[SSSD-users] Re: Issues using NSS_TACPLUS in Fedora 36's replacement of NSCD with SSSD

Am Tue, Dec 20, 2022 at 07:14:42PM -0600 schrieb Sundar Vadivelu: > Hi all, > I am working on a system which does TACACS+ authentication of users with > pam_tacplus and nss_tacplus libraries > nss_tacplus: https://github.com/benschumacher/nss_tacplus > pam_tacplus: https://github.com/kravietz/pam_tacplus > > This solution relied on NSCD to be running, since the nss_tacplus only > implemented getpwnam_r . For getpwuid_r etc it relied on the cached entries > in nscd. It was working fine until fedora removed NSCD from glibc in FC36 ( > https://fedoraproject.org/wiki/Changes/RemoveNSCD) > > The above write up indicates that SSSD could be used to cover all cacheing > requirements that was previously provided by NSCD. However I am unable to > configure SSSD for my use case. > > When I tried to link the id_provider as proxy and the proxy_lib_name as > tacplus, sssd fails to come up. If fails with this error: > > > (2022-12-19 23:32:35): [be[shadowutils]] [sss_load_nss_symbols] (0x0010): > Library 'libnss_tacplus.so.2' did not provide mandatory symbol > 'getpwuid_r', error: /lib64/libnss_tacplus.so.2: undefined symbol: > _nss_tacplus_getpwuid_r. Hi, it would, of course be possible to make getpwuid_r not mandatory in proxy_load_nss_symbols(). But I wonder if you know the reason why this is not implemented in libnss_tacplus.so.2?

I'm asking because to work properly this requires that the user must be looked up by name first. If e.g. you call 'ls -al /home' you would only see the UIDs of those users resolved which where looked up by name before and for all other home directories only the UID is displayed which at least seems unexpected if not a bad user experience.