Fwd: Re: Bug#121705: libc6: initgroups() in su does not initialize all NIS+ groups

Patrick Ohly Patrick.Ohly at pallas.com
Sat Dec 1 01:57:08 EST 2001


Hello,

I am writing to this list because I have a problem with
getting NIS+ access in Debian woody working reliably.
I filed a bug against libc regarding this problem in
bugs.debian.org under the id #121705, without getting
much help from the maintainer there. I hope you can help me
to shed some light onto the problem, be it
misconfiguration or something else.

What I know for sure is that initgroups() does not always
produce the same result when called repeatedly; as a consequence
of that logging into the machine (be it via su or wdm) is
a matter of good luck or stubbornness. I was hoping to replace
Solaris x86 auto clients with Linux; if this problem cannot
be solved then we might be forced to use Windows 2000 instead -
help! ;-)

I have installed the NIS+ packages from http://www.realbodo.de/:
  libpam-unix2 20000127-0
  nisplus-client 1.3-2
  nis-common 0.2
libc6 is version 2.2.4-5. The /etc/nsswitch.conf is attached
below. If further information is required, please let me know.

Ben thinks that initgroups() itself works and that something
else fails, but as I don't know how exactly initgroups() is
implemented I cannot check that. Any ideas what I might look
at?

Does initgroups() handle duplicate definitions of groups? Some
of the NIS+ groups have been defined in the "wrong" range and
now collide with groups in /etc/group. The collisions are no
security risk, so I haven't bothered removing them yet.

-----Forwarded Message-----

From: Patrick Ohly <Patrick.Ohly at pallas.com>
To: Ben Collins <bcollins at debian.org>
Cc: 121705 at bugs.debian.org
Subject: Re: Bug#121705: libc6: initgroups() in su does not initialize all NIS+ groups
Date: 30 Nov 2001 09:52:09 +0100

On Thu, 2001-11-29 at 17:35, Ben Collins wrote:
> On Thu, Nov 29, 2001 at 05:30:33PM +0100, Patrick Ohly wrote:
> > It also fails the same way e.g. when using wdm: I have just tried
> > it, and the second time I was logged in without additional groups.
> > I have only picked su as an example because I had a look at its
> > source, could compile and run it easily and found that initgroups()
> > does not work as expected.

Just to exclude any influence that su or wdm might have I wrote a
short test program, which (if run as root) calls initgroups() and
then prints the ids returned by getgroups(). It's attached.

Running it several times shows the same random failure as su:

sux:/home/pohly# /tmp/testinitgroups pohly
5 groups: 0 116 124 99 133 
sux:/home/pohly# /tmp/testinitgroups pohly
1 groups: 0 
sux:/home/pohly# /tmp/testinitgroups pohly
1 groups: 0 
sux:/home/pohly# /tmp/testinitgroups pohly
1 groups: 0 
sux:/home/pohly# /tmp/testinitgroups pohly
1 groups: 0 
sux:/home/pohly# /tmp/testinitgroups pohly
1 groups: 0 
sux:/home/pohly# /tmp/testinitgroups pohly
5 groups: 0 116 124 99 133 

$ id
uid=1053(pohly) gid=20(pallas)
groups=20(pallas),116(septools),124(metodis),99(mailuser),133(pst)

Of course my test program could be wrong, but to me it still
seems like initgroups() doesn't work reliably.

> Do you have nisplus in /etc/nsswitch.conf? The only way initgroups would
> fail is if it doesn't have the permissions to gain access to the group
> list from the NIS+ server, or if NIS+ is not used for the NSS mechanism.

I have copied the nsswitch.nisplus example config from the
nisplus-client package and only modified the line about automount to
also include nisplus. /etc/nsswitch.conf attached.

-- 
Freundliche Gruesse / Best Regards

Patrick Ohly
Software Engineer
--------------------------------------------------------------------
//// pallas 
Pallas GmbH / Hermuelheimer Str. 10 / 50321 Bruehl / Germany
Patrick.Ohly at pallas.com / www.pallas.com
Tel +49-2232-1896-30 / Fax +49-2232-1896-29
--------------------------------------------------------------------
----


#include <grp.h>
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>

/* Test program: set the supplementary groups of the calling process
 * (must be root) to those of <user> via initgroups(), then print what
 * getgroups() reports afterwards. */
int main( int argc, char **argv )
{
    if( argc != 2 ) {
        fprintf( stderr, "Usage: %s <user>\n", argv[0] );
        return 1;
    }

    /* base group 0; the remaining groups come from NSS (here NIS+) */
    if( initgroups( argv[1], 0 ) ) {
        perror( "initgroups()" );
    } else {
        gid_t list[20];
        int maxgroups = sizeof(list)/sizeof(list[0]);
        int numgroups;

        /* getgroups() fails with EINVAL if the user has more than maxgroups groups */
        numgroups = getgroups( maxgroups, list );
        if( numgroups < 0 ) {
            perror( "getgroups()" );
        } else {
            int i;

            printf( "%d groups: ", numgroups );
            for( i = 0; i < numgroups && i < maxgroups; i++ ) {
                printf( "%d ", (int)list[i] );
            }
            printf( "\n" );
            return 0;
        }
    }
    return 1;
}
----


#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the /var/db databases
#	[NOTFOUND=return]	Stop searching if not found so far
#

passwd:     compat
group:      compat

passwd_compat: nisplus
group_compat: nisplus

hosts:      nisplus files dns

services:   nisplus [NOTFOUND=return] files
networks:   nisplus [NOTFOUND=return] files
protocols:  nisplus [NOTFOUND=return] files
rpc:        nisplus [NOTFOUND=return] files
ethers:     nisplus [NOTFOUND=return] files
netmasks:   nisplus [NOTFOUND=return] files    
netgroup:   nisplus
bootparams: nisplus [NOTFOUND=return] files
publickey:  nisplus
automount:  files nisplus
aliases:    nisplus [NOTFOUND=return] files
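An added diagnostic, not the original test program above: it repeats the initgroups()/getgroups() check several times in one process and reports gids that vanish relative to the first run (the intermittent "1 groups: 0" symptom), and it counts repeated gids in a list, which bears on the question about NIS+ groups colliding with /etc/group. The sample gid arrays are constructed from the transcript above; gids_missing and gids_duplicates are names chosen here.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#define MAXG 64
/* Constructed samples: the full and the degraded result from the transcript
 * above, plus a list with one repeated gid for the duplicate check. */
const gid_t GOOD_RUN[] = { 0, 116, 124, 99, 133 };
const gid_t BAD_RUN[] = { 0 };
const gid_t DUP_SAMPLE[] = { 20, 116, 20, 99 };
/* Count the gids of ref[] that are absent from cur[]. */
int gids_missing(const gid_t *ref, int nref, const gid_t *cur, int ncur)
{
    int n = 0;
    for (int i = 0; i < nref; i++) {
        int found = 0;
        for (int j = 0; j < ncur && !found; j++) found = (ref[i] == cur[j]);
        n += !found;
    }
    return n;
}
/* Count the entries of list[] that repeat an earlier entry. */
int gids_duplicates(const gid_t *list, int n)
{
    int dups = 0;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < i; j++)
            if (list[i] == list[j]) { dups++; break; }
    return dups;
}

/* Needs root: call initgroups() <runs> times for <user> and compare each
 * run's getgroups() result with the first (base gid 0 as in the test above). */
int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "Usage: %s <user> <runs>\n", argv[0]); return 1; }
    gid_t ref[MAXG], cur[MAXG];
    int nref = -1, runs = atoi(argv[2]);
    for (int r = 0; r < runs; r++) {
        if (initgroups(argv[1], 0) != 0) { perror("initgroups()"); return 1; }
        int ncur = getgroups(MAXG, cur);
        if (ncur < 0) { perror("getgroups()"); return 1; }
        if (nref < 0) { nref = ncur; for (int i = 0; i < ncur; i++) ref[i] = cur[i]; continue; }
        printf("run %d: %d groups, %d missing vs run 0, %d duplicates\n", r, ncur,
               gids_missing(ref, nref, cur, ncur), gids_duplicates(cur, ncur));
    }
    return 0;
}
```

A run that reports missing gids on some iterations but none on others points at the NSS lookup rather than at su or wdm, which is the distinction the thread is trying to make.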
