systemd-logind: do_ypcall: clnt_call: RPC: Unable to send; errno = Operation not permitted

Bug #1774417 reported by Paul Menzel
This bug affects 6 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| nis (Debian) | Fix Released | Unknown | | |
| nis (Ubuntu) | Confirmed | Undecided | Unassigned | |
| systemd (Ubuntu) | Won't Fix | Undecided | Unassigned | |

Bug Description

See upstream bug report 7074 (systemd-logind's IP sandbox breaks nss-nis and suchlike) [1]. Logging in takes a long time.

    May 30 13:26:25 ubuntu1804 systemd-logind[2993]: do_ypcall: clnt_call: RPC: Unable to send; errno = Operation not permitted
    May 30 13:26:50 ubuntu1804 sshd[3446]: pam_systemd(sshd:session): Failed to create session: Connection timed out

Conclusion:

> Please ask your downstream distribution to either:
>
> 1. include a systemd-logind.service.d/ snippet in your nss-nis package that turns off the IP firewalling logic for logind
> 2. or patching systemd-logind.service for everybody to disable it distro-wide (which I'd really not recommend though, compromising the security for everybody just because for compat of a nowadays pretty niche nss module that does some very questionable things doesn't sound like the best way out to me)

[1] https://github.com/systemd/systemd/issues/7074

Dimitri John Ledkov (xnox) wrote :

Well, on Ubuntu we do not have nss-nis package.

As libnss_nis is shipped in libc6, and thus available everywhere. Thus adding a depends or a drop-in is a non-starter as well, as it would be installed by default everywhere.

I'm not sure if we can somehow detect that it was enabled, and require nscd installation at that point.

I'd rather not unsandbox logind.

no longer affects: glibc (Ubuntu)
Changed in systemd (Ubuntu):
status: New → Won't Fix
Changed in nis (Ubuntu):
status: New → Confirmed
Changed in nis (Debian):
status: Unknown → Confirmed
Johannes Reimann (jreimann) wrote :

Hello everybody,

I just wanted to add that this bug does not only cause 25s long login times, but at least for Xubuntu also causes that:
- users authenticated via nis are unable to play sound, because pulseaudio (in non-system mode) doesn't list any sound cards besides the dummy device
- users authenticated via nis are unable to mount usb-harddrives via thunar because of missing permissions

Jonathan (jjcf89) wrote :
Daniel van Vugt (vanvugt) wrote :

If anyone thinks it is appropriate then you can mark this as a duplicate of bug 1745664. But there's not enough information here for me to tell right now.

Andreas Hasenack (ahasenack) wrote :

Does this workaround help here as well?

https://github.com/systemd/systemd/issues/9431#issuecomment-412195708

Essentially, replace IPAddressDeny=any with just "IPAddressDeny="

Changed in nis (Debian):
status: Confirmed → Fix Released
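
One way to combine the two ideas raised in this thread (detect that NIS is actually enabled, and only then install a systemd-logind.service.d/ drop-in with the `IPAddressDeny=` reset), as an added example that is not code from this bug report, systemd or the nis package. The function names and the drop-in file name are hypothetical.

```shell
#!/bin/sh
# Added example. nis_databases, write_logind_dropin and the drop-in file
# name 10-nis-ipaddress.conf are hypothetical names chosen for illustration.

# Print each nsswitch.conf database that lists "nis" or "nisplus" as a source.
# $1: path to nsswitch.conf (default: /etc/nsswitch.conf)
nis_databases() {
    awk '
        {
            sub(/#.*/, "")                    # strip comments
            n = index($0, ":")
            if (!n) next                      # not a "database: sources" line
            db = substr($0, 1, n - 1)
            gsub(/[ \t]/, "", db)
            m = split(substr($0, n + 1), src) # sources, whitespace separated
            for (i = 1; i <= m; i++)
                if (src[i] == "nis" || src[i] == "nisplus") { print db; break }
        }
    ' "${1:-/etc/nsswitch.conf}"
}

# Write the drop-in only when NIS is in use, so hosts without NIS keep
# the IP sandbox of logind untouched.
# $1: nsswitch.conf path, $2: drop-in directory
# Returns 1 when no NIS source is configured (nothing is written).
write_logind_dropin() {
    dbs=$(nis_databases "$1" | tr '\n' ' ')
    [ -n "$dbs" ] || return 1
    mkdir -p "$2" || return 2
    cat > "$2/10-nis-ipaddress.conf" <<EOF
# NIS sources found in nsswitch.conf for: $dbs
# Workaround from the bug thread: reset the IP deny list for logind.
[Service]
IPAddressDeny=
EOF
}

# Usage: script NSSWITCH_CONF DROPIN_DIR
# e.g. /etc/nsswitch.conf /etc/systemd/system/systemd-logind.service.d
if [ "$#" -eq 2 ]; then
    write_logind_dropin "$1" "$2"
fi
```

The drop-in takes effect after `systemctl daemon-reload` and a restart of systemd-logind.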