https://bugzilla.mindrot.org/show_bug.cgi?id=3528
Bug ID: 3528
Summary: ls hangs when using ldap groups
Product: Portable OpenSSH
Version: 8.2p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sftp-server
Assignee: unassigned-b...@mindrot.org
Reporter: kasper_steenga...@hotmail.com

On Ubuntu 20.04.4 LTS.

Configured the sftp server with ChrootDirectory like so:

/etc/ssh/sshd_config:

    ChallengeResponseAuthentication no
    UsePAM yes
    X11Forwarding yes
    PrintMotd no
    AcceptEnv LANG LC_*
    Subsystem sftp internal-sftp -l DEBUG
    GSSAPIAuthentication yes

    Match Group MyGroup
        ChrootDirectory /mychroot
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

My /etc/nsswitch contains:

    group: files systemd sss ldap

Users accessing the sftp are authenticated against an AD, but the access groups come from another LDAP server.

When I log in to the sftp server and execute an ls command it takes way too long.

I did a strace on the sftp process, in which I can see it tries to access the following files:

    openat(AT_FDCWD, "/run/systemd/userdb/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
    stat("/etc/ldap.conf", 0x7ffea7282230) = -1 ENOENT (No such file or directory)
    stat("/etc/resolv.conf", 0x7ffea7282770) = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/var/lib/sss/mc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    connect(4, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

I figured out that if an empty ldap.conf is placed in /mychroot/etc/ the ls command responds fast, and the access control (based on the LDAP groups) is still working (I made sure to do a sss_cache -E to clear cache between tests).

The ldap server is defined in /etc/ldap.conf with a fqdn that is resolved by the DNS server.
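As an added diagnostic (not part of the bug report or of OpenSSH), a POSIX sh helper that pulls the ENOENT paths out of an strace capture like the one above and reports which of them are also absent from a ChrootDirectory, so an admin can see what the NSS lookup is failing to find inside the chroot before sftp users see a slow ls. Function names and the sample strace lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the report or OpenSSH. Given strace output from an
# sftp-server process and a ChrootDirectory, list the files the NSS group lookup
# tried to reach but could not find, then show which are still missing from the
# chroot. Function names and the sample strace text below are constructed.

# strace_enoent_paths: read strace text on stdin and print the quoted path of
# every syscall that failed with ENOENT (openat/stat/connect sun_path), one per line.
strace_enoent_paths() {
    sed -n '/= -1 ENOENT/{s/.*"\([^"]*\)".*/\1/p;}'
}

# chroot_missing DIR: read absolute paths on stdin and print those that do not
# exist under DIR (each path is taken relative to the chroot root).
chroot_missing() {
    dir=$1
    while IFS= read -r p; do
        [ -e "$dir/$p" ] || printf '%s\n' "$p"
    done
}

# chroot_missing_count DIR STRACE_FILE: number of ENOENT paths absent from DIR.
chroot_missing_count() {
    strace_enoent_paths <"$2" | chroot_missing "$1" | wc -l | tr -d ' '
}

# Constructed sample in the shape of the report's strace; a real capture would
# come from e.g. "strace -f -p <sftp-server pid> -e trace=openat,stat,connect".
SAMPLE_STRACE='openat(AT_FDCWD, "/run/systemd/userdb/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
stat("/etc/ldap.conf", 0x7ffea7282230) = -1 ENOENT (No such file or directory)
stat("/etc/resolv.conf", 0x7ffea7282770) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3'

# demo_chroot: build a throwaway chroot holding only the empty etc/ldap.conf from
# the report's workaround and return how many ENOENT paths are still missing.
demo_chroot() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" && : >"$tmp/etc/ldap.conf"
    printf '%s\n' "$SAMPLE_STRACE" >"$tmp/strace.log"
    n=$(chroot_missing_count "$tmp" "$tmp/strace.log")
    rm -rf "$tmp"
    echo "$n"
}
```

Run it against a real chroot with `strace_enoent_paths <capture.log | chroot_missing /mychroot`; every path printed is one the sftp-server looked for and did not find inside the chroot.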