[RADIUS] /etc/nsswitch.conf gets wiped out when setting AAA to RADIUS #16118

brholmes1 opened this issue Aug 11, 2023 · 1 comment
@brholmes1

Description

When switching to RADIUS for authentication, the configuration at /etc/nsswitch.conf gets removed. This results in remote authentication failing and having to use locally configured accounts instead.

Steps to reproduce the issue:

  1. Verify original file size and contents

     ```
     ls -l /etc/nsswitch.conf*
     -rw-r--r-- 1 root root 494 Aug 11 22:15 /etc/nsswitch.conf
     -rw-r--r-- 1 root root 494 Aug 11 22:15 /etc/nsswitch.conf.old

     grep -i passwd /etc/nsswitch.conf
     passwd:         files
     ```

  2. Configure AAA to use RADIUS

     ```
     sudo config aaa authentication login radius local
     ```

  3. Verify new file size and contents

     ```
     ls -l /etc/nsswitch.conf*
     -rw-r--r-- 1 root root 0 Aug 11 22:16 /etc/nsswitch.conf
     -rw-r--r-- 1 root root 0 Aug 11 22:16 /etc/nsswitch.conf.old

     grep -i passwd /etc/nsswitch.conf
     ```

  4. Test authentication using RADIUS server

Describe the results you received:

Could not login as remote user, and had to authenticate using local admin username/password.

Describe the results you expected:

Successful authentication using a remote user via RADIUS, and /etc/nsswitch.conf updating appropriately.

```
ls -l /etc/nsswitch.conf*
-rw-r--r-- 1 root root 502 Aug 11 20:49 /etc/nsswitch.conf
-rw-r--r-- 1 root root 502 Aug  4 23:14 /etc/nsswitch.conf.bak

grep -i passwd /etc/nsswitch.conf
passwd:         files radius
```

Output of show version:

```
show version

SONiC Software Version: SONiC.master.288529-40eb97c2f
SONiC OS Version: 11
Distribution: Debian 11.7
Kernel: 5.10.0-18-2-amd64
Build commit: 40eb97c2f
Build date: Tue Jun  6 14:37:38 UTC 2023
Built by: AzDevOps@vmss-soni0018SE

Platform: x86_64-accton_as7326_56x-r0
HwSKU: Accton-AS7326-56X
ASIC: broadcom
ASIC Count: 1
Serial Number: <REMOVED>
Model Number: FP4ZZ7656005A
Hardware Revision: N/A
Uptime: 21:54:45 up  1:07,  1 user,  load average: 1.87, 2.02, 2.12
Date: Fri 11 Aug 2023 21:54:45
```

Docker images:

Output of show techsupport:

(paste your output here or download and attach the file here )

Additional information you deem important (e.g. issue happens only occasionally):

The issue is related to an extraneous pair of apostrophes (') within the hostcfgd file. After removing the apostrophes and reloading the device the authentication configuration updated correctly without any issues. Reference link to the problematic line below:

https://github.com/sonic-net/sonic-host-services/blob/master/scripts/hostcfgd#L576

Working configuration:

```python
self.modify_single_file(NSS_CONF, [ "/^passwd/s/ tacplus//" ])
```

gechiang added the BRCM and Triaged labels Aug 16, 2023

@adyeung (Collaborator) commented Aug 18, 2023

Problem was introduced by

sonic-net/sonic-host-services#34

When disabling subprocess with shell, the apostrophes for path passwd/s/tacplus were not removed in hostcfgd L898.
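
An added example, not hostcfgd's own code, of the failure this issue describes: once `sed` is started from an argv list instead of a shell string, leftover apostrophes reach `sed` literally and the expression no longer parses. The helper names, the sample file contents, and the assumption that `sed`'s output is written back without checking its exit status (chosen to match the 0-byte file in the report) are all hypothetical.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed sample contents, not taken from a real switch.
SAMPLE_NSS = "passwd:         files tacplus\ngroup:          files\n"
QUOTED = "'/^passwd/s/ tacplus//'"  # quotes left over from a shell command string
PLAIN = "/^passwd/s/ tacplus//"     # expression from the page's working line


def run_sed(expr, path):
    """Run sed from an argv list (no shell): expr reaches sed byte for byte."""
    return subprocess.run(["sed", expr, path], capture_output=True, text=True)


def rewrite_unchecked(expr, path):
    """Assumed failure mode: sed's stdout replaces the file whatever sed returned."""
    result = run_sed(expr, path)
    with open(path, "w") as fh:
        fh.write(result.stdout)
    return result.returncode


def rewrite_checked(expr, path):
    """Replace the file only if sed exited 0 and produced non-empty output."""
    result = run_sed(expr, path)
    if result.returncode != 0 or not result.stdout.strip():
        raise RuntimeError(f"{path} left untouched: {result.stderr.strip()}")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(result.stdout)
    shutil.copymode(path, tmp)  # mkstemp creates 0600; keep the original mode
    os.replace(tmp, path)       # atomic swap within one filesystem


def demo(rewrite, expr):
    """Run rewrite on a scratch copy of SAMPLE_NSS; return the file's final text."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "nsswitch.conf")
        with open(path, "w") as fh:
            fh.write(SAMPLE_NSS)
        try:
            rewrite(expr, path)
        except RuntimeError as err:
            print("refused:", err)
        with open(path) as fh:
            return fh.read()
```

`demo(rewrite_unchecked, QUOTED)` returns an empty string, the same symptom as the 0-byte `/etc/nsswitch.conf`, while `demo(rewrite_checked, QUOTED)` leaves the sample file intact.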
