jong wrote:

>
> On Thu, 2008-03-20 at 09:42 +0100, jodok-ole.muellers@...
> wrote:
>> I set up libnss-ldap on Linux to get user/group information
>> from a Windows Active Directory Server.
>>
>> With getent it all looks fine to me, although I am not sure about
>> the password field (second field in getent passwd) which is 'x'
>> for local users and 'ABCD!efgh12345$67890' for ADS users.
>> Same with getent group, the group password field is 'x' for local
>> users and '*' for ADS users.
>>
>> Even though getent output looks fine the
>> id and groups commands fail for users stored in ADS LDAP:
>
> I ran into this problem with nss-ldapd. It may also affect nss_ldap (I
> haven't looked at the code though that this is really the problem).
>
> The GNU glibc docs [1] seem to suggest that if you return
> NSS_STATUS_NOTFOUND you should set errno to ENOENT. This however causes
> problems with some tools.
>
> Instead if get*ent() does not find any more entries it should just
> return NSS_STATUS_NOTFOUND and not touch errno.
>
> [1] http://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html
>
> --
> -- arthur - arthur@... - http://ch.tudelft.nl/~arthur --

--
www.padl.com | www.fghr.net
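A small C model of the errno interaction Arthur describes and of the nss_ldap-260 fix Luke cites ("only set errno for NSS_TRYAGAIN"), added here as an example and not code from nss_ldap or nss-ldapd: a mock NSS getgrent backend that either sets errno to ENOENT at end of enumeration or leaves it alone, and a caller that, like id/groups gathering a user's groups, treats a non-zero errno after the last entry as a failure. The group table, the `count_user_groups` caller and its errno-checking convention are constructed assumptions for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* NSS status codes with the values glibc's <nss.h> uses, defined here so the
 * example is self-contained. */
enum nss_status { NSS_STATUS_TRYAGAIN = -2, NSS_STATUS_UNAVAIL = -1,
                  NSS_STATUS_NOTFOUND = 0, NSS_STATUS_SUCCESS = 1 };
/* Constructed stand-in for the directory's group table (names from the thread). */
struct grp_entry { const char *name; const char *member; };
static const struct grp_entry table[] = {
    { "Administratoren", "" }, { "ppiuser", "heinzt" }, { "aixgroup", "adsuser" } };
#define NGROUPS (sizeof table / sizeof table[0])
/* Module side: one getgrent step. buggy != 0 models what Arthur describes (errno =
 * ENOENT at end of enumeration); buggy == 0 models the fix: errno untouched on NOTFOUND. */
static enum nss_status module_getgrent(size_t *cursor, const struct grp_entry **out, int buggy)
{
    if (*cursor >= NGROUPS) {
        if (buggy)
            errno = ENOENT;          /* end of list reported as if it were an error */
        return NSS_STATUS_NOTFOUND;  /* fixed module returns this with errno untouched */
    }
    *out = &table[(*cursor)++];
    return NSS_STATUS_SUCCESS;
}
/* Caller side, modelled on how id/groups gather a user's groups: walk the whole
 * list and, once enumeration stops, treat a non-zero errno as a real failure.
 * Returns the number of groups the user belongs to, or -1 with errno set. */
static int count_user_groups(const char *user, int buggy)
{
    size_t cursor = 0;
    const struct grp_entry *g;
    int count = 0;
    errno = 0;
    while (module_getgrent(&cursor, &g, buggy) == NSS_STATUS_SUCCESS) {
        if (strcmp(g->member, user) == 0)
            count++;
        errno = 0;                   /* reset before every step, as the caller does */
    }
    return errno == 0 ? count : -1;  /* ENOENT here -> "No such file or directory" */
}
int main(void)
{
    int n = count_user_groups("adsuser", 1);
    printf("buggy module: %d (%s)\n", n, n < 0 ? strerror(errno) : "ok");
    printf("fixed module: %d\n", count_user_groups("adsuser", 0));
    return 0;
}
```

The buggy variant reproduces the "failed to get groups for user ... No such file or directory" symptom even though every group entry was returned successfully; the fixed variant counts the membership correctly.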