systemd generates errors when using NSS and LDAP
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| systemd | Fix Released | Unknown | | |
| systemd (Ubuntu) | Incomplete | Undecided | Unassigned | |
Bug Description
Ubuntu 20.04.2 LTS
systemd 245.4-4ubuntu3.4
The system is configured to use LDAP via nsswitch.conf:
passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap
gshadow: files
Using libnss-ldap 265-5ubuntu1. When logging in with ssh there is a slight delay, and in the logs I see:
Feb 19 12:49:54 myserver sshd[105417]: Accepted publickey for mylogin from 1.2.3.4 port 60796 ssh2: RSA SHA256:somekey
Feb 19 12:49:54 myserver sshd[105417]: pam_unix(
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps:/
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: reconnecting to LDAP server...
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps:/
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps:/
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable
Feb 19 12:49:55 myserver systemd-
With debugging for the systemd-logind process I can see the additional information:
Feb 19 12:55:22 myserver systemd-
And with strace I see:
stat("/
geteuid() = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = -1 EAFNOSUPPORT (Address family not supported by protocol)
fcntl(-1, F_SETFD, FD_CLOEXEC) = -1 EBADF (Bad file descriptor)
sendto(33, "<83>Feb 19 12:56:59 systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server", 120, MSG_NOSIGNAL, NULL, 0) = 120
sendto(33, "<86>Feb 19 12:56:59 systemd-logind: nss_ldap: failed to bind to LDAP server ldaps:/
sendto(33, "<86>Feb 19 12:56:59 systemd-logind: nss_ldap: reconnecting to LDAP server...", 76, MSG_NOSIGNAL, NULL, 0) = 76
Looking in /usr/lib/
RestrictAddress
IPAddressDeny=any
So the problem is that systemd-logind can't open an AF_INET socket. And additionally, it can't make any network connections.
This only occurs in 20.04. In 20.10 this is fixed by a newer systemd, and it doesn't appear to be present in older systemd versions (at least, I don't have an issue on 18.04).
The fix, from systemd 246, which is included in 20.10, is:
https:/
I have applied this change (which patches cleanly to the systemd source package in 20.04) and the problem is resolved.
A temporary workaround for others experiencing this issue would be to run "systemctl edit systemd-logind" and enter the following:
[Service]
RestrictAddressFamilies= AF_INET
IPAddressAllow=any
Then restart the systemd-logind service, or reboot. Obviously this could have other implications for the security of the system - I'm not sure if processes launched by systemd-logind also have more relaxed permissions.
It'd be great if the above patch could be applied to the package in 20.04.
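The drop-in above works because of how systemd merges list-valued sandboxing directives: a drop-in in systemd-logind.service.d/ is loaded after the packaged unit, a repeated RestrictAddressFamilies= assignment merges with (rather than replaces) the earlier list, an empty assignment resets it, and IPAddressAllow= takes precedence over IPAddressDeny=. The following script is an added example, not part of the bug report or of systemd: it folds a unit fragment and its drop-ins into the effective sandbox and answers the two questions the strace above raises (can the service create an AF_INET socket, and would a packet to the LDAP server pass the per-unit IP firewall). The unit contents, the LDAP server address 10.0.0.5 and the tighter drop-in are constructed for the example; the full RestrictAddressFamilies= value of the stock 20.04 unit is not reproduced on this page. The "~" inverted-list form of RestrictAddressFamilies= is not modelled.

```python
"""Model of systemd drop-in merge semantics for the three directives in this bug.

Added example (not code from the bug report or from systemd). Rules modelled,
from systemd.exec(5) and systemd.resource-control(5):
  * RestrictAddressFamilies=: list; repeated assignments merge, empty resets.
  * IPAddressAllow= / IPAddressDeny=: lists; repeated assignments merge, empty
    resets; the allow list takes precedence over the deny list.
Unit texts below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the packaged unit (real value of the family list not on this page).
STOCK_UNIT = """\
[Service]
RestrictAddressFamilies=AF_UNIX AF_NETLINK
IPAddressDeny=any
"""

# The workaround from the report, as written to systemd-logind.service.d/override.conf.
WORKAROUND_DROPIN = """\
[Service]
RestrictAddressFamilies=AF_INET
IPAddressAllow=any
"""

# Tighter alternative (assumption: the LDAP server lives at 10.0.0.5): only that host.
TIGHT_DROPIN = """\
[Service]
RestrictAddressFamilies=AF_INET
IPAddressAllow=10.0.0.5/32
"""


@dataclass
class Sandbox:
    families_restricted: bool = False       # any RestrictAddressFamilies= in effect?
    families: set = field(default_factory=set)
    ip_allow: list = field(default_factory=list)
    ip_deny: list = field(default_factory=list)


def service_directives(text):
    """Yield (key, value) pairs from the [Service] section of one unit fragment."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield key.strip(), value.strip()


def apply_directive(sb, key, value):
    """Apply one directive with systemd's merge/reset semantics for list settings."""
    if key == "RestrictAddressFamilies":
        if value == "":                      # empty assignment resets the restriction
            sb.families_restricted, sb.families = False, set()
        else:
            sb.families_restricted = True
            sb.families |= set(value.split())
    elif key in ("IPAddressAllow", "IPAddressDeny"):
        target = sb.ip_allow if key == "IPAddressAllow" else sb.ip_deny
        if value == "":
            target.clear()
        else:
            target.extend(value.split())


def effective_sandbox(fragments):
    """Fold the unit file and its drop-ins, in load order, into one Sandbox."""
    sb = Sandbox()
    for text in fragments:
        for key, value in service_directives(text):
            apply_directive(sb, key, value)
    return sb


def socket_allowed(sb, family):
    """Would socket(family, ...) succeed? (seccomp filter; uid 0 does not bypass it)"""
    return (not sb.families_restricted) or family in sb.families


def _matches(entry, address):
    ip = ipaddress.ip_address(address)
    if entry == "any":
        return True
    if entry == "localhost":
        return ip in ipaddress.ip_network("127.0.0.0/8") or ip in ipaddress.ip_network("::1/128")
    return ip in ipaddress.ip_network(entry, strict=False)


def ip_allowed(sb, address):
    """Would traffic to/from this address pass the unit's BPF IP firewall?"""
    if any(_matches(a, address) for a in sb.ip_allow):   # allow list wins
        return True
    if any(_matches(d, address) for d in sb.ip_deny):
        return False
    return True


if __name__ == "__main__":
    for name, frags in [("stock", [STOCK_UNIT]),
                        ("workaround", [STOCK_UNIT, WORKAROUND_DROPIN]),
                        ("tight", [STOCK_UNIT, TIGHT_DROPIN])]:
        sb = effective_sandbox(frags)
        print(name, "AF_INET socket:", socket_allowed(sb, "AF_INET"),
              "LDAP host:", ip_allowed(sb, "10.0.0.5"), "other host:", ip_allowed(sb, "1.2.3.4"))
```

On a real host the same questions can be answered with `systemctl show -p RestrictAddressFamilies -p IPAddressAllow -p IPAddressDeny systemd-logind` after the drop-in is in place. The tighter drop-in is the one to prefer when the LDAP server address is stable, since it keeps the deny-all posture for every other destination. Note that the directives apply to the systemd-logind.service cgroup only; a user's session processes are started by the login daemon (here sshd) and registered with logind over PAM, so they are not children of logind and do not inherit this sandbox either way.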
Changed in systemd: status: Unknown → Fix Released
> A temporary workaround for others experiencing this issue would be to run "systemctl edit
> systemd-logind" and enter the following:
>
> [Service]
> RestrictAddressFamilies= AF_INET
> IPAddressAllow=any
It sounds like your problem isn't the /etc/shadow issue, it's due to systemd-logind sandboxing, which wasn't present in bionic (systemd-logind was configured to allow inet/inet6 in bionic).
Have you tested a full groovy installation to make sure it's fixed for you there *without* the logind drop-in? And have you tested your patched systemd also *without* the logind drop-in to verify the patch fixes things for you?