F18 users unable to log in due to cached nsswitch.conf

Simo Sorce simo at redhat.com
Wed Oct 17 15:21:25 UTC 2012


On Wed, 2012-10-17 at 17:17 +0200, Stef Walter wrote:
> In Fedora 17 and 18 we have a problem where remote users are unable to 
> log in until the machine has been rebooted. This used to work 
> previously. To fix this we probably need to:
> 
> Include 'sss' in /etc/nsswitch.conf by default and have the small 
> sssd-client package (with just the pam, nss plugins) installed on all but 
> minimal Fedora installs.
> 
> Is it too late to do this for Fedora 18? I'd jump in and provide the 
> patches necessary. Sadly it's been hard to test a coherent system up 
> until this point, so I thought this was a fluke of my test F18 systems 
> until just the other day.
> 
> Cheers,
> 
> Stef

I want to add that having the 'sss' line in nsswitch.conf is completely
harmless both if the libnss_sss plugin is not available (minimal) and if
it is available but sssd is not.
The library has been built to be resilient and not block or cause issues
when the daemon is present. glibc also just ignores missing plugins.

So adding that line by default in nsswitch.conf should have no
unintended consequences or bad failure modes.

Simo.

> 
> 
> DETAILS:
> 
> This happens after configuration using authconfig to change 
> /etc/nsswitch.conf (or doing it manually). The changes are not picked up 
> by long running processes like dbus-daemon --system. As far as I can see 
> dbus-daemon then refuses to allow connections from these users. As might 
> be expected, gnome-shell crashes hard when this happens.
> 
> There are some other ways to fix this problem, but these do not scale to 
> fix the problem for every possible affected process:
> 
> http://sourceware.org/bugzilla/show_bug.cgi?id=12459
> 
> Below I have a rough test for duplicating the problem.
> 
> 
> TEST CASE:
> 
> * This should be ideally run on a freshly installed system or at
>    least a system without sss in /etc/nsswitch.conf since last boot.
> 
> $ grep sss /etc/nsswitch.conf && echo "ALREADY HAVE sss"
> $ sudo -s
> # yum install sssd-tools pamtester
> # test -f /etc/sssd/sssd.conf && mv /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak
> # echo -e "[sssd]\ndomains=local\nconfig_file_version=2\nservices=nss,pam\n[domain/local]\nid_provider=local" > /etc/sssd/sssd.conf
> # chmod 0600 /etc/sssd/sssd.conf
> # systemctl start sssd.service
> # authconfig --update --enablesssd --enablesssdauth
> # sss_useradd --uid=2121 --gecos=Zapp zapp
> # passwd zapp # set password for zapp
> # pamtester zapp authenticate   # type password, should succeed
> 
> * Now go to gdm by logging out or switch user.
> * Try to log in as zapp.
> * Hang.
> * Reboot
> * Try to log in as zapp.
> * Success
> 
> 
> TRACKER BUG: https://bugzilla.redhat.com/show_bug.cgi?id=867473
> 
> 
> Cheers,
> 
> Stef
> -- 
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel


-- 
Simo Sorce * Red Hat, Inc * New York
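
The following is an added example, not part of the original thread: a POSIX shell sketch that reports which databases in nsswitch.conf list 'sss' and which processes started before the file was last modified, making them candidates for a restart after an authconfig change. The function names are hypothetical, and it assumes GNU stat and procps-ng ps (for the etimes column).

```shell
#!/bin/sh
# Added example (not from the thread): find processes that may still hold
# the NSS configuration from before /etc/nsswitch.conf was last changed.

# Print each database (passwd, group, ...) whose source list contains "sss".
# $1: path to a file in nsswitch.conf format.
sss_databases() {
    awk '{
        sub(/#.*/, "")                      # drop comments
        i = index($0, ":"); if (!i) next    # skip lines without "db:"
        db = substr($0, 1, i - 1); gsub(/[ \t]/, "", db)
        n = split(substr($0, i + 1), src)   # whitespace-separated sources
        for (k = 1; k <= n; k++) if (src[k] == "sss") { print db; break }
    }' "$1"
}

# Read "pid start_epoch command" lines on stdin and print "pid command" for
# every process that started before the change time in $1 (epoch seconds).
started_before() {
    awk -v changed="$1" '$2 + 0 < changed + 0 { print $1, $3 }'
}

# Emit "pid start_epoch command" for all processes. etimes is the elapsed
# run time in seconds, so start = now - etimes (first word of comm only).
process_starts() {
    now=$(date +%s)
    ps -eo pid=,etimes=,comm= | awk -v now="$now" '{ print $1, now - $2, $3 }'
}

# Full report for one nsswitch.conf path. The list is of candidates only:
# start time alone cannot show whether a process has done an NSS lookup.
report() {
    changed=$(stat -c %Y "$1") || return 1
    echo "databases using sss: $(sss_databases "$1" | tr '\n' ' ')"
    echo "started before last change to $1:"
    process_starts | started_before "$changed"
}

# Run against a real file only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

Run it as `sh script.sh /etc/nsswitch.conf`; dbus-daemon showing up in the second list matches the situation described in the DETAILS section below.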


