Your message dated Mon, 27 Oct 2025 13:20:07 +0000
with message-id <[email protected]>
and subject line Bug#1118640: fixed in systemd 258.1-2
has caused the Debian Bug report #1118640,
regarding libnss-systemd: Not configured for shadow/gshadow when upgraded from
Debian 11 or older
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1118640: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118640
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libnss-systemd
Version: 251.3-2
Severity: important
This was previously discussed on gdm3 bug #1116563, but I'm reporting it
here to have a clear statement of the issue in libnss-systemd.
If libnss-systemd is installed on Debian 12 or newer, it handles four
nsswitch databases: passwd, group, shadow and gshadow. The bug is that
if libnss-systemd was originally installed on a Debian 11 or older
system, and subsequently upgraded to Debian 12 or newer, it will only
handle passwd and group. This breaks packages like gdm3 which want to be
able to look up their dynamically-created users in the shadow and gshadow
databases (#1116563).
Steps to reproduce
==================
Unfortunately this involves "going back in time" since it's a divergence
between upgraded systems and fresh installations.
I acknowledge that we don't directly support Debian 11 any more, but
many Debian systems will have been installed with Debian 11 or older and
subsequently upgraded in the supported way (11 -> 12 -> 13 -> ...) and
this issue will affect those systems.
    $ autopkgtest-build-qemu bullseye ~/tmp/d11.qcow2
    (or use some other small VM image or non-overlayfs-based container)
    (run the VM and log in, it has a passwordless root shell on tty1)
    # apt update
    # apt install libnss-systemd
    # sed -i -e 's/bullseye/bookworm/g' -e 's/archive.debian.org/deb.debian.org/g' /etc/apt/sources.list
    # apt update
    # apt dist-upgrade
    # reboot
    (log back in)
    # sed -i -e 's/bookworm/trixie/g' -e 's/archive.debian.org/deb.debian.org/g' /etc/apt/sources.list
    # apt update
    # apt dist-upgrade
    # reboot
    (log back in)
    (optionally upgrade again, from trixie to forky or sid)
    # cat /etc/nsswitch.conf
    # apt install atftpd # a convenient DynamicUser
    # systemctl start atftpd
    # grep atftpd /etc/passwd /etc/group /etc/shadow /etc/gshadow || echo not found
    not found
    # getent passwd atftpd
    atftpd:(etc.)
    # getent group atftpd
    atftpd:(etc.)
    # getent shadow atftpd
    (should have a record, does not, this is the bug)
    # getent gshadow atftpd
    (should have a record, does not, this is the bug)
and to compare with a fresh system:
    $ autopkgtest-build-qemu trixie ~/tmp/d13.qcow2
    (or use some other small VM image or container)
    (run the VM and log in, it has a passwordless root shell on tty1)
    # apt update
    # apt install libnss-systemd
    # cat /etc/nsswitch.conf
    # apt install atftpd # a convenient DynamicUser
    # systemctl start atftpd
    # grep atftpd /etc/passwd /etc/group /etc/shadow /etc/gshadow || echo not found
    not found
    # getent passwd atftpd
    atftpd:(etc.)
    # getent group atftpd
    atftpd:(etc.)
    # getent shadow atftpd
    atftpd:(etc.)
    # getent gshadow atftpd
    atftpd:(etc.)
Expected result
===============
On both the fresh install and the upgraded system, "systemd" should
appear in the list of modules used to resolve all four of the
user-related databases: passwd, group, shadow and gshadow.
The atftpd dynamic user should appear when querying all four databases,
despite not being in any of the flat files.
Actual result
=============
On the fresh install, the four user-related databases are as expected:
    passwd: files systemd
    group: files systemd
    shadow: files systemd
    gshadow: files systemd
but on the upgraded system, libnss-systemd is missing from the shadow
and gshadow databases:
    passwd: files systemd
    group: files systemd
    shadow: files
    gshadow: files
As a result, "getent passwd atftpd" and "getent group atftpd" work as
expected, but "getent shadow atftpd" and "getent gshadow atftpd" fail.
Suggested solution
==================
https://bugs.debian.org/1113745 argues that this is a dh-nss bug, but
that bug has been marked wontfix, so unfortunately it will have to be up
to each NSS module to work around that limitation by doing its own
upgrade logic.
On upgrading to some threshold version - let's say $V - the maintainer
scripts for libnss-systemd should have logic like this pseudocode, to do
a one-time upgrade action:
    if this is an upgrade, current version << $V:
        if nsswitch.conf doesn't have /^shadow:.*\<systemd\>/:
            add systemd to the shadow: line in an appropriate position
        if nsswitch.conf doesn't have /^gshadow:.*\<systemd\>/:
            add systemd to the gshadow: line in an appropriate position
or perhaps what Ubuntu 25.10 has done:
    if this is an upgrade, current version << $V:
        completely remove systemd from nsswitch.conf
    #DEBHELPER# # let dh-nss put it back, with the new config
Because we don't support skipping stable releases, this can be removed
after version $V or later has appeared in a stable release (ideally also
an Ubuntu LTS release).
In an ideal world, $V would have been the same version that added
systemd to the shadow and gshadow databases (251.3-2), but in the
absence of a time machine, we can no longer implement that.
The next best thing is for $V to be the first version uploaded to
unstable with that logic.
More generally, every time there is a future change to how an nss module
is registered in nsswitch.conf (not just libnss-systemd, but also
libnss-myhostname, etc.), if the change is functionally significant, it
should come with a one-time upgrade action in the maintainer scripts
that makes upgraded systems match the new configuration.
Impact
======
This is the root cause of #1116563 in gdm3, which is the last remaining
blocker for the GNOME 49 transition (#1116394). If there isn't a
straightforward solution in libnss-systemd, I'll investigate whether we
can work around it in gdm3.
It could also affect any other system service that creates dynamic users
and relies on being able to look up their shadow record (password hash,
password expiry, etc.), or creates dynamic groups and relies on being
able to look up their gshadow record.
Ordinary static system users and groups (sysusers.d or adduser) are
unaffected.
Out of scope
============
In https://salsa.debian.org/systemd-team/systemd/-/merge_requests/293,
Marco proposes that instead of systemd being ordered last, it should be
ordered immediately after 'files', possibly with
'files [SUCCESS=merge] systemd', to better match upstream's
recommendations. For example, this might make libnss-systemd
higher-precedence than LDAP or similar services, where it would
currently be lower-precedence.
Strictly speaking this is orthogonal to solving the bug described here.
However, if this bug is solved in systemd version $X, and then Marco's
suggestion is subsequently implemented in systemd version $Y (> $X),
then the reasoning above implies that the maintainer script will now
need to handle more scenarios:
- new installation, no configuration (dh-nss handles this)
- upgrading, current version << $X
- upgrading, $X <= current version << $Y
- upgrading, current version >= $Y (no action needed)
and leave nsswitch configured appropriately in each of those scenarios.
So if we are sure that what Marco proposes is the right thing to do, it
might be simpler to batch together the change Marco requested and the
fix for this bug into the same systemd upload.
smcv
--- End Message ---
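The one-time migration sketched in the report's first pseudocode block, written out as POSIX shell. This is an added example, not the code shipped in d/libnss-systemd.postinst; the function names, the constructed sample file and the choice to append systemd at the end of the line are assumptions.

```shell
#!/bin/sh
# Added example, not the packaged postinst. Function names, the sample file
# and the append-at-end placement are assumptions.

# nss_has_module FILE DB MODULE: succeed if MODULE is a word on DB's line.
nss_has_module() {
    awk -v db="$2" -v mod="$3" '
        index($0, db ":") == 1 {
            sub("#.*", "")            # a trailing comment is not configuration
            n = split(substr($0, length(db) + 2), f, /[ \t]+/)
            for (k = 1; k <= n; k++) if (f[k] == mod) ok = 1
        }
        END { exit !ok }
    ' "$1"
}

# nss_add_module FILE DB MODULE: append MODULE to DB's line when missing.
# Idempotent; other lines and a trailing comment are preserved.
nss_add_module() {
    nss_has_module "$1" "$2" "$3" && return 0
    tmp=$(mktemp) || return 1
    awk -v db="$2" -v mod="$3" '
        index($0, db ":") == 1 {
            comment = ""; i = index($0, "#")
            if (i > 0) { comment = " " substr($0, i); $0 = substr($0, 1, i - 1) }
            sub(/[ \t]+$/, "")
            $0 = $0 " " mod comment
        }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's mode and owner
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# migrate_nsswitch FILE: enable systemd for the two databases the report
# finds missing on upgraded systems.
migrate_nsswitch() {
    for db in shadow gshadow; do
        nss_add_module "$1" "$db" systemd || return 1
    done
}

# Constructed sample with the upgraded-system layout from the report.
sample_upgraded_conf() {
    printf '%s\n' 'passwd:         files systemd' 'group:          files systemd' \
        'shadow:         files' 'gshadow:        files   # local only' \
        'hosts:          files dns'
}
# Try it: f=$(mktemp); sample_upgraded_conf > "$f"; migrate_nsswitch "$f"; cat "$f"
```

In a maintainer script the call would sit behind the version check the report describes, for example dpkg --compare-versions "$2" lt "$V" with $V as the threshold version; that guard is left out so the block runs against any test file.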
--- Begin Message ---
Source: systemd
Source-Version: 258.1-2
Done: Luca Boccassi <[email protected]>
We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luca Boccassi <[email protected]> (supplier of updated systemd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 27 Oct 2025 13:06:14 +0000
Source: systemd
Architecture: source
Version: 258.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers
<[email protected]>
Changed-By: Luca Boccassi <[email protected]>
Closes: 1118360 1118640
Changes:
systemd (258.1-2) unstable; urgency=medium
.
[ Luca Boccassi ]
* Backport patch to fix autopkgtest with new util-linux due to file move
(Closes: #1118360)
* getty-static: add missing Documentation=
* systemd-tests: drop unused overrides
.
[ Simon McVittie ]
* d/libnss-systemd.postinst: Ensure module is enabled for all four
databases. Before version 251.3-2, libnss-systemd was only enabled for
the passwd and group databases. Since that version, new installations
are set up in all four user/group databases (passwd, group, shadow and
gshadow) but older installations' configuration remained unchanged
until now. This resulted in configuration drift: shadow and gshadow
would list systemd dynamic users in new installations of Debian 12 or
13, but not in installations that had been upgraded from Debian 11 or
older, preventing new versions of gdm3 from working on those older
systems. Address this by doing a one-time migration from the old to
new configuration. (Closes: #1118640)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---