4

Question

How is the following possible?

$ getent group | grep docker
$ getent group docker
docker:x:600:

Note that the first call doesn’t return anything while the second one does.

grpck doesn’t report any issues.

Some Background

This is on a CentOS 7.6 VM that I have inherited from someone else, so I’m not sure where its configuration could potentially differ from the CentOS defaults. As far as I can tell, the VM is connected to LDAP somehow (but I’m not too familiar with this …).

Actually I wonder where this docker group is defined. At least it’s neither in /etc/group nor in /etc/gshadow.

As requested in the comments:

$ grep ^group /etc/nsswitch.conf
group:      files sss hesiod
Chriki
  • 205
  • 2
  • 11
  • 7
    `grep ^group: /etc/nsswitch.conf` would help; it may be in an LDAP store where you're allowed to list all of the contents, but specific queries are answered. – Jeff Schaller Dec 12 '18 at 18:31
  • 1
    Are you on a local machine with no external auth of any kind, or is your CentOS connected to say, LDAP? What does your /etc/nsswitch.conf say? – number9 Dec 12 '18 at 18:31
  • 1
    @Jeff I suspect a “not” got lost in your comment ;-). – Stephen Kitt Dec 12 '18 at 18:44
  • Looks like you've got `sssd` (or `hesiod`, I suppose) set to look up LDAP/AD groups but not to enumerate them. If you're connected to Active Directory I would expect something like `getent group 'domain admins'` to deliver the list of AD Domain Administrator accounts. Take a look at `/etc/sssd/sssd.conf` for some details. – roaima Dec 12 '18 at 19:08
  • @StephenKitt it did, indeed! Good mind reading! – Jeff Schaller Dec 12 '18 at 19:24

1 Answers1

3

@jeff-schaller’s comment got me on the right track: the docker group is defined in the Hesiod database:

$ hesinfo docker group
docker:x:600:

As @jeff-schaller and @stephen-kitt further pointed out, it appears that Hesiod doesn’t seem to allow to list all groups (hence getent group doesn’t return them) but allows to query them one-by-one (hence getent group docker returns the group).

Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227
Chriki
  • 205
  • 2
  • 11