Hello,

I am using SSSD with NIS via the proxy id_provider and auth_provider (full conf below). I hoped that SSSD's cache would work around the sandboxing of systemd's logind that won't, by default, allow outgoing connections to the provider (see https://github.com/systemd/systemd/issues/7074).

User and credential lookup works fine and I can log in remotely via ssh. However, immediately after auth, at session setup-time, pam_systemd.so calls logind, which calls getpwuid(), which in turn causes a NIS lookup that hangs because of the sandbox. Failure of pam_systemd.so also means I can't login via the GUI.

I was hoping that SSSD's cache, which is up-to-date because of the immediately preceding auth, would be used instead of the NIS lookup. My alternative right now is to specifically disable that sandbox, as described in the link above, but I'd rather understand this completely and perhaps avoid that.

I'm on Ubuntu 18.04, with sssd 1.16.1.

sssd.conf: [sssd] services = nss, pam config_file_version = 2 domains = my.domain.name

[nss] filter_groups = root filter_users = root reconnection_retries = 3 cache_first = true

[pam] reconnection_retries = 3 pam_verbosity = 3 offline_failed_login_attempts = 3 offline_failed_login_delay = 1 # increased this in hopes of fixing the issue. Nope... pam_id_timeout = 35 cache_first = true

[domain/my.domain.name] id_provider = proxy auth_provider = proxy proxy_lib_name = nis proxy_pam_target = none cache_credentials = true # increased this in hopes of fixing the issue. Nope... cached_auth_timeout = 30 # Tried with and without enumeration. No difference. enumerate = true

The relevant PAM file -- /etc/pam.d/common-session. In my tests via ssh was included via /etc/pam.d/sshd: session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_umask.so session required pam_unix.so session optional pam_sss.so # if I comment or skip the next line I get clean ssh logins, but still failing GUI logins. session optional pam_systemd.so

nsswitch.conf: passwd: compat systemd sss group: compat systemd sss shadow: compat sss gshadow: files hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname networks: files protocols: db files services: db files ethers: db files rpc: db files sudoers: files

getent output getent passwd testuser: testuser:$6$salted_hashed_password.:1100:100::/home/testuser:/bin/bash

getent -s sss passwd testuser: testuser:*:1100:100::/home/testuser:/bin/bash

getent -s sss shadow testuser: <no output>