Bug#846944: Installing libnss-resolve before libnss-mdns breaks mDNS name resolution

Michael Biebl email at michaelbiebl.de
Thu Dec 8 14:30:53 GMT 2016


On 08.12.2016 at 15:20, Michael Biebl wrote:

> Installing libnss-mdns, then libnss-resolve leads to
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
> 
> Installing libnss-resolve, then libnss-mdns leads to
> 
> hosts:          files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] dns
> 
> 
> So maybe the "obvious" fix is to change libnss-mdns to always insert itself
> before dns *and* resolve? On the other hand, it's quite ugly that mdns needs to
> be taught to cope with this new nss module.
> 
> Martin, Simon, what's your take on this?
> With multiple packages mangling nsswitch.conf, this feels like it's becoming very brittle
> and maybe we need a proper API like pam-auth-update.

Some more thoughts: we have quite a few libnss-* packages
> # apt-cache search --names-only libnss-
> libnss-db - NSS-Modul für die Verwendung der Berkeley-Datenbank als Namensdienst
> libnss-ldap - NSS-Modul für den Einsatz von LDAP als Namensdienst
> libnss-ldapd - NSS-Modul für den Einsatz von LDAP als Namensdienst
> libnss-lwres - NSS-Modul um bind9-lwres als Namensdienst zu nutzen
> libnss-sss - Nss-Modul für den SSS-Daemon (System Security Services)
> libnss-cache - NSS module for using nsscache-generated files
> libnss-docker - nss module for finding Docker containers
> libnss-extrausers - nss module to have an additional passwd, shadow and group file
> libnss-gw-name - nss module that names the current gateway’s IP address
> libnss-mysql-bg - NSS module for using MySQL as a naming service
> libnss-pgsql2 - NSS module for using PostgreSQL as a naming service
> libnss-securepass - NSS (Name Service Switch) module for Securepass
> libnss-libvirt - nss plugin providing IP address resolution for virtual machines
> libnss-mdns - NSS module for Multicast DNS name resolution
> libnss-wrapper - NSS wrapper library
> libnss-rainbow2 - nss library for rainbow
> libnss-winbind - Samba nameservice integration plugins
> libnss-myhostname - nss module providing fallback resolution for the current hostname
> libnss-mymachines - nss module to resolve hostnames for local container instances
> libnss-resolve - nss module to resolve names via systemd-resolved
> libnss-systemd - nss module providing dynamic user and group name resolution

The first one that I picked was libnss-ldap.
It doesn't mangle libnss-ldap directly, but it ships an example file,
which contains
hosts:		dns ldap

So, libnss-resolve's behaviour of using [!UNAVAIL=return] would break
LDAP hosts resolution as well. I guess, going through the complete list,
we would find more packages which would be affected the same way.

It seems like [!UNAVAIL=return] is generally not safe to use if you
don't know which NSS modules might come after yours.

Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
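
The ordering effect described in the message above, as an added example that is not part of the original post or of any Debian package: a small model of how glibc walks a `hosts:` line and applies `[STATUS=action]` lists, run on the two lines quoted in the report. The per-module statuses in `LOCAL_NAME` are constructed assumptions (a `.local` name that only mDNS can answer, with systemd-resolved running and answering NOTFOUND).

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# glibc defaults: stop on success, try the next service on anything else
DEFAULTS = {"SUCCESS": "return", "NOTFOUND": "continue",
            "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_hosts_line(line):
    """Parse a 'hosts: ...' line into [(module, {status: action}), ...]."""
    spec = line.split(":", 1)[1]
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not token.startswith("["):
            chain.append((token, dict(DEFAULTS)))
            continue
        if not chain:
            raise ValueError("action list before any service")
        actions = chain[-1][1]          # applies to the preceding service
        for item in token[1:-1].split():
            status, action = item.upper().split("=")
            action = action.lower()
            if status.startswith("!"):
                # negation: every status except the named one
                for s in STATUSES:
                    if s != status[1:]:
                        actions[s] = action
            else:
                actions[status] = action
    return chain

def lookup(line, module_status):
    """Walk the chain; return (modules consulted, final status)."""
    consulted, status = [], "UNAVAIL"
    for module, actions in parse_hosts_line(line):
        status = module_status.get(module, "UNAVAIL")
        consulted.append(module)
        if actions[status] == "return":
            break
    return consulted, status

# Constructed scenario (assumption): only mDNS knows this .local name
LOCAL_NAME = {"files": "NOTFOUND", "resolve": "NOTFOUND",
              "mdns4_minimal": "SUCCESS", "dns": "NOTFOUND"}
MDNS_FIRST = "hosts:  files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns"
RESOLVE_FIRST = "hosts:  files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] dns"

if __name__ == "__main__":
    for line in (MDNS_FIRST, RESOLVE_FIRST):
        print(lookup(line, LOCAL_NAME))
```

With `resolve` first, the walk stops at `resolve` on NOTFOUND and `mdns4_minimal` is never consulted; the same happens to any module placed after `resolve`, such as `ldap`.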
