Add initgroups support

[geofft]

Apart from its own inherent value in rounding out user/group support,
glibc uses the same variable to cache whether the current NSCD
implementation handles group (GETGRBYNAME/GETGRBYGID) and INITGROUPS
requests, so we need to have a working implementation of it.

[blinsay]

the comment above says to always return success, but this line implies it bails early if something goes wrong. looks like nix adds a too-many-groups error condition, even though libc is never going to return an error.

https://docs.rs/nix/0.20.0/nix/unistd/fn.getgrouplist.html

[blinsay]

might be less confusing to pull this if/else into serialize_initgroups and change than fn so it takes the username and primary gid

[geofft]

1. I changed this specific line to log that error condition and return an empty list, and I expanded the comment to explain why we return an empty list.
2. There are still error conditions in serialize_initgroups that we don't handle. It's potentially important that we don't drop the connection there. However, that's a problem for all of the serialize_ functions, i.e, I think we should consider teaching main() not to drop the connection but instead to provide some perfunctory reply and log what's going on, because all of those cases can cause glibc to decide that there isn't a working NSCD. I think that's for another PR, and we shouldn't special-case serialize_initgroups here. (I also think that several of these cases can be statically proven not to be problems, if we try harder, since they're integer conversions.)

[blinsay]

However, that's a problem for all of the serialize_ functions, i.e, I think we should consider teaching main() not to drop the connection but instead to provide some perfunctory reply and log what's going on, because all of those cases can cause glibc to decide that there isn't a working NSCD. I think that's for another PR, and we shouldn't special-case serialize_initgroups here.

+1

[blinsay]

this all lgtm