Bug 1575297 - No login possible for NIS users on fedora 28
Summary: No login possible for NIS users on fedora 28
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: authselect
Version: 28
Hardware: Unspecified
OS: Unspecified
Assignee: Pavel Březina
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-05-05 19:28 UTC by Tom Horsley
Modified: 2018-12-14 00:55 UTC (History)

Fixed In Version: authselect-1.0-1.fc28
Last Closed: 2018-08-22 01:26:41 UTC
Type: Bug

Description Tom Horsley 2018-05-05 19:28:23 UTC
Description of problem:

I have no idea which component this should be reported against, I just picked nss_nis as one of the ones involved. I see fedora 28 switched to a new nis with ipv6 changes and switched authconfig to authselect, so I have no clue what might be broken. I just know that I can't login as an nis user after setting up a new fedora 28 install just like I have setup every version of fedora in the past (and they all worked). It is getting /etc/yp.conf set by DHCP. It is running the ypbind service. I can do a "ypcat passwd" and see the users listed. I see files on NFS directories showing up in "ls -l" with the NIS owner and group listed correctly. The user's shell is listed in /etc/shells. The user's home directory is NFS mounted, but no login is possible as that user. I always get some kind of authentication failure, like:

May 4 15:14:38 tomh login: FAILED LOGIN 1 FROM tty3 FOR tom, Authentication failure
May 4 15:02:18 tomh sshd[13139]: fatal: Access denied for user tom by PAM account configuration [preauth]

The first is from a console login attempt, the second from ssh.


Version-Release number of selected component (if applicable):
nss_nis-3.0-3.fc28.x86_64
authselect-0.4-2.fc28.x86_64
pam-1.3.0-10.fc28.x86_64
ypbind-2.4-7.fc28.x86_64
sssd-1.16.1-3.fc28.x86_64


How reproducible:
100% on the one system I've tried to configure for NIS

Steps to Reproduce:
1. Make sure yp.conf is correct
2. enable the ypbind.service
3. Add "nis" to the passwd shadow and group lines in /etc/nsswitch.conf

Actual results:
Login for nis users denied

Expected results:
Login works for nis users like it did in all previous fedoras

Additional info:

Here's a thread with more info in the fedora users mailing list:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/thread/DK4KGT3XXLHJ3PXHNG6KVKNFJHR455V3/

Comment 1 Andrew M. Shooman 2018-05-07 13:58:06 UTC
Same problem.
Console login to NIS user fails.
Remote ssh login to NIS user succeeds but with very long delay.
Please advise on information to collect from the remote session to help with the investigation.
Thanks.

Comment 2 Ed Greshko 2018-05-07 14:29:26 UTC
FWIW, the problem seems to be on the client side.

I created 2 VM's (a client and a server) both running F28.  I then verified the problem.  I also used wireshark to trace the communication between them and it looked OK.  The server returned the pw to the client.

I then created a 3rd VM as a client running F27.  From F27 I am able to login as the NIS user.

So, something appears amiss on the F28 client side.

Comment 3 Tom Horsley 2018-05-07 16:18:46 UTC
Correction to original report: I don't see the user names show up in "ls", I just see the uid. Not sure if they once appeared, or if I was looking at the wrong things when I made that observation. (I do get valid ypcat passwd output though).

Comment 4 Ed Greshko 2018-05-07 23:40:10 UTC
(In reply to Tom Horsley from comment #3)
> Correction to original report: I don't see the user names show up in "ls", I
> just see the uid. Not sure if they once appeared, or if I was looking at the
> wrong things when I made that observation. (I do get valid ypcat passwd
> output though).

I do see the user name.  The host f28xfce is the client system....

[egreshko@meimei ~]$ ssh 192.168.1.81
egreshko@192.168.1.81's password: 
Last login: Mon May  7 22:56:46 2018 from 192.168.1.18

[egreshko@f28xfce ~]$ su - maria
Password: 
su: Authentication failure

[egreshko@f28xfce ~]$ su -
Password: 
Last login: Mon May  7 22:33:08 CST 2018 on pts/2

[root@f28xfce ~]# su - maria
Last login: Mon May  7 21:47:40 CST 2018 on pts/2
Last failed login: Tue May  8 07:37:36 CST 2018 on pts/2
There were 9 failed login attempts since the last successful login.

[maria@f28xfce ~]$ whoami
maria

[maria@f28xfce ~]$ ll
total 0

[maria@f28xfce ~]$ touch test
[maria@f28xfce ~]$ ll
total 0
-rw-rw-r--. 1 maria maria 0 May  8 07:38 test

Comment 5 Tom Horsley 2018-05-07 23:54:51 UTC
OK, so maybe I did see them at first, but they are gone now (after various experiments which may have busted something more thoroughly :-).

Comment 6 Tom Horsley 2018-05-08 13:24:21 UTC
(In reply to Tom Horsley from comment #5)
> OK, so maybe I did see them at first, but they are gone now (after various
> experiments which may have busted something more thoroughly :-).

Yep, it was my experimenting. There was some bits of sssd still enabled, I disabled them, and the names started showing up in ls output again. If I really need to run as an NIS user now, I can login as root then "su -l nisuser" and that seems to work.

Comment 7 James Szinger 2018-05-08 14:25:46 UTC
Possible duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1574959 "Set IPAddressDeny= in systemd-logind service file".  At least the symptoms sound similar.  Does the workaround in https://github.com/systemd/systemd/issues/7074 "systemd-logind's IP sandbox breaks nss-nis and suchlike" help?

Comment 8 Tom Horsley 2018-05-08 15:38:07 UTC
I changed the systemd-logind service file as described and even rebooted to make sure absolutely everything got re-initialized, I still get this from an ssh attempt:

May  8 11:33:43 tomh sshd[2774]: fatal: Access denied for user tom by PAM account configuration [preauth]

Was there some change to pam to remove NIS support?

Comment 9 Ed Greshko 2018-05-08 22:51:09 UTC
(In reply to Tom Horsley from comment #8)

> May  8 11:33:43 tomh sshd[2774]: fatal: Access denied for user tom by PAM
> account configuration [preauth]
> 
> Was there some change to pam to remove NIS support?

I too made the changes suggested in comment #7.  It did not fix the problem for me either.

One thing though.  My error message in the logs is different.  I get,

May 09 06:43:52 f28xfce.greshko.com sshd[11836]: Failed password for maria from 192.168.1.18 port 55602 ssh2

In my attempts to solve the problem, I did create a sssd.conf file on the client containing.

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
debug_level = 2

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75

No help, of course.  :-(

Comment 10 jerrylu2008 2018-05-09 12:17:14 UTC
Try editing the following file.
/etc/pam.d/password-auth

Then comment out the following line.

#auth        [default=1 ignore=ignore success=ok]         pam_localuser.so

Comment 11 jerrylu2008 2018-05-09 12:28:10 UTC
Also edit /etc/pam.d/system-auth, then comment out the following lines.

#auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
#account     sufficient                                   pam_localuser.so

Comment 12 Tom Horsley 2018-05-09 13:33:52 UTC
Just tried commenting out the above localuser lines in the two files. No change, still getting the same error:

May  9 09:31:34 tomh sshd[9158]: fatal: Access denied for user tom by PAM account configuration [preauth]

I didn't reboot or anything, is something additional required to make pam config files take effect?

Comment 13 Ed Greshko 2018-05-09 13:45:24 UTC
I have made those changes to the client side and it is now working for me.

[egreshko@meimei ~]$ ssh maria@192.168.1.81
maria@192.168.1.81's password: 
Last login: Wed May  9 21:34:22 2018 from 192.168.1.18
[maria@f28xfce ~]$ grep maria /etc/passwd
[maria@f28xfce ~]$

This brings up a few questions such as....

Why were these lines added?
Will commenting them have a downside?
Since those files are generated by authselect won't the changes be reverted at some point?

Comment 14 Tom Horsley 2018-05-09 14:26:51 UTC
And does this mean NIS will only work if I also enable sssd and install the config file described above? Because just changing the pam.d files didn't work for me.

Comment 15 Ed Greshko 2018-05-09 14:37:39 UTC
(In reply to Tom Horsley from comment #14)
> And does this mean NIS will only work if I also enable sssd and install the
> config file described above? Because just changing the pam.d files didn't
> work for me.

Just for completeness, this is my nsswitch.conf 

# Generated by authselect on Wed Apr  4 20:58:48 2018
# Do not modify this file manually.

passwd:     sss files nis
group:      sss files nis
netgroup:   sss files
automount:  sss files
services:   sss files
sudoers:    files sss

shadow:     files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname

aliases:    files nisplus
bootparams: nisplus [NOTFOUND=return] files
publickey:  nisplus

And my sssd.conf I've already posted....


And....   I just found the answer to one of my questions.  There is a downside to making those changes.

[egreshko@meimei ~]$ ssh maria@192.168.1.81
maria@192.168.1.81's password: 
Last login: Wed May  9 22:32:02 2018 from 192.168.1.18
[maria@f28xfce ~]$ su -
su: Authentication failure

I can no longer su to root!  Not so good...

sudo still works.

Comment 16 jerrylu2008 2018-05-10 02:30:59 UTC
Let me summarize what I did.

1. # yum install libnsl nss_nis ypbind autofs
2. Disable selinux on /etc/selinux/config
3. # yum remove firewalld (optional)
4. # systemctl enable ypbind
5. # systemctl enable autofs
6. # vi /etc/nsswitch.conf
passwd:     files nis
group:      files nis
netgroup:   files nis
automount:  files nis
services:   files
sudoers:    files

shadow:     files nis
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
hosts:      files dns

aliases:    files nisplus
bootparams: nisplus files
publickey:  nisplus

7. vi /lib/systemd/system/systemd-udevd.service (Comment #IPAddressDeny=any)
8. vi /lib/systemd/system/systemd-logind.service (Comment #IPAddressDeny=any)
9. vi /etc/pam.d/password-auth
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
#auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
#auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
#account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
#account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
#session     optional                                     pam_sss.so

10. vi /etc/pam.d/system-auth
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
#auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
#auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
#account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
#account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
#session     optional                                     pam_sss.so

11. # yum remove sssd
12. # yum remove authselect
13. # yum install libnsl nss_nis
14. # reboot

Comment 17 jerrylu2008 2018-05-10 02:39:26 UTC
(In reply to Ed Greshko from comment #15)
> (In reply to Tom Horsley from comment #14)
> > And does this mean NIS will only work if I also enable sssd and install the
> > config file described above? Because just changing the pam.d files didn't
> > work for me.
> 
> Just for completeness, this is my nsswitch.conf 
> 
> # Generated by authselect on Wed Apr  4 20:58:48 2018
> # Do not modify this file manually.
> 
> passwd:     sss files nis
> group:      sss files nis
> netgroup:   sss files
> automount:  sss files
> services:   sss files
> sudoers:    files sss
> 
> shadow:     files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
> 
> aliases:    files nisplus
> bootparams: nisplus [NOTFOUND=return] files
> publickey:  nisplus
> 
> And my sssd.conf I've already posted....
> 
> 
> And....   I just found the answer to one of my questions.  There is a
> downside to making those changes.
> 
> [egreshko@meimei ~]$ ssh maria@192.168.1.81
> maria@192.168.1.81's password: 
> Last login: Wed May  9 22:32:02 2018 from 192.168.1.18
> [maria@f28xfce ~]$ su -
> su: Authentication failure
> 
> I can no longer su to root!  Not so good...
> 
> sudo still works.


Comment out the following line in /etc/pam.d/system-auth & /etc/pam.d/password-auth

#auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet

Comment 18 Ed Greshko 2018-05-10 04:27:42 UTC
(In reply to jerrylu2008 from comment #17)
 
> Comment the following line from /etc/pam.d/system-auth &
> /etc/pam.d/password-auth
> 
> #auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so
> uid >= 1000 quiet

OK, this fixes (works-around) the problem of not being able to "su -".

So, it seems, all the "fixes" I needed to get this working were changes to pam.

This would seem to indicate a BZ is needed with pam as the package needing fixes?
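
The results reported in comments 13, 15 and 18 follow from how the `[default=1 ...]` jump controls skip over pam_unix.so. The sketch below is an added illustration, not part of the bug thread and not code from authselect or Linux-PAM: a minimal evaluator for the auth stack, rebuilt from comment 16 with its commented-out lines restored. The module return values, the uid 1001 for maria and a correctly typed password are assumptions.

```python
import re

# Auth stack rebuilt from comment 16 with its '#' lines restored (assumed stock F28 stack).
STOCK_AUTH = """\
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
# Keyword controls as Linux-PAM [value=action] maps (only the values used here).
KEYWORDS = {
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}
ROOT = {"name": "root", "uid": 0, "in_etc_passwd": True}
NIS_USER = {"name": "maria", "uid": 1001, "in_etc_passwd": False}  # uid is constructed

def parse(stack, drop=()):
    """Return [(control_map, module)]; lines containing a `drop` marker count as commented out."""
    rules = []
    for line in stack.splitlines():
        if not line.strip() or line.startswith("#") or any(m in line for m in drop):
            continue
        control, module = re.match(r"\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)", line).groups()
        cmap = (dict(pair.split("=") for pair in control[1:-1].split())
                if control.startswith("[") else KEYWORDS[control])
        rules.append((cmap, module))
    return rules

def module_result(module, user):
    """Assumed return value of each module for a user who types the correct password."""
    if module == "pam_succeed_if.so":  # both uses in this stack test uid >= 1000
        return "success" if user["uid"] >= 1000 else "auth_err"
    if module == "pam_localuser.so":   # succeeds only for names listed in /etc/passwd
        return "success" if user["in_etc_passwd"] else "perm_denied"
    if module in ("pam_sss.so", "pam_deny.so"):  # sssd has no domain serving the user
        return "auth_err"
    return "success"  # pam_env, pam_faildelay, pam_unix (hash reachable through NSS)

def authenticate(rules, user):
    """Walk the stack with Linux-PAM control semantics; True means auth succeeds."""
    failed, positive, skip = False, False, 0
    for cmap, module in rules:
        if skip:  # module jumped over by an earlier [..=N] action
            skip -= 1
            continue
        action = cmap.get(module_result(module, user), cmap["default"])
        if action.isdigit():
            skip = int(action)  # jump; the failure itself is not recorded
        elif action in ("ok", "done"):
            positive = True
            if action == "done" and not failed:
                return True
        elif action in ("bad", "die"):
            failed = True
            if action == "die":
                return False
    return positive and not failed

def outcomes():
    """Auth result per user for the stock stack and the two edits tried in the thread."""
    variants = {"stock": (),
                "comment 10/11": ("pam_localuser.so",),
                "comment 17": ("pam_localuser.so", "success=ok] pam_succeed_if.so")}
    return {name: {u["name"]: authenticate(parse(STOCK_AUTH, drop), u) for u in (ROOT, NIS_USER)}
            for name, drop in variants.items()}

if __name__ == "__main__":
    print(outcomes())
```

Only the auth stack is modelled; the "Access denied ... by PAM account configuration" error in comments 8 and 12 comes from the account stack and is not covered here.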

Comment 19 Tom Horsley 2018-05-10 12:36:06 UTC
I just got NIS working in a somewhat similar way to comment #16

in /lib/systemd/system/systemd-udevd.service and
/lib/systemd/system/systemd-logind.service, I commented out the line

#IPAddressDeny=any

Then I copied my fedora 27 versions of password-auth and system-auth into my fedora 28 /etc/pam.d directory (saving the f28 versions in case I needed to put them back).

I had already pointed passwd, group and shadow at "files nis" in /etc/nsswitch.conf and installed and enabled ypbind.

I didn't remove sssd, I just made sure it was disabled.

Then I rebooted and everything is working again. I can use "su", I can login as an NIS user, I can login as a local user. It is all back to normal.

Maybe an "nis" config for authselect is what is needed?

Comment 20 Bryan Clingman 2018-05-15 20:23:59 UTC
Adding to the above comments, I was able to get mine to work by adding nis to the /etc/authselect/nsswitch.conf file.  Re-running authselect breaks this.

Confounding the issue is that authselect does not understand mdns4 (i.e. it would remove the mdns4_minimal line from nsswitch.conf), so my configuration would not work until I had both name resolution and nis lookup working.

mdns issue is documented here:  https://bugzilla.redhat.com/show_bug.cgi?id=1577243

Comment 21 Matej Mužila 2018-05-21 13:52:45 UTC
Hi,

there was a missing dependency in ypbind-2.4-7.fc28.x86_64 to nss_nis. This was fixed in ypbind-2.4-8.fc28.x86_64.

Although there are problems with login, the ypbind itself seems to work well. I'm moving the bug to authselect.

Comment 22 RobbieTheK 2018-05-23 22:37:12 UTC
Any idea if there will be a 32 bit RPM pushed for Fedora 28?

Comment 23 Pavel Březina 2018-05-28 10:54:01 UTC
To summarize, removing lines 5 and 6 from [1] fixes this issue?

In general, authselect does not provide any native support for NIS anymore, as authconfig did, so manual changes are needed or a custom profile for authselect needs to be created. Given how many users are involved in this BZ, we will consider providing some level of support in upstream.

[1] https://github.com/pbrezina/authselect/blob/master/profiles/sssd/system-auth#L5

Comment 24 RobbieTheK 2018-05-31 17:33:52 UTC
I created a BZ at https://bugzilla.redhat.com/show_bug.cgi?id=1576558 and when I reboot a 64-bit Fedora 28 server with nis in the /etc/nsswitch.conf file, systemd-login just keeps coredumping and I can never get to a login prompt. Once I remove the nis entries in the /etc/nsswitch.conf I can get to the desktop login manager (or ssh) and login as a local (non-NIS) user. I can then enable NIS logins by adding the nis entries back into the /etc/nsswitch.conf file and NIS users can then log in. Why would systemd-logind continue to crash even after I commented out, i.e., #IPAddressDeny=any, in /lib/systemd/system/systemd-udevd.service and /lib/systemd/system/systemd-logind.service?

Comment 25 Pavel Březina 2018-07-04 10:58:55 UTC
We decided to create an authselect profile for NIS to set up nsswitch.conf and PAM.

Upstream ticket:
https://github.com/pbrezina/authselect/issues/61

Comment 26 Tom Horsley 2018-07-18 11:22:21 UTC
So does this mean NIS still won't work when I install fedora 29 until I manually run authselect to change to the NIS profile?

Comment 27 Jakub Hrozek 2018-07-18 12:09:42 UTC
(In reply to Tom Horsley from comment #26)
> So does this mean NIS still won't work when I install fedora 29 until I
> manually run authselect to change to the NIS profile?

Yes

Comment 28 Fedora Update System 2018-08-14 10:48:35 UTC
authselect-1.0-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2dd06e12ff

Comment 29 Fedora Update System 2018-08-14 22:42:27 UTC
authselect-1.0-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2dd06e12ff

Comment 30 John Kissane 2018-08-20 09:43:27 UTC
I ran into this problem also while testing a kickstart install of Fedora 28. Previous script for F27 used authconfig to configure NIS. The test version of authselect allowed me to select NIS successfully. 

Do you need to add the entry to the yp.conf file manually now, as authconfig took the domain & servers as a parameter & updated the file, e.g.:

authconfig --enableshadow --enablemd5 --enablenis --nisdomain=DOMAIN --nisserver=SERVER --enablecach

Comment 31 Pavel Březina 2018-08-20 10:27:22 UTC
Thank you for testing. The test version of authselect also provides an updated authconfig compatibility tool which supports --enablenis, --nisdomain and --nisserver, so if you install F28 with updated packages the kickstart with authconfig script should configure the system correctly.

Comment 32 John Kissane 2018-08-20 13:37:11 UTC
(In reply to Pavel Březina from comment #31)
> Thank you for testing. The test version of authselect also provides updated
> authconfig compatibility tool which supports --enablenis, --nisdomain and
> --nisserver so if you install F28 with updated packages the kickstart with
> authconfig script should configure system correctly.

Thank you, that worked perfectly!

authconfig --enablenis --nisdomain=DOMAIN --nisserver=server --updateall

Comment 33 Pavel Březina 2018-08-21 07:44:59 UTC
If it works for you, can you give karma and provide feedback at [1] please?

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2018-2dd06e12ff

Comment 34 John Kissane 2018-08-21 08:02:02 UTC
(In reply to Pavel Březina from comment #33)
> If it works for you, can you give karma and provide feedback at [1] please?
> 
> [1] https://bodhi.fedoraproject.org/updates/FEDORA-2018-2dd06e12ff

I already did but it shows me as anonymous.

Comment 35 Fedora Update System 2018-08-22 01:26:41 UTC
authselect-1.0-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 36 Nigel Arnot 2018-08-23 09:41:14 UTC
Hi there,

There seems to be a related problem with kickstart deployments of Fedora 28. Booting off Fedora-Server-netinst-x86_64-28-1.1.iso (2018-04-25), the install fails with

Problem: conflicting requests
- nothing provides authselect (x86-64) = 0.4-1.fc28 needed by authselect-compat-0.4-1.fc28.x86_64
- nothing provides authselect (x86-64) = 1.0-1.fc28 needed by authselect-compat-1.0-1.fc28.x86_64

The kickstart file contains these relevant lines:
repo --name=updates --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f28&arch=x86_64
authconfig  --enableshadow  --passalgo=sha512 --enablenis --nisdomain=REDACTED --nisserver=192.168.99.99 --disablesssd --disablesssdauth

Is there a need to provide updated .iso images? Is there any other work-around?

I can confirm that dnf system-upgrade of a working Fedora 27 system using NIS for logins, now results in a working Fedora-28 system still using NIS.

For now I can kickstart-install Fedora 27 and then immediately upgrade to Fedora 28, but this will become a problem some time after Fedora 29 ships and Fedora 27 goes EOL.

Comment 37 Nigel Arnot 2018-08-23 14:15:52 UTC
Ignore my previous comment (#36) as far as kickstart installation is concerned. It works, with the repo and authconfig lines as specified. Fedora 28 is go.

(I'd corrupted the packages list in my fedora 28 development KS file).

