commit 58b930ae216bfa98cd60212b954b07b9963d6d04
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Wed Sep 10 21:51:50 2014 +0530

    Return failure in getnetgrent only when all netgroups have been searched (#17363)
    
    The netgroups lookup code fails when one of the groups in the search
    tree is empty.  In such a case it only returns the leaves of the tree
    after the blank netgroup.  This is because the line parser returns a
    NOTFOUND status when the netgroup exists but is empty.  The
    __getnetgrent_internal implementation needs to be fixed to try
    remaining groups if the current group is entry.  This patch implements
    this fix.  Tested on x86_64.
    
    	[BZ #17363]
    	* inet/getnetgrent_r.c (__internal_getnetgrent_r): Try next
    	group if the current group is empty.

diff --git glibc-2.17-c758a686/inet/getnetgrent_r.c glibc-2.17-c758a686/inet/getnetgrent_r.c
index f6d064d..e101537 100644
--- glibc-2.17-c758a686/inet/getnetgrent_r.c
+++ glibc-2.17-c758a686/inet/getnetgrent_r.c
@@ -297,7 +297,10 @@ __internal_getnetgrent_r (char **hostp, char **userp, char **domainp,
     {
       status = DL_CALL_FCT (*fct, (datap, buffer, buflen, &errno));
 
-      if (status == NSS_STATUS_RETURN)
+      if (status == NSS_STATUS_RETURN
+	  /* The service returned a NOTFOUND, but there are more groups that we
+	     need to resolve before we give up.  */
+	  || (status == NSS_STATUS_NOTFOUND && datap->needed_groups != NULL))
 	{
 	  /* This was the last one for this group.  Look at next group
 	     if available.  */