systemd-logind: do_ypcall: clnt_call: RPC: Unable to send; errno = Operation not permitted

Bug #1774417 reported by Paul Menzel on 2018-05-31
28
This bug affects 6 people
Affects Status Importance Assigned to Milestone
nis (Debian)
Confirmed
Unknown
nis (Ubuntu)
Undecided
Unassigned
systemd (Ubuntu)
Undecided
Unassigned

Bug Description

See upstream bug report 7074 (systemd-logind's IP sandbox breaks nss-nis and suchlike) [1]. Logging in takes a long time.

    May 30 13:26:25 ubuntu1804 systemd-logind[2993]: do_ypcall: clnt_call: RPC: Unable to send; errno = Operation not permitted
    May 30 13:26:50 ubuntu1804 sshd[3446]: pam_systemd(sshd:session): Failed to create session: Connection timed out

Conclusion:

> Please ask your downstream distribution to either:
>
> 1. include a systemd-logind.service.d/ snippet in your nss-nis package that turns off the IP firewalling logic for logind
> 2. or patching systemd-logind.service for everybody to disable it distro-wide (which I'd really not recommend though, compromising the security for everybody just because for compat of a nowadays pretty niche nss module that does some very questionnable things doesn't sound like the best way out to me)

[1] https://github.com/systemd/systemd/issues/7074

Dimitri John Ledkov (xnox) wrote :

Well, on Ubuntu we do not have nss-nis package.

As libnss_nis is shipped in libc6, and thus available everywhere. Thus adding a depends or a drop-in is a non-starter as well it would be installed by default everywhere.

I'm not sure if we can somehow detect that it was enabled, and require nscd installation at that point.

I'd rather not unsandbox logind.

no longer affects: glibc (Ubuntu)
Changed in systemd (Ubuntu):
status: New → Won't Fix
Changed in nis (Ubuntu):
status: New → Confirmed
Changed in nis (Debian):
status: Unknown → Confirmed
Johannes Reimann (jreimann) wrote :

Hello everybody,

I just wanted to add that this bug does not only causes 25s long login times, but at least for Xubuntu also causes that:
- users authenticated via nis are unable to play sound, because pulseaudio (in non-system mode) doesn't list any sound cards besides the dummy device
- users authenticated via nis are unable to mount usb-harddrives via thunar because of missing permissions

Jonathan (jjcf89) wrote :
Daniel van Vugt (vanvugt) wrote :

If anyone thinks it is appropriate then you can mark this as a duplicate of bug 1745664. But there's not enough information here for me to tell right now.

Andreas Hasenack (ahasenack) wrote :

Does this workaround help here as well?

https://github.com/systemd/systemd/issues/9431#issuecomment-412195708

Essentially, replace IPAddressDeny=any with just "IPAddressDeny="

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.