gdm does not obey NIS settings for user groups

Bug #553142 reported by Andreas
This bug affects 9 people
Affects: eglibc (Ubuntu)
Status: Invalid
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: gdm

If I log in through gdm, I only belong to the following groups:

$ groups
kotowicz adm dialout cdrom audio video plugdev fuse lpadmin netdev admin sambashare vboxusers

If I log in to the same machine through ssh, I belong to the following groups:

$ groups
kotowicz adm dialout cdrom audio video plugdev fuse lpadmin netdev admin sambashare vboxusers Rich Nsc

As you can see, the groups 'Rich' and 'Nsc' have been added.
In previous Ubuntu versions (9.10), logging in through gdm added me to the correct groups.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: gdm 2.29.92-0ubuntu9
ProcVersionSignature: Ubuntu 2.6.32-18.27-generic 2.6.32.10+drm33.1
Uname: Linux 2.6.32-18-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Thu Apr 1 11:19:15 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/sbin/gdm-binary
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
SourcePackage: gdm

Revision history for this message
Andreas (andreas-kotowicz) wrote :
Bernhard M. Wiedemann (ubuntubmw) wrote :

I had a similar issue, only that it also applied to ssh for me.

Can you try to edit /etc/nsswitch.conf
to have
group: compat nis
(instead of just "group: compat")

and check if you have in /etc/group a line containing
+:::

Sebastien Bacher (seb128) wrote :

The issue doesn't really seem to be a gdm one

Changed in gdm (Ubuntu):
importance: Undecided → Low
Sebastien Bacher (seb128) wrote :

Do you get the same issue if you log in locally on a vt or using another login manager than gdm there?

Bernhard M. Wiedemann (ubuntubmw) wrote :

bug on: ssh, gdm
no bug on: su, login(tty1), id $USERNAME

So probably no gdm issue, but in something that is used by both gdm and sshd. Maybe pam?

affects: gdm (Ubuntu) → nis (Ubuntu)
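
The diagnostic in the comment above (`id $USERNAME` is right while the ssh or gdm session is wrong) comes down to comparing the groups a login session actually holds with the groups NSS resolves for the account. The following is an added example, not part of the bug report: the function names are made up here, and it assumes a POSIX shell with `id`, `sort`, `comm` and `mktemp`. It also flags groups listed more than once.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# uniq_sorted LIST -> one entry per line, sorted, duplicates removed
uniq_sorted() {
    printf '%s\n' $1 | sort -u
}

# missing_groups SESSION DATABASE -> entries in DATABASE absent from SESSION
missing_groups() {
    s=$(mktemp); d=$(mktemp)
    uniq_sorted "$1" > "$s"
    uniq_sorted "$2" > "$d"
    comm -13 "$s" "$d" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$s" "$d"
}

# duplicate_groups LIST -> entries that occur more than once in LIST
duplicate_groups() {
    printf '%s\n' $1 | sort | uniq -d | tr '\n' ' ' | sed 's/ $//'
}

# check_session [USER] -> compare this process with the NSS view of USER
check_session() {
    user=${1:-$(id -un)}
    session=$(id -G)            # gids this process was given at login time
    database=$(id -G "$user")   # gids resolved through nsswitch.conf now
    miss=$(missing_groups "$session" "$database")
    dup=$(duplicate_groups "$session")
    if [ -n "$miss" ]; then echo "gids missing from session: $miss"; fi
    if [ -n "$dup" ]; then echo "gids duplicated in session: $dup"; fi
    [ -z "$miss" ] && [ -z "$dup" ]
}

# Run the live check only when asked, e.g. from a terminal inside the session.
if [ "${1:-}" = "--live" ]; then check_session; fi
```

Run it with `--live` from a terminal inside each kind of session (gdm, ssh, console) on the same host; a non-zero exit status means the session and the NSS lookup disagree.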
Bernhard M. Wiedemann (ubuntubmw) wrote :

Now I tried NIS on a current lucid VirtualBox install and found ssh to be working there right away and only gdm being broken.
When capturing via tcpdump the YPSERV communication I noticed many identical queries for passwd.byname so I tried on both systems: aptitude install nscd .
What is interesting is that running nscd helped with the ssh problem, but did not help with the gdm problem. So there could still be two different issues there.
Also worth noting: running nscd reproducibly breaks NIS-groups on console(tty) login, su and ssh-login, even with the nsswitch.conf work-around - but only on the VirtualBox system.

special setup needed to reproduce:

# must have NIS server (ours is on ...0.240 version 3.17-17 from debian/lenny/i686)
aptitude install nis
echo ypserver 192.168.0.240 > /etc/yp.conf
echo +:::::: >> /etc/passwd
echo +::: >> /etc/group
/etc/init.d/nis restart

Bernhard M. Wiedemann (ubuntubmw) wrote :

The nscd problems appear to have only been caching issues.
touch /etc/groups helped there. The underlying NIS-group bug with gdm remains, though.

Robin Stocker (nibor) wrote :

There is a forum post on ubuntuforums where two other people are also affected by this: http://ubuntuforums.org/showthread.php?p=9230407

BJ (blackjade-lol) wrote :

I started the ubuntuforums thread (http://ubuntuforums.org/showthread.php?p=9230407). A possible fix to the SSH problem is to edit /etc/nsswitch.conf:

group: compat nis
(instead of)
group: compat

This was suggested by Bernhard M. (post #2). I fixed the SSH servers with this method, but I don't know if it works for the GDM issue.

Bernhard M. Wiedemann (ubuntubmw) wrote :

Might this have a similar cause as https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/423252 ? That one also mentions nss.
BJ: for me the workaround also helped with GDM.

Tobias Gresch (tobias-gresch) wrote :

I had the same problem. Editing /etc/nsswitch.conf as suggested above fixed the problem when logging in through GDM. Thanks!

Jan Groenewald (jan-aims) wrote :

User liesl is in NIS group aimsadmrw, but she does not get permissions with normal
login. However after either ssh localhost or su - liesl she does have the necessary group
permissions.

On lucid 64bit, LDAP client for passwords, NIS client for groups, NFS/autofs mounted /home.
ii nis 3.17-31 clients and daemons for the Network Informat

liesl@muizenberg:~$ grep 192 /etc/yp.conf
ypserver 192.168.42.2
liesl@muizenberg:~$ grep nis /etc/nsswitch.conf
group: compat nis
netgroup: nis
liesl@muizenberg:~$ grep liesl /etc/security/group.conf
* ;:0 ;liesl ;Al0000-2400 ;aimsadmr,aimsadmrw
liesl@muizenberg:~$ grep group /etc/pam.d/*|grep -v \#
/etc/pam.d/common-auth:auth optional pam_group.so
/etc/pam.d/gdm:auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
/etc/pam.d/gdm:auth optional pam_group.so
/etc/pam.d/login:auth optional pam_group.so
liesl@muizenberg:~$ tail -1 /etc/group
+:::
liesl@muizenberg:~$ ypcat group|grep aims
aimsadmr:x:20003:jan,lynne,ike,fjwh,gudrun,aeeda,barrie,liesl,bwg,asharma
aimsadrw2:x:20005:lynne,aeeda
aimsadmrw:x:20004:liesl,aeeda # <-- liesl in group in question.
aimsr:x:900:jan,lynne,ike,fjwh,gudrun,aeeda,bwg,asharma

NOTE GROUP PERMISSIONS IN STRAIGHT GDM LOGIN FAILS; BUT AFTER SSH IT WORKS; AFTER SU - USER IT WORKS!

liesl@seychelles:/var/autofs/misc/home/liesl$ groups # WHY DOES IT SHOW SO MANY COPIES?
staff2009 adm adm cdrom cdrom floppy floppy audio audio video video plugdev plugdev aimsadmr aimsadmr aimsadmr aimsadmrw aimsadmrw aimsadmrw
liesl@seychelles:/var/autofs/misc/home/liesl$ id
uid=1498(liesl) gid=509(staff2009) groups=4(adm),4(adm),24(cdrom),24(cdrom),25(floppy),25(floppy),29(audio),29(audio),44(video),44(video),46(plugdev),46(plugdev),509(staff2009),20003(aimsadmr),20003(aimsadmr),20003(aimsadmr),20004(aimsadmrw),20004(aimsadmrw),20004(aimsadmrw)
liesl@seychelles:/var/autofs/misc/home/liesl$ touch /home/aeeda/Desktop/Visitors_Overview_2007.ods
touch: cannot touch `/home/aeeda/Desktop/Visitors_Overview_2007.ods': Permission denied # ARGH
liesl@seychelles:/var/autofs/misc/home/liesl$ ssh liesl@localhost # VIA SSH
liesl@localhost's password:
Linux seychelles 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 05:14:15 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.04.1 LTS
liesl@seychelles:~$ groups
staff2009 aimsadmr aimsadmrw
liesl@seychelles:~$ id
uid=1498(liesl) gid=509(staff2009) groups=509(staff2009),20003(aimsadmr),20004(aimsadmrw)
liesl@seychelles:~$ touch /home/aeeda/Desktop/Visitors_Overview_2007.ods # \o/
liesl@seychelles:~$ logout
Connection to localhost closed.
liesl@seychelles:/var/autofs/misc/home/liesl$ touch /home/aeeda/Desktop/Visitors_Overview_2007.ods # :\
touch: cannot touch `/home/aeeda/Desktop/Visitors_Overview_2007.ods': Permission denied
liesl@seychelles:/var/autofs/misc/home/liesl$ su - liesl
Password:
liesl@seychelles:~$ touch /home/aeeda/Desktop/Visitors_Overview_2007.ods # \o/
liesl@seychelles:~$

wtf?

Probably unrelated but mentioned here for completeness.

I thought adding these was unnecessary, plus they do not fix the problem:
auth optional pam_group.so# to gdm-autologin
session optional pam_group.so #to comm...


Jan Groenewald (jan-aims) wrote :

Just to confirm this problem is specific to lucid.
The previous desktop images were jaunty, and I have just tested
that this problem does not exist on the jaunty client!

On the jaunty install (no trailing line in /etc/group, no gdm:optional pam_group.so line.)

liesl@senegal:~$ grep 192 /etc/yp.conf
ypserver 192.168.42.2
liesl@senegal:~$ grep nis /etc/nsswitch.conf
group: compat nis
netgroup: nis
liesl@senegal:~$ grep liesl /etc/security/group.conf
* ;:0 ;liesl ;Al0000-2400 ;aimsadmr,aimsadmrw
liesl@senegal:~$ grep group /etc/pam.d/*|grep -v \#
/etc/pam.d/common-auth:auth optional pam_group.so
/etc/pam.d/login:auth optional pam_group.so
liesl@senegal:~$ grep + /etc/group
liesl@senegal:~$ grep + /etc/passwd
liesl@senegal:~$ ypcat group|grep aims
aimsadmr:x:20003:jan,lynne,ike,fjwh,gudrun,aeeda,barrie,liesl,bwg,asharma
aimsadrw2:x:20005:lynne,aeeda
aimsadmrw:x:20004:liesl,aeeda
aimsr:x:900:jan,lynne,ike,fjwh,gudrun,aeeda,bwg,asharma
liesl@senegal:~$ groups
staff2009 aimsadmr aimsadmrw
liesl@senegal:~$ id
uid=1498(liesl) gid=509(staff2009) groups=509(staff2009),20003(aimsadmr),20004(aimsadmrw)
liesl@senegal:~$ touch /home/aeeda/Desktop/Visitors_Overview_2007.ods

So it is not server side.

Adding the optional pam_group.so line to /etc/pam.d/gdm (as I have on lucid) to the
jaunty machine did not reproduce the problem.

It looks as if REMOVING the line "auth optional pam_group.so" from the lucid
client FIXES this. Is there something wrong with that syntax?

Jan Groenewald (jan-aims) wrote :

To clarify:
It looks as if REMOVING the line "auth optional pam_group.so" from the lucid
client FIXES this. Is there something wrong with that syntax?

Removing the line from /etc/pam.d/gdm.

It is still in common-auth and login.
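
The three settings this thread keeps returning to are the `group:` line in /etc/nsswitch.conf, the `+:::` entry in /etc/group, and which PAM services load pam_group.so. The script below is an added example, not taken from the bug report, that reads all three from files passed as arguments; the function names and result labels are made up here. It relies on glibc's documented behaviour that the `compat` source only pulls in NIS groups through `+` entries in the group file.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# group_sources NSSWITCH -> services on the "group:" line, comments stripped
group_sources() {
    sed -n 's/#.*//; s/[[:space:]]*$//; s/^[[:space:]]*group:[[:space:]]*//p' "$1" |
        head -n 1 | tr '\t' ' '
}

# has_compat_entry GROUPFILE -> success if the file has a "+" include line
has_compat_entry() {
    grep -q '^+' "$1"
}

# nis_group_path NSSWITCH GROUPFILE -> how NIS groups can reach this host:
#   direct  "nis" is listed as a source of its own
#   compat  "compat" is listed and the group file has a "+" entry
#   both    both routes exist (the workaround state described in the thread)
#   none    neither route exists, so NIS groups are never looked up
nis_group_path() {
    sources=" $(group_sources "$1") "
    direct=no; compat=no
    case $sources in *" nis "*) direct=yes ;; esac
    case $sources in
        *" compat "*) if has_compat_entry "$2"; then compat=yes; fi ;;
    esac
    case $direct$compat in
        yesyes) echo both ;;
        yesno)  echo direct ;;
        noyes)  echo compat ;;
        *)      echo none ;;
    esac
}

# pam_group_services DIR -> PAM service files with an active pam_group.so line
pam_group_services() {
    grep -l '^[^#]*pam_group\.so' "$1"/* 2>/dev/null |
        sed 's|.*/||' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Report on the live system only when asked.
if [ "${1:-}" = "--live" ]; then
    echo "NIS group route: $(nis_group_path /etc/nsswitch.conf /etc/group)"
    echo "pam_group.so active in: $(pam_group_services /etc/pam.d)"
fi
```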

Matt Horan (mhoran) wrote :

I can confirm that this is still an issue in Lucid. This was not an issue with Hardy.

Setting "group: files nis" in /etc/nsswitch.conf causes all of my NIS groups to show up. Setting this to compat causes one of the NIS groups to go away. I'm not sure why only one of the groups goes away. Perhaps something with pam_group.so is only allowing one group to be passed in through NIS to SSH clients? This is a server, so I can't test GDM. All of my groups show up if I log in on the console.

Chuck Short (zulcss) wrote :

This doesn't appear to be a NIS issue either.

chuck

affects: nis (Ubuntu) → ubuntu
affects: ubuntu → eglibc (Ubuntu)
Changed in eglibc (Ubuntu):
status: New → Confirmed
quazgar (quazgar) wrote :
dino99 (9d9) wrote :

This is no longer a supported version.

Changed in eglibc (Ubuntu):
status: Confirmed → Invalid