Public bug reported:

Ubuntu 20.04.2 LTS
systemd 245.4-4ubuntu3.4

The system is configured to use LDAP via nsswitch.conf:

passwd:  files systemd ldap
group:   files systemd ldap
shadow:  files ldap
gshadow: files

Using libnss-ldap 265-5ubuntu1.

When logging in with ssh there is a slight delay, and in the logs I see:

Feb 19 12:49:54 myserver sshd[105417]: Accepted publickey for mylogin from 1.2.3.4 port 60796 ssh2: RSA SHA256:somekey
Feb 19 12:49:54 myserver sshd[105417]: pam_unix(sshd:session): session opened for user mylogin by (uid=0)
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: reconnecting to LDAP server...
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server
Feb 19 12:49:54 myserver systemd-logind: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server
Feb 19 12:49:55 myserver systemd-logind: nss_ldap: could not search LDAP server - Server is unavailable
Feb 19 12:49:55 myserver systemd-logind[105119]: New session 331 of user mylogin.

With debugging for the systemd-logind process I can see the additional information:

Feb 19 12:55:22 myserver systemd-logind[106567]: Failed to do shadow lookup for UID 12345, ignoring: Bad file descriptor

And with strace I see:

stat("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=9102, ...}) = 0
geteuid() = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = -1 EAFNOSUPPORT (Address family not supported by protocol)
fcntl(-1, F_SETFD, FD_CLOEXEC) = -1 EBADF (Bad file descriptor)
sendto(33, "<83>Feb 19 12:56:59 systemd-logind: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server", 120, MSG_NOSIGNAL, NULL, 0) = 120
sendto(33, "<86>Feb 19 12:56:59 systemd-logind: nss_ldap: failed to bind to LDAP server ldaps://myldapserver.mydomain/: Can't contact LDAP server", 131, MSG_NOSIGNAL, NULL, 0) = 131
sendto(33, "<86>Feb 19 12:56:59 systemd-logind: nss_ldap: reconnecting to LDAP server...", 76, MSG_NOSIGNAL, NULL, 0) = 76

Looking in /usr/lib/systemd/system/systemd-logind.service we see:

RestrictAddressFamilies=AF_UNIX AF_NETLINK
IPAddressDeny=any

So the problem is that systemd-logind can't open an AF_INET socket. And additionally, it can't make any network connections.

This only occurs in 20.04. In 20.10 this is fixed by a newer systemd, and it doesn't appear to be present in older systemd versions (at least, I don't have an issue on 18.04).

The fix, from systemd 246, which is included in 20.10, is:

https://github.com/systemd/systemd/pull/15377

I have applied this change (which patches cleanly to the systemd source package in 20.04) and the problem is resolved.

A temporary workaround for others experiencing this issue would be to run "systemctl edit systemd-logind" and enter the following:

[Service]
RestrictAddressFamilies=AF_INET
IPAddressAllow=any

Then restart the systemd-logind service, or reboot.

Obviously this could have other implications for the security of the system - I'm not sure if processes launched by systemd-logind also have more relaxed permissions.

It'd be great if the above patch could be applied to the package in 20.04.

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1916235

Title:
  systemd generates errors when using NSS and LDAP

Status in systemd package in Ubuntu:
  New
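
Added example (not part of the bug report and not systemd's own code): a Python check that reads nsswitch.conf and a unit's settings and reports the mismatch described in the report, where an in-process network NSS module is configured but the unit's RestrictAddressFamilies=/IPAddressDeny= sandbox blocks its sockets. The function names and the NETWORK_NSS set are assumptions made for illustration, and the inputs are constructed from the values quoted in the report.

```python
# Constructed inputs, copied from the report: nsswitch.conf, the shipped unit
# settings, and the reporter's drop-in from `systemctl edit systemd-logind`.
NSSWITCH = "passwd: files systemd ldap\ngroup: files systemd ldap\nshadow: files ldap\ngshadow: files\n"
UNIT = "[Service]\nRestrictAddressFamilies=AF_UNIX AF_NETLINK\nIPAddressDeny=any\n"
DROPIN = "[Service]\nRestrictAddressFamilies=AF_INET\nIPAddressAllow=any\n"
NETWORK_NSS = {"ldap"}  # assumption: NSS modules that open TCP sockets in-process


def network_dbs(nsswitch):
    """Map each NSS database to the network-backed modules it lists."""
    out = {}
    for line in nsswitch.splitlines():
        db, sep, mods = line.split("#", 1)[0].partition(":")
        hits = [m for m in mods.split() if m in NETWORK_NSS]
        if sep and hits:
            out[db.strip()] = hits
    return out


def settings(texts, key):
    """Return values of `key`, in order, across the unit file and drop-ins."""
    pairs = (l.partition("=") for t in texts for l in t.splitlines())
    return [v.strip() for k, sep, v in pairs if sep and k.strip() == key]


def address_families(texts):
    """Return (is_allow_list, families); is_allow_list None = unrestricted."""
    allow, fams = None, set()
    for value in settings(texts, "RestrictAddressFamilies"):
        invert, words = value.startswith("~"), set(value.lstrip("~").split())
        if not value:                 # empty assignment resets the list
            allow, fams = None, set()
        elif allow is None:           # first assignment fixes the polarity
            allow, fams = not invert, words
        else:  # same polarity merges, opposite polarity removes entries
            fams = fams | words if (not invert) == allow else fams - words
    return allow, fams


def audit(nsswitch, texts):
    """List sandbox settings that break in-process network NSS lookups."""
    dbs, findings = network_dbs(nsswitch), []
    allow, fams = address_families(texts)
    if dbs and allow is not None and ("AF_INET" in fams) != allow:
        findings.append("AF_INET blocked; NSS lookups fail for " + ", ".join(sorted(dbs)))
    deny_any = "any" in " ".join(settings(texts, "IPAddressDeny")).split()
    if dbs and deny_any and not any(settings(texts, "IPAddressAllow")):
        findings.append("IPAddressDeny=any with no IPAddressAllow= entry")
    return findings
```

`audit(NSSWITCH, [UNIT])` returns both findings for the shipped 20.04 unit, and `audit(NSSWITCH, [UNIT, DROPIN])` returns none once the workaround drop-in is merged. The check only looks at AF_INET and does not model empty-assignment resets for the IP address lists.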