[Bug 1916235] Re: systemd generates errors when using NSS and LDAP
Dan Streetman
1916235 at bugs.launchpad.net
Thu Jun 10 12:44:18 UTC 2021
*** This bug is a duplicate of bug 1915502 ***
https://bugs.launchpad.net/bugs/1915502
I believe this is a dup of bug 1915502, so marking as such
** This bug has been marked a duplicate of bug 1915502
"systemd --user" fails to start for non-local users
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1916235
Title:
systemd generates errors when using NSS and LDAP
Status in systemd:
Fix Released
Status in systemd package in Ubuntu:
Incomplete
Bug description:
Ubuntu 20.04.2 LTS
systemd 245.4-4ubuntu3.4
The system is configured to use LDAP via nsswitch.conf:
passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap
gshadow: files
Using libnss-ldap 265-5ubuntu1. When logging in with ssh there is a
slight delay, and in the logs I see:
Feb 19 12:49:54 myserver sshd[105417]: Accepted publickey for mylogin from 1.2.3.4 port 60796 ssh2: RSA SHA256:somekey
Feb 19 12:49:54 myserver sshd[105417]: pam_unix(sshd:session): session opened for user mylogin by (uid=0)
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: reconnecting to LDAP server...
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable
Feb 19 12:49:55 myserver systemd-logind[105119]: New session 331 of user mylogin.
With debugging for the systemd-logind process I can see the additional
information:
Feb 19 12:55:22 myserver systemd-logind[106567]: Failed to do shadow lookup for UID 12345, ignoring: Bad file descriptor
And with strace I see:
stat("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=9102, ...}) = 0
geteuid() = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = -1 EAFNOSUPPORT (Address family not supported by protocol)
fcntl(-1, F_SETFD, FD_CLOEXEC) = -1 EBADF (Bad file descriptor)
sendto(33, "<83>Feb 19 12:56:59 systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server", 120, MSG_NOSIGNAL, NULL, 0) = 120
sendto(33, "<86>Feb 19 12:56:59 systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server", 131, MSG_NOSIGNAL, NULL, 0) = 131
sendto(33, "<86>Feb 19 12:56:59 systemd-logind: nss_ldap: reconnecting to LDAP server...", 76, MSG_NOSIGNAL, NULL, 0) = 76
Looking in /usr/lib/systemd/system/systemd-logind.service we see:
RestrictAddressFamilies=AF_UNIX AF_NETLINK
IPAddressDeny=any
So the problem is that systemd-logind can't open an AF_INET socket.
And additionally, it can't make any network connections.
This only occurs in 20.04. In 20.10 this is fixed by a newer systemd,
and it doesn't appear to be present in older systemd versions (at
least, I don't have an issue on 18.04).
The fix, from systemd 246, which is included in 20.10, is:
https://github.com/systemd/systemd/pull/15377
I have applied this change (which patches cleanly to the systemd
source package in 20.04) and the problem is resolved.
A temporary workaround for others experiencing this issue would be to
run "systemctl edit systemd-logind" and enter the following:
[Service]
RestrictAddressFamilies=AF_INET
IPAddressAllow=any
Then restart the systemd-logind service, or reboot. Obviously this
could have other implications for the security of the system - I'm not
sure if processes launched by systemd-logind also have more relaxed
permissions.
It'd be great if the above patch could be applied to the package in
20.04.
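An added triage example (not part of the bug report or of systemd itself): it runs over constructed log and strace lines shaped like the excerpts above and separates "the LDAP server is down" from "NSS is blocked by the unit's own sandbox", the distinction the report makes when it notices that sshd reached LDAP while systemd-logind could not. The sample lines, process names and regexes are my assumptions.

```python
import re

# Constructed samples modelled on the journal and strace excerpts in the bug
# report (not the reporter's own data; host, PIDs and UID are placeholders).
SAMPLE_LOG = """\
Feb 19 12:49:54 myserver sshd[105417]: pam_unix(sshd:session): session opened for user mylogin by (uid=0)
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable
Feb 19 12:49:55 myserver systemd-logind[106567]: Failed to do shadow lookup for UID 12345, ignoring: Bad file descriptor
Feb 19 12:49:55 myserver systemd-logind[105119]: New session 331 of user mylogin.
"""
SAMPLE_STRACE = """\
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = -1 EAFNOSUPPORT (Address family not supported by protocol)
fcntl(-1, F_SETFD, FD_CLOEXEC) = -1 EBADF (Bad file descriptor)
"""

SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
LDAP_FAIL_RE = re.compile(r"^nss_ldap: .*(Can't contact LDAP server|Server is unavailable)")
EBADF_RE = re.compile(r"^Failed to do shadow lookup for UID (\d+), ignoring: Bad file descriptor$")
SOCKET_RE = re.compile(r"^socket\((AF_\w+),.*\) = -1 (E[A-Z]+)")

def nss_failures_by_process(text):
    """Count nss_ldap failures and EBADF shadow-lookup symptoms per logging process."""
    out = {}
    for m in filter(None, map(SYSLOG_RE.match, text.splitlines())):
        rec = out.setdefault(m["proc"], {"ldap_failures": 0, "ebadf_uids": []})
        if LDAP_FAIL_RE.match(m["msg"]):
            rec["ldap_failures"] += 1
        if e := EBADF_RE.match(m["msg"]):
            rec["ebadf_uids"].append(int(e.group(1)))
    return out

def classify(text):
    """'sandboxed-nss': one process fails NSS and reports EBADF while others on the
    host are fine, so suspect its unit's RestrictAddressFamilies=/IPAddressDeny=
    rather than the LDAP server. 'ldap-unreachable': several processes fail."""
    failing = {p: r for p, r in nss_failures_by_process(text).items() if r["ldap_failures"]}
    if len(failing) > 1:
        return "ldap-unreachable"
    if len(failing) == 1 and next(iter(failing.values()))["ebadf_uids"]:
        return "sandboxed-nss"
    return "nss-failures" if failing else "clean"

def blocked_socket_families(strace_text):
    """Families whose socket() failed with EAFNOSUPPORT, the errno a RestrictAddressFamilies= filter returns."""
    return [m.group(1) for m in map(SOCKET_RE.match, strace_text.splitlines())
            if m and m.group(2) == "EAFNOSUPPORT"]
```

A "sandboxed-nss" verdict is the cue to read the unit's RestrictAddressFamilies= and IPAddressDeny= lines before touching the LDAP server.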