Hide Forgot
Description of problem: We upgraded one of ours servers - which uses NSS/NIS - from Fedora 27 to Fedora 28 and faced timeouts in systemd-logind. This causes ssh logins to take 25 seconds to complete. The problem is further described here [1] and fixed by setting IPAddressDeny= in systemd-logind service file. Also described in systemd 235 release notes [2]: " Downstream distributions might want to update their nss-nis packaging to include such a drop-in snippet, accordingly, to hide this incompatibility from the user. " Thanks. 1. https://github.com/systemd/systemd/issues/7074 2. https://github.com/systemd/systemd/commit/2bcbffd6db8efe8f0cc2f2b01d407a326247176d
Yes, this is very annoying bug that hit my 28 servers too. It would be important to have an official fix rather than starting to patch things by hand. This bug affects everyone running NIS, so this should be high priority.
We also experience the same problem. The proposed solution given above works for us and it seems to suggest a "drop-in" file to be added in the nss_nis package with [Service] IPAddressDeny= and placed in /lib/systemd/system/systemd-logind.service.d I think it should be done upstream, but in the meantime an rpm with the fix seems in order...
I got also crashes from other systemd services, e.g. systemd-udevd, because they also need to look up hosts, users, groups, netgroups, etc., using nis (if nis is an entry in lines in /etc/nsswitch.conf). So the "workaround" should also be done for (all?) other systemd services that uses the same mechanism. # grep -ri IPAddressDeny /usr/lib/systemd/system/ /usr/lib/systemd/system/systemd-timedated.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-logind.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-machined.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-journald.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-udevd.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-localed.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-coredump@.service:IPAddressDeny=any /usr/lib/systemd/system/systemd-hostnamed.service:IPAddressDeny=any I am currently trying using nscd instead of allowing networking for these services, but I don't currently know if this solves all problems, because nscd does not cache all nis maps (as far as I know, e.g. ethers.byname, ethers.byaddr, auto.master, auto.home, mail.aliases), but it may be that these systemd services don't need access to these nis maps.
nss_nis-3.0-6.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-78f95660f9
nss_nis-3.0-6.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-78f95660f9
nss_nis-3.0-6.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.