Linux – Inconsistency between “getent group” and “getent group ” – why

getentgrouplinux

Question

How is the following possible?

$ getent group | grep docker
$ getent group docker
docker:x:600:

Note that the first call doesn’t return anything while the second one does.

grpck doesn’t report any issues.

Some Background

This is on a CentOS 7.6 VM that I have inherited from someone else, so I’m not sure where its configuration could potentially differ from the CentOS defaults. As far as I can tell, the VM is connected to LDAP somehow (but I’m not too familiar with this …).

Actually I wonder where this docker group is defined. At least it’s neither in /etc/group nor in /etc/gshadow.

As requested in the comments:

$ grep ^group /etc/nsswitch.conf
group:      files sss hesiod

Best Answer

@jeff-schaller’s comment got me on the right track: the docker group is defined in the Hesiod database:

$ hesinfo docker group
docker:x:600:

As @jeff-schaller and @stephen-kitt further pointed out, it appears that Hesiod doesn’t seem to allow to list all groups (hence getent group doesn’t return them) but allows to query them one-by-one (hence getent group docker returns the group).

Related Solutions

Why don’t /etc/group and /etc/password match

/etc/passwd shows each user's primary group. /etc/group shows users who have a given group as one of their supplementary groups. For example, my username dan has the group dan as its primary group, so that is what appears in the group field in /etc/passwd. The user dan is also in the groups wheel, mailadmin and svn, so the entries for those groups in /etc/group list dan in the final field, which denotes group members.

Linux – Why there is a group member field in both /etc/group and /etc/gshadow

The 4th field is a list of users that are members of the identified group. You can get a description of these two files with

man 5 group  
man 5 gshadow

I suspect the values in the two fields are the same for convenience. I don't offhand know what happens if the two lists are different.