FS#58262 - [linux-hardened][shadow][glibc] gpasswd: nscd did not terminate normally (signal 11)

Attached to Project: Arch Linux
Opened by Curtis Lee Bolin (curtisleebolin) - Wednesday, 18 April 2018, 21:57 GMT
Last edited by freswa (frederik) - Thursday, 28 September 2023, 13:30 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To David Runge (dvzrv)
Levente Polyak (anthraxx)
freswa (frederik)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:
gpasswd fails to add user to group.


Additional info:
* package versions:
* core/shadow 4.5-4
* usr/bin/gpasswd
* core/glibc 2.26-11
* usr/bin/nscd


Steps to reproduce:
$ sudo gpasswd -a lee kvm
Adding user lee to group kvm
gpasswd: nscd did not terminate normally (signal 11)
gpasswd: nscd did not terminate normally (signal 11)
gpasswd: nscd did not terminate normally (signal 11)


Thankfully usermod worked
$ sudo usermod -a -G kvm lee

Closed by  freswa (frederik)
Thursday, 28 September 2023, 13:30 GMT
Reason for closing:  Fixed
Additional comments about closing:  nscd removed in glibc-2.38-4
Comment by Tommy Schmitt (spinka) - Sunday, 29 April 2018, 14:28 GMT
I've seen the same message "gpasswd: nscd did not terminate normally (signal 11)" but "sudo gpasswd -a lee kvm" works successfully. I guess in your case it worked also.
Comment by Curtis Lee Bolin (curtisleebolin) - Monday, 30 April 2018, 14:28 GMT
Tommy, that day I was convinced `gpasswd` wasn't changing `/etc/group`, but today after testing, it does seem to be working even with the signal 11 errors.


$ sudo useradd testuser

$ grep testuser /etc/group
testuser:x:1003:

$ sudo gpasswd -a testuser kvm
Adding user testuser to group kvm
gpasswd: nscd did not terminate normally (signal 11)
gpasswd: nscd did not terminate normally (signal 11)
gpasswd: nscd did not terminate normally (signal 11)

$ grep testuser /etc/group
kvm:x:78:testuser
testuser:x:1003:
Comment by N.T. (NikTo) - Thursday, 04 February 2021, 21:37 GMT
Description:
passwd: nscd did not terminate normally (signal 11)

Package versions:
* core/shadow 4.8.1-4
* usr/bin/passwd
* core/glibc 2.32-5
* usr/bin/nscd

Steps to reproduce:
1. Install Arch Linux (including sudo package) from latest installation image (2021.02.01);
2. Log in as root;
3. % useradd -m someuser && passwd someuser && echo 'someuser ALL=(ALL) ALL' > /etc/sudoers.d/01_something && chmod 400 /etc/sudoers.d/01_something
4. Log in as someuser;
5. $ sudo passwd -l root
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
Passwd: password expiry information changed.
6. $ logout

After these actions, I can no longer log in as a user (and as root). I added a new user using arch-chroot, but he can't log in either.

Then I reinstalled the system and repeated the same steps with the same result. Complete lockdown of all.

How do I unblock everyone/someone? I don't want to reinstall the system again.
Comment by N.T. (NikTo) - Thursday, 11 March 2021, 11:55 GMT
Fresh system installation (glibc 2.33-4):

$ sudo passwd -l root
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
Passwd: password expiry information changed.

But I was able to log in. That's progress! :)

nscd is a separate package in Debian (https://packages.debian.org/sid/nscd).
From the package description: "You should install this package only if you use slow services like LDAP, NIS or NIS+".

Is it possible and necessary to separate glibc and nscd in Arch Linux?
Comment by Toolybird (Toolybird) - Thursday, 11 March 2021, 22:03 GMT
The error message comes from shadow pkg.

AFAICT nscd is not enabled by default in Arch. Did you manually enable it? Please show the output of:

systemctl status nscd

FWIW, Fedora are actively deprecating nscd (then planning to remove it entirely) [1]

[1]: https://fedoraproject.org/wiki/Changes/RemoveNSCD
Comment by N.T. (NikTo) - Friday, 12 March 2021, 06:55 GMT
No. I never enabled nscd.service manually.

$ systemctl status nscd
● nscd.service - Name Service Cache Daemon
Loaded: loaded (/usr/lib/systemd/system/nscd.service; disabled; vendor preset: disabled)
Active: inactive (dead)

journalctl doesn't say anything about nscd.

Fedora is already using sssd by default.
Debian does not use nscd and sssd (these packages are not installed) by default.
I don't know how it works in Debian yet.
Comment by freswa (frederik) - Friday, 11 February 2022, 18:52 GMT
Is this still an issue with glibc-2.35-2?
Comment by Vedran Miletić (vedranmiletic) - Sunday, 13 November 2022, 20:27 GMT
  • Field changed: Percent Complete (100% → 0%)
# passwd -d root
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
passwd: password changed.

# pacman -Q glibc
glibc 2.36-6
Comment by Toolybird (Toolybird) - Sunday, 13 November 2022, 20:30 GMT
As mentioned previously, this error message is coming from the shadow pkg. There have been lots of shadow updates lately and no glibc updates. I cannot repro this in a VM. Please provide exact steps and conditions to reliably reproduce.
Comment by Vedran Miletić (vedranmiletic) - Sunday, 13 November 2022, 20:41 GMT
Sure. This error happens when using linux-hardened kernel, but not on normal linux kernel.
Comment by David Runge (dvzrv) - Monday, 14 November 2022, 08:58 GMT
@vedranmiletic: I can reproduce this locally.

However, this does not seem to be a problem for passwd in regards to changing/removing the password. The return code is still 0.

It's probably worth reporting this upstream.
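
Since the tools print the nscd warnings and still return 0, the dependable check is to read the entry back from the database. The sketch below is an added example, not code from this ticket or from shadow: it does the `grep /etc/group` check from the earlier comment with exact field matching (so `lee` does not match `leeroy`) and reports the password-field state that `passwd -l` and `passwd -d` leave behind. The function names `group_has_member` and `shadow_state` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the entry back instead of trusting warnings or exit codes.

# group_has_member FILE GROUP USER -> exit 0 only if USER is an exact member of GROUP.
group_has_member() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# shadow_state FILE USER -> prints locked | empty | set | missing.
shadow_state() {
    awk -F: -v u="$2" '
        $1 == u {
            seen = 1; c = substr($2, 1, 1)
            if ($2 == "") s = "empty"                    # field as left by passwd -d
            else if (c == "!" || c == "*") s = "locked"  # "!" prefix is what passwd -l adds
            else s = "set"
        }
        END { print (seen ? s : "missing") }' "$1"
}

# Constructed sample databases in group(5)/shadow(5) layout; hashes are placeholders.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
SAMPLE_GROUP=$tmp/group
SAMPLE_SHADOW=$tmp/shadow
cat > "$SAMPLE_GROUP" <<'EOF'
kvm:x:78:leeroy,testuser
testuser:x:1003:
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:!$6$constructedsalt$constructedhash:19000::::::
someuser:$6$constructedsalt$constructedhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

for u in testuser lee; do
    if group_has_member "$SAMPLE_GROUP" kvm "$u"; then echo "$u: in kvm"; else echo "$u: NOT in kvm"; fi
done
for u in root someuser guest nobody; do
    echo "$u: $(shadow_state "$SAMPLE_SHADOW" "$u")"
done
```

On a live system, point the functions at `/etc/group` and, as root, `/etc/shadow`; they only cover the local files, not other NSS sources.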
Comment by David Runge (dvzrv) - Monday, 14 November 2022, 09:07 GMT
FWIW: We can remove support for nscd in shadow during configure.
As I am personally not using nscd, I don't really know though whether there is a use-case we should be aware of before doing so.
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.
Comment by Oleksandr K. (seqfault) - Friday, 08 September 2023, 21:26 GMT
can confirm the bug is still present on linux-hardened 6.4.14.hardened1-1, shadow 4.13-2 and glibc 2.38-3:

$ sudo passwd -l root
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
passwd: nscd did not terminate normally (signal 11)
passwd: password changed.
Comment by loqs (loqs) - Saturday, 09 September 2023, 12:48 GMT
@seqfault could you open an upstream bug report if there is not one already? In your use case could nscd be replaced by sssd?
Comment by Oleksandr K. (seqfault) - Saturday, 09 September 2023, 13:19 GMT
@loqs I have no idea what nscd and sssd are, I'm just a regular user, who reported warnings after googling them. also, passwd -l root worked for me
Comment by David Runge (dvzrv) - Wednesday, 20 September 2023, 09:04 GMT
With https://bugs.archlinux.org/task/79736 there's now a ticket open to remove the use of nscd altogether and it is likely to be implemented.
Comment by Oleksandr K. (seqfault) - Wednesday, 20 September 2023, 21:06 GMT
great! no more warnings I hope
Comment by freswa (frederik) - Sunday, 24 September 2023, 13:17 GMT
Please check glibc and shadow in testing
