Bug 1829572

Summary: Login fails after upgrade fo Fedora 32
Product: [Fedora] Fedora Reporter: Thomas Clark <fedoraproject>
Component: nss_nisAssignee: Matej Mužila <mmuzila>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 32CC: bugs.kde.attila, DAF1BAB1, edgar.hoch, fjanus, idosch, lnykryn, mmuzila, msekleta, rkudyba, ssahani, s, systemd-maint, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: nss_nis-3.1-5.fc32 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-04 02:54:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Thomas Clark 2020-04-29 19:35:55 UTC 
Description of problem:

Following upgrade to Fedora 32, users are unable to login.  Authentication is by nis (and that seems to be the problem) with home directories mounted by automount.  

SSH login produces the following error:  "pam_systemd(sshd:session): Failed to get user record: Connection timed out" but login succeeds after the timeout.

Graphical login produces the following error:  "pam_systemd(gdm-password:session): Failed to get user record: Connection timed out" and login does not succeed.  The login screen briefly shows the "last login message" but then returns immediately to the login screen.


Version-Release number of selected component (if applicable):


How reproducible:

100%


Steps to Reproduce:
1.Upgrade to Fedora 32 while using NIS
2.Attempt to login
3.

Actual results:
Login fails


Expected results:
Login should succeed


Additional info:
Comment 1 Thomas Clark 2020-04-30 16:11:19 UTC 
I have done some more testing; the problem is definitely NIS.  An strace on sshd shows that a connection is opened to to socket /run/systemd/userdb/io.systemd.Multiplexer with a 45-second timeout.  For both users, the initial request appears to fail on a username lookup.  However, for both users the second request is a lookup by uid.  The user in /etc/passwd gets a response immediately and is logged in immediately with a file in /run/systemd/users.  The NIS user does not get a response and times out after 45 seconds.  The user is successfully logged in, but without a file in /run/systemd/users.  Desktop login is failing for the NIS user because of no /run/systemd/users file.
Comment 2 Mike 2020-05-09 15:19:51 UTC 
This was causing issues for me so I gave up waiting and I set up OpenLDAP and alongside LDAP Account Manager (LAM).  NIS has been retired here after several years service.

Mike.
Comment 3 Zbigniew Jędrzejewski-Szmek 2020-05-09 16:11:26 UTC 
Sorry for the slow reply. Does this occur with selinux enabled? If yes, does enforcing=0 help?
Comment 4 Thomas Clark 2020-05-09 16:13:07 UTC 
I already have enforcing=0.
Comment 5 Zbigniew Jędrzejewski-Szmek 2020-05-09 16:35:59 UTC 
We probably need a same work-around as for logind. Could you please test the following:

cp /usr/lib/systemd/system/systemd-logind.service.d/nss_nis.conf /usr/lib/systemd/system/systemd-userdbd.service.d/nss_nis.conf
systemctl daemon-reload && systemctl restart systemd-userdbd

I don't have a nis setup at hand to test this unfortunately. If that works, I'd submit it as
PR for the nss_nis package.
Comment 6 Thomas Clark 2020-05-09 16:50:28 UTC 
That indeed works!  I haven't figured out why yet, but I'll take it.  Thanks!
Comment 7 Zbigniew Jędrzejewski-Szmek 2020-05-10 20:04:14 UTC 
https://src.fedoraproject.org/rpms/nss_nis/pull-request/1
Comment 8 Zbigniew Jędrzejewski-Szmek 2020-05-20 06:58:26 UTC 
*** Bug 1837808 has been marked as a duplicate of this bug. ***
Comment 9 Zbigniew Jędrzejewski-Szmek 2020-05-20 13:22:10 UTC 
Ping.
Comment 10 Edgar Hoch 2020-05-20 22:58:05 UTC 
Maintainer, please build new packages with includes the fix (pull-request).
Comment 11 Fedora Update System 2020-05-21 08:24:47 UTC 
FEDORA-2020-bb323f2ec3 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb323f2ec3
Comment 12 Fedora Update System 2020-05-22 04:23:45 UTC 
FEDORA-2020-bb323f2ec3 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-bb323f2ec3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb323f2ec3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 13 Thomas Clark 2020-05-22 13:28:31 UTC 
The problem is resolved.  Thank you!
Comment 14 Attila 2020-05-23 12:41:58 UTC 
(In reply to Zbigniew Jędrzejewski-Szmek from comment #5)
> We probably need a same work-around as for logind. Could you please test the
> following:
> 
> cp /usr/lib/systemd/system/systemd-logind.service.d/nss_nis.conf
> /usr/lib/systemd/system/systemd-userdbd.service.d/nss_nis.conf
> systemctl daemon-reload && systemctl restart systemd-userdbd

Thank you. It works for me too.
Comment 15 Thomas Clark 2020-06-03 16:00:17 UTC 
Is there anybody who can push this update? It's been in testing almost 2 weeks.
Comment 16 Fedora Update System 2020-06-04 02:54:09 UTC 
FEDORA-2020-bb323f2ec3 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.