
Bug#240836: libc6: Duplicated group-id's breaks NFS-access



>>>>> "GM" == GOTO Masanori <gotom@debian.or.jp> writes:

 GM> At Mon, 29 Mar 2004 16:51:36 +0200 (CEST),
 GM> Anders Boström wrote:
 >> I recently got problems accessing our NFS server. Even though I was a
 >> member of the right groups, my accesses were denied by the server. After
 >> some investigation I found out that the NFS requests didn't contain all
 >> groups I am a member of. Also, most of the group IDs were duplicated
 >> in the NFS requests.
 >> 
 >> NFS has a limitation on the number of groups (16 I think) and as the
 >> groups are duplicated, that limit was exceeded, and I was denied
 >> access.

 GM> Yes, NFS has a limitation of up to 16 groups with basic unix authentication.

 >> The normal system utilities, like id, give this:
 >> 
 >> >id
 >> uid=1006(anders) gid=100(users) grupper=4(adm),4(adm),7(lp),7(lp),14(sysadmin),20(dialout),24(cdrom),24(cdrom),25(floppy),25(floppy),25(floppy),29(audio),29(audio),40(src),40(src),44(video),44(video),50(staff),50(staff),100(users),101(telnetd),1006(anders),2000(cad),2002(install),2002(install),2017(cvsadmin),10001(linux)
 >> >
 >> 
 >> For example, floppy is listed 3 times. A test program using
 >> getgroups gives the same result, making it a libc6 problem.
 >> 
 >> My /etc/nsswitch.conf looks like this:
 >> 
 >> group:          files nis compat
 >> 
 >> and floppy exists in both files and NIS.

 GM> So this means that /etc/groups returned the floppy entry, but the NIS
 GM> lookup still continues.  Strange.  Please check where the "floppy" group
 GM> really comes from.

I have investigated this, and one entry came from files, one from NIS
and one from compat. If I remove compat, only two floppy entries are
listed. And if I also remove myself from the floppy group in
/etc/groups, only one floppy entry is listed.

So the strange thing is that the NIS lookup, and the compat lookup,
continue even if floppy has already been found.

 GM> BTW, does your /etc/passwd have an entry starting with "+" and
 GM> followed by ":"?  If so, change as follows:

 GM> 	group:	compat

Well, I don't use +-entries, so compat should be removed instead.

 >> I don't know if it is OK to return the same group ID several times
 >> from getgroups or not, BUT NFS (and system utilities like id) should
 >> not duplicate group IDs.

 GM> The usual NFS implementation does not reject duplicated group ids
 GM> (the AUTH_UNIX module only checks each group id), and IIRC the NFS
 GM> specification does not say anything about such ids.

Yes, the NFS server is not rejecting the requests. The problem is
that groups are left out of the request, due to the duplication of
other groups, making the server respond with permission denied.

 >> This problem is new; older versions of my system did not duplicate the
 >> group IDs in NFS requests. I update testing almost every day, and
 >> one month ago the problem didn't exist.

 GM> So I suspect your environment.  Glibc 2.3.2.ds1 series did not touch
 GM> the original codebase these days.

OK, if it is my environment, what can cause this? How do I debug it?

/ Anders
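
The effect discussed in this thread can be measured with a short check. The following is an added example, not part of the original message or of glibc: it takes the supplementary group list from the quoted `id` output as constructed sample data and counts how many distinct groups fit in 16 slots with and without the duplicates. It assumes the client keeps the first 16 entries in the order `id` printed them; the function names are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

#define AUTH_UNIX_MAX_GIDS 16   /* group limit named in the thread */

/* Constructed sample: supplementary gids copied from the quoted `id` output.
 * On a live system the list would come from getgroups(2) instead. */
static const unsigned reported[] = {
    4, 4, 7, 7, 14, 20, 24, 24, 25, 25, 25, 29, 29, 40, 40, 44, 44,
    50, 50, 100, 101, 1006, 2000, 2002, 2002, 2017, 10001
};
#define N_REPORTED (sizeof reported / sizeof reported[0])

/* Copy in[] to out[] without repeats, keeping first-seen order.
 * out[] must have room for n entries. Returns the number kept. */
size_t dedup_gids(const unsigned *in, size_t n, unsigned *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < kept && out[j] != in[i])
            j++;
        if (j == kept)              /* not seen before */
            out[kept++] = in[i];
    }
    return kept;
}

/* Number of distinct gids that survive when only the first `limit`
 * entries of list[] are sent (assumed truncation order, see lead-in). */
size_t distinct_within_limit(const unsigned *list, size_t n, size_t limit)
{
    unsigned tmp[AUTH_UNIX_MAX_GIDS];
    if (limit > AUTH_UNIX_MAX_GIDS)
        limit = AUTH_UNIX_MAX_GIDS;
    if (n > limit)
        n = limit;
    return dedup_gids(list, n, tmp);
}

int main(void)
{
    unsigned uniq[N_REPORTED];
    size_t n_uniq = dedup_gids(reported, N_REPORTED, uniq);

    printf("entries reported: %zu, distinct: %zu\n", (size_t)N_REPORTED, n_uniq);
    printf("distinct groups in first %d slots, as reported: %zu\n", AUTH_UNIX_MAX_GIDS,
           distinct_within_limit(reported, N_REPORTED, AUTH_UNIX_MAX_GIDS));
    printf("distinct groups in first %d slots, deduplicated: %zu\n", AUTH_UNIX_MAX_GIDS,
           distinct_within_limit(uniq, n_uniq, AUTH_UNIX_MAX_GIDS));
    return 0;
}
```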


