Project:Toolchain/Glibc 2.26 porting notes/nsswitch.conf in glibc-2.26

From Gentoo Wiki
Jump to:navigation Jump to:search

TL;DR (the fix)

Make sure the /etc/nsswitch.conf file contains files entry:

Good:

root #cat /etc/nsswitch.conf
...
passwd:      files
shadow:      files
group:       files
...

Also good:

root #cat /etc/nsswitch.conf
...
passwd:      compat files
shadow:      compat files
group:       compat files
...

Bad:

root #cat /etc/nsswitch.conf
...
passwd:      compat
shadow:      compat
group:       compat
...

What is broken

If you have compat database only listed as a service resolver and install glibc-2.26 most programs will fail to resolve users and groups: login, ssh and so on will fail.

One of many manifestations of the problem:

root #emerge --update --deep @world
...
portage: 'portage' user or group missing.
For the defaults, line 1 goes into passwd, and 2 into group.
portage:x:250:250:portage:/var/tmp/portage:/bin/false
portage::250:portage
...

Why the breakage

Details can be seen at bug #627338

glibc-2.26 deprecates obsolete NSL libraries. (in this case libnss_compat.so.2 gone away)

Gentoo happened not to change nsswitch.conf since 2006.

Normally /etc/nsswitch.conf is installed and updated by glibc ebuild when both conditions are met:

  • FEATURES=config-protect-if-modified is set in make.conf
  • nsswitch.conf has no user modifications (kept as installed by glibc)

To be extra cautious glibc ebuild fails as TODO.

To update nsswitch.conf the simplest is to add files entry into every line using compat. Example fix:

root #sed 's/\<compat\>/files compat/g' /etc/nsswitch.conf

But I really, really need the compat functionality!

Well, you can install sys-auth/libnss-compat, which re-adds the functionality. Not really much tested, and not really well-supported so far though.

Note
glibc upstream reversed course in 2.27 and included compat in the default list again. sys-auth/libnss-compat is no longer necessary and only works with glibc-2.26*