systemd generates errors when using NSS and LDAP

Bug #1916235 reported by Tim Bishop
Affects           Status        Importance  Assigned to  Milestone
systemd           Fix Released  Unknown
systemd (Ubuntu)  Incomplete    Undecided   Unassigned

Bug Description

Ubuntu 20.04.2 LTS
systemd 245.4-4ubuntu3.4

The system is configured to use LDAP via nsswitch.conf:

passwd: files systemd ldap
group: files systemd ldap
shadow: files ldap
gshadow: files

Using libnss-ldap 265-5ubuntu1. When logging in with ssh there is a slight delay, and in the logs I see:

Feb 19 12:49:54 myserver sshd[105417]: Accepted publickey for mylogin from 1.2.3.4 port 60796 ssh2: RSA SHA256:somekey
Feb 19 12:49:54 myserver sshd[105417]: pam_unix(sshd:session): session opened for user mylogin by (uid=0)
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: reconnecting to LDAP server...
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable
Feb 19 12:49:55 myserver systemd-logind[105119]: New session 331 of user mylogin.

With debugging for the systemd-logind process I can see the additional information:

Feb 19 12:55:22 myserver systemd-logind[106567]: Failed to do shadow lookup for UID 12345, ignoring: Bad file descriptor

And with strace I see:

stat("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=9102, ...}) = 0
geteuid() = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = -1 EAFNOSUPPORT (Address family not supported by protocol)
fcntl(-1, F_SETFD, FD_CLOEXEC) = -1 EBADF (Bad file descriptor)
sendto(33, "<83>Feb 19 12:56:59 systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server", 120, MSG_NOSIGNAL, NULL, 0) = 120
sendto(33, "<86>Feb 19 12:56:59 systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server", 131, MSG_NOSIGNAL, NULL, 0) = 131
sendto(33, "<86>Feb 19 12:56:59 systemd-logind: nss_ldap: reconnecting to LDAP server...", 76, MSG_NOSIGNAL, NULL, 0) = 76

Looking in /usr/lib/systemd/system/systemd-logind.service we see:

RestrictAddressFamilies=AF_UNIX AF_NETLINK
IPAddressDeny=any

So the problem is that systemd-logind can't open an AF_INET socket. And additionally, it can't make any network connections.

This only occurs in 20.04. In 20.10 this is fixed by a newer systemd, and it doesn't appear to be present in older systemd versions (at least, I don't have an issue on 18.04).

The fix, from systemd 246, which is included in 20.10, is:

https://github.com/systemd/systemd/pull/15377

I have applied this change (which patches cleanly to the systemd source package in 20.04) and the problem is resolved.

A temporary workaround for others experiencing this issue would be to run "systemctl edit systemd-logind" and enter the following:

[Service]
RestrictAddressFamilies=AF_INET
IPAddressAllow=any

Then restart the systemd-logind service, or reboot. Obviously this could have other implications for the security of the system - I'm not sure if processes launched by systemd-logind also have more relaxed permissions.

It'd be great if the above patch could be applied to the package in 20.04.
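An added example, not from the bug report and not systemd's or Ubuntu's own code: a small POSIX shell script that checks whether a unit's sandbox, as printed by `systemctl show`, still permits the AF_INET socket that nss_ldap needs, and renders a drop-in that is narrower than the `IPAddressAllow=any` workaround in the report by allowing only the directory server's address. The `systemctl show` output and the address 192.0.2.10 are constructed samples, and the output format assumed here (key=value lines, space-separated family list, a leading `~` inverting the list) is an assumption.

```shell
#!/bin/sh
# Added example, not part of the bug report. Checks whether a unit's sandbox
# still lets nss_ldap open the AF_INET socket it needs, and renders a drop-in
# that is narrower than IPAddressAllow=any.

# Constructed sample of what
#   systemctl show -p RestrictAddressFamilies -p IPAddressDeny -p IPAddressAllow systemd-logind
# prints on an affected host (format is an assumption: key=value, families
# space-separated, a leading "~" inverting the family list).
AFFECTED_SHOW='RestrictAddressFamilies=AF_UNIX AF_NETLINK
IPAddressDeny=any
IPAddressAllow='

# Constructed sample of the same query after a drop-in that adds AF_INET and
# an allow entry for the (constructed) LDAP server address 192.0.2.10.
FIXED_SHOW='RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET
IPAddressDeny=any
IPAddressAllow=192.0.2.10/32'

# inet_allowed SHOW_OUTPUT
# Exit 0 when the unit may both create AF_INET sockets and reach at least one
# IP address; exit 1 when either sandbox setting would make nss_ldap fail the
# way the strace in the report shows (socket() -> EAFNOSUPPORT, then fcntl on
# fd -1 -> EBADF, surfacing as "Bad file descriptor" in the shadow lookup).
inet_allowed() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "RestrictAddressFamilies" { raf = $2 }
        $1 == "IPAddressDeny"           { deny = $2 }
        $1 == "IPAddressAllow"          { allow = $2 }
        END {
            inverted = 0
            if (substr(raf, 1, 1) == "~") { inverted = 1; raf = substr(raf, 2) }
            listed = (index(" " raf " ", " AF_INET ") > 0)
            if (raf == "")      fam_ok = 1          # no family restriction at all
            else if (inverted)  fam_ok = !listed    # everything except the listed families
            else                fam_ok = listed     # only the listed families
            # IPAddressAllow entries take precedence over IPAddressDeny, so a
            # deny-all is only fatal when no allow entry exists.
            net_ok = (deny == "" || allow != "")
            if (fam_ok && net_ok) exit 0
            exit 1
        }'
}

# render_dropin LDAP_SERVER_ADDRESS
# Prints a drop-in for "systemctl edit systemd-logind" that appends AF_INET to
# the family list and allows traffic only to the directory server instead of
# to "any". Use AF_INET6 and an IPv6 address as well if LDAP is reached over IPv6.
render_dropin() {
    printf '[Service]\nRestrictAddressFamilies=AF_INET\nIPAddressAllow=%s\n' "$1"
}

if inet_allowed "$AFFECTED_SHOW"; then
    echo "sandbox permits AF_INET: nss_ldap lookups should work"
else
    echo "sandbox blocks AF_INET: nss_ldap lookups will fail; suggested drop-in:"
    render_dropin 192.0.2.10
fi
```

Both RestrictAddressFamilies= and IPAddressAllow= are merged across the unit file and its drop-ins, which is why the drop-in only has to name what it adds. Allowing a single address keeps logind's network exposure limited to the directory server rather than reopening it to the whole network as `IPAddressAllow=any` does; the original sandbox is restored simply by deleting the drop-in once a fixed systemd package is installed.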

Changed in systemd:
status: Unknown → Fix Released
Dan Streetman (ddstreet) wrote :

> A temporary workaround for others experiencing this issue would be to run "systemctl edit
> systemd-logind" and enter the following:
>
> [Service]
> RestrictAddressFamilies=AF_INET
> IPAddressAllow=any

It sounds like your problem isn't the /etc/shadow issue, it's due to systemd-logind sandboxing, which wasn't present in bionic (systemd-logind was configured to allow inet/inet6 in bionic).

Have you tested a full groovy installation to make sure it's fixed for you there *without* the logind drop-in? And have you tested your patched systemd also *without* the logind drop-in to verify the patch fixes things for you?

Changed in systemd (Ubuntu):
status: New → Incomplete
Dan Streetman (ddstreet) wrote :

Possibly the same as bug 1915502.

Dan Streetman (ddstreet) wrote :

I believe this is a dup of bug 1915502, so marking as such
