On Tue, Jun 04, 2019 at 12:21:43PM -0000, [email protected] wrote:
> (reopening here after mis-posting to the devel list)
> Hello,
>
> I am using SSSD with NIS via the proxy id_provider and auth_provider (full
> conf below). I hoped that SSSD's cache would work around the sandboxing of
> systemd's logind that won't, by default, allow outgoing connections to the
> provider (see https://github.com/systemd/systemd/issues/7074).
>
> User and credential lookup works fine and I can log in remotely via ssh.
> However, immediately after auth, at session setup-time, pam_systemd.so calls
> logind, which calls getpwuid(), which in turn causes a NIS lookup that hangs
> because of the sandbox. Failure of pam_systemd.so also means I can't login
> via the GUI.
>
> I was hoping that SSSD's cache, which is up-to-date because of the
> immediately preceding auth, would be used instead of the NIS lookup. My
> alternative right now is to specifically disable that sandbox, as described
> in the link above, but I'd rather understand this completely and perhaps
> avoid that.
>
> I'm on Ubuntu 18.04, with sssd 1.16.1.
>
> sssd.conf:
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = my.domain.name
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
> cache_first = true
>
> [pam]
> reconnection_retries = 3
> pam_verbosity = 3
> offline_failed_login_attempts = 3
> offline_failed_login_delay = 1
> # increased this in hopes of fixing the issue. Nope...
> pam_id_timeout = 35
> cache_first = true
>
> [domain/my.domain.name]
> id_provider = proxy
> auth_provider = proxy
> proxy_lib_name = nis
> proxy_pam_target = none
> cache_credentials = true
> # increased this in hopes of fixing the issue. Nope...
> cached_auth_timeout = 30
> # Tried with and without enumeration. No difference.
> enumerate = true
>
> The relevant PAM file -- /etc/pam.d/common-session. In my tests via ssh it was
> included via /etc/pam.d/sshd:
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session optional pam_umask.so
> session required pam_unix.so
> session optional pam_sss.so
> # if I comment or skip the next line I get clean ssh logins, but still
> # failing GUI logins.
> session optional pam_systemd.so
>
> nsswitch.conf:
> passwd: compat systemd sss
> group: compat systemd sss
> shadow: compat sss
Since nis is handled by SSSD I think you can replace 'compat' with
'files' here. To be on the safe side I would also put 'sss' before
'systemd' so that it reads:
passwd: files sss systemd
group: files sss systemd
shadow: files
If you have any 'compat' specific entries like +/-(user|group) in
/etc/passwd or /etc/group this of course won't work anymore. In this
case you can try to put 'sss' first.
HTH
bye,
Sumit
> gshadow: files
> hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> sudoers: files
>
> getent output
> getent passwd testuser:
> testuser:$6$salted_hashed_password.:1100:100::/home/testuser:/bin/bash
>
> getent -s sss passwd testuser:
> testuser:*:1100:100::/home/testuser:/bin/bash
>
> getent -s sss shadow testuser:
> <no output>
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
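The check below is an added example, not code from the thread or from the SSSD project. It parses an nsswitch.conf snippet, reports the two ordering issues raised in the reply ('compat' in use, 'systemd' consulted before 'sss'), and scans passwd/group content for the +/- compat entries that would stop working after switching 'compat' to 'files'. The `recommend` function emits the suggested order from the reply (files sss systemd / files sss systemd / files); where compat entries exist it keeps 'compat' and moves 'sss' to the front, which is one reading of the "put 'sss' first" advice and is an assumption. The sample inputs are constructed from the lines quoted above plus one made-up '+' entry.

```python
# Added example: check nsswitch.conf source order and compat (+/-) entries.
# Not part of the original thread; sample data is constructed.

# Constructed sample: the nsswitch.conf lines quoted in the original post.
SAMPLE_NSSWITCH = """\
passwd: compat systemd sss
group: compat systemd sss
shadow: compat sss
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
"""

# Constructed sample /etc/passwd with one NIS compat entry (the '+' line).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
+::::::
"""

# Order suggested in the reply when SSSD serves the NIS data.
RECOMMENDED = {
    "passwd": ["files", "sss", "systemd"],
    "group": ["files", "sss", "systemd"],
    "shadow": ["files"],
}


def parse_nsswitch(text):
    """Return {database: [source, ...]} with comments and [STATUS=action]
    groups stripped, since those are not lookup sources."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        dbs[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return dbs


def compat_entries(text):
    """Return lines of passwd/group content that use the compat +/- syntax."""
    return [line for line in text.splitlines() if line.startswith(("+", "-"))]


def check_order(dbs):
    """Return human-readable findings for the issues discussed in the reply."""
    findings = []
    for db in ("passwd", "group", "shadow"):
        src = dbs.get(db, [])
        if "compat" in src:
            findings.append(f"{db}: 'compat' in use; 'files' suffices when SSSD handles NIS")
        if "sss" in src and "systemd" in src and src.index("systemd") < src.index("sss"):
            findings.append(f"{db}: 'systemd' is consulted before 'sss'")
    return findings


def recommend(dbs, passwd_text, group_text=""):
    """Return {db: suggested source list}.

    Without compat entries the reply's order is returned as-is. With compat
    entries, 'compat' is kept and 'sss' moved to the front (assumption: one
    reading of the "put 'sss' first" advice)."""
    have_compat = bool(compat_entries(passwd_text) or compat_entries(group_text))
    out = {}
    for db, rec in RECOMMENDED.items():
        src = dbs.get(db, [])
        if have_compat and "compat" in src:
            out[db] = ["sss"] + [s for s in src if s != "sss"]
        else:
            out[db] = list(rec)
    return out


if __name__ == "__main__":
    parsed = parse_nsswitch(SAMPLE_NSSWITCH)
    for finding in check_order(parsed):
        print("finding:", finding)
    for db, sources in recommend(parsed, SAMPLE_PASSWD).items():
        print(f"{db}: {' '.join(sources)}")
```

Run it against the real files with `parse_nsswitch(open('/etc/nsswitch.conf').read())` and `open('/etc/passwd').read()`; the findings list is empty once the order matches the reply's suggestion.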