On Wednesday, May 28th, 2025 at 12:46 PM, Lennart Poettering <mzerq...@0pointer.de> wrote:
> On Mi, 28.05.25 09:43, Alexander Bokovoy (aboko...@redhat.com) wrote:
>
> > There are few issues with userdb API implementation. For example,
> > there is an assumption only one responder knows the information
> > about the account being requested. In real deployments we have to
> > do group membership merges across multiple nss backends. userdb
> > right now fails to provide a complete group membership for FreeIPA
> > users, for example. This is not unique to FreeIPA, though, it would
> > do the same for any non-static backend in a default configuration.
>
> That's a misunderstanding. userdb user/group memberships are
> implemented via the GetMemberships() IPC call, and of course it's
> assumed that multiple backends provide these, and the results of all
> backends are combined. After all, it's pretty much the default case
> that a regular user for example managed by homed, is part of a
> system-specific group (such as "wheel") which is managed via
> /etc/passwd.
>
> In fact, it's even possible to put together a userdb backend that
> doesn't provide any user or group records, but does provide membership
> relationships for users of other backends.
>
> When doing NSS emulation nss-systemd understands this: when returning
> a group record it will combine a specific userdb group record from one
> backend with the results of a matching GetMemberships() of all
> backends and return that as one "struct group" NSS record. Or in other
> words: .gr_name, .gr_passwd, .gr_gid are initialized from the group
> record JSON object, but .gr_mem is initialized from the combination of
> the results of all GetMemberships() IPC calls.
>
> Lennart

I understand how it's supposed to work. But the FreeIPA issue...

Kind regards,
Pramod
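
Added example, not part of the thread and not systemd or FreeIPA code: a small in-memory model of the two behaviours discussed above, building .gr_mem from every backend's memberships versus only from the backend that returned the group record. The Backend class, resolve_group() and the "files"/"homed"/"directory" sample data are hypothetical and constructed for illustration; no real IPC is performed.

```python
from dataclasses import dataclass, field


@dataclass
class Backend:
    """Hypothetical stand-in for one userdb service (constructed data)."""
    name: str
    groups: dict = field(default_factory=dict)      # group name -> gid
    memberships: set = field(default_factory=set)   # (user, group) pairs

    def get_group_record(self, group):
        gid = self.groups.get(group)
        return None if gid is None else {"groupName": group, "gid": gid}

    def get_memberships(self, group):
        return {user for (user, grp) in self.memberships if grp == group}


def resolve_group(group, backends, combine=True):
    """Return a struct-group-like dict for `group`, or None if unknown.

    combine=True : record from the backend that has it, gr_mem from the
                   memberships of all backends (the combination described
                   in the reply).
    combine=False: gr_mem only from the backend that returned the record
                   (the single-responder assumption from the report).
    """
    owner = next((b for b in backends if b.get_group_record(group)), None)
    if owner is None:
        return None
    record = owner.get_group_record(group)
    members = set()
    for backend in (backends if combine else [owner]):
        members |= backend.get_memberships(group)
    return {"gr_name": record["groupName"], "gr_gid": record["gid"],
            "gr_mem": sorted(members)}


# Constructed sample: "wheel" is defined by the files backend only; the
# homed backend holds no group records at all, just a membership.
BACKENDS = [
    Backend("files", groups={"wheel": 10}, memberships={("root", "wheel")}),
    Backend("homed", memberships={("alice", "wheel")}),
    Backend("directory", groups={"admins": 5000},
            memberships={("bob", "wheel"), ("bob", "admins")}),
]

if __name__ == "__main__":
    print(resolve_group("wheel", BACKENDS))                 # combined view
    print(resolve_group("wheel", BACKENDS, combine=False))  # one responder
```

Comparing the two results for a privileged group such as "wheel" shows which accounts an authorization check would miss if only one responder were consulted.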