1657295 – remote user can not ssh to a winbind joined system

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1657295 - remote user can not ssh to a winbind joined system

Summary: remote user can not ssh to a winbind joined system

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	authselect
Sub Component:
Version:	8.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Pavel Březina
QA Contact:	Steeve Goveas
Docs Contact:	Filip Hanzelka
URL:
Whiteboard:
Depends On:	1682278
Blocks:
TreeView+	depends on / blocked

Reported:	2018-12-07 15:47 UTC by Patrik Kis
Modified:	2020-04-15 08:00 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	.Changing `/etc/nsswitch.conf` requires a manual system reboot Any change to the `/etc/nsswitch.conf` file, for example running the `authselect select profile_id` command, requires a system reboot so that all relevant processes use the updated version of the `/etc/nsswitch.conf` file. If a system reboot is not possible, restart the service that joins your system to Active Directory, which is the `System Security Services Daemon` (SSSD) or `winbind`.
Clone Of:
Environment:
Last Closed:	2019-06-11 10:32:21 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Patrik Kis 2018-12-07 15:47:07 UTC

Description of problem:
With the new authselect ssh login does not work for remote users when the system was joined to AD with winbind.
The issue is caused by this change:
"session     required    pam_systemd.so"
what used to be:
"-session    optional     pam_systemd.so"

If the problem is in the systemd pam module forward the bug to systemd please.

Version-Release number of selected component (if applicable):
authselect-1.0-8.el8
systemd-239-8.el8

How reproducible:
always

Steps to Reproduce:
1. join the system to AD with realmd. Eg.
# realm -v join --user=admin --client-software=winbind --membership-software=samba  <AD>
...

2. Try to login
# ssh <user>@<AD>@localhost
...
Last login: Fri Dec  7 10:37:35 2018 from 127.0.0.1
Connection to 127.0.0.1 closed.


Actual results: Logs:


 sshd[22113]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=user
 sshd[22113]: pam_winbind(sshd:auth): getting password (0x00000390)
 sshd[22113]: pam_winbind(sshd:auth): pam_get_item returned a password
 sshd[22113]: pam_winbind(sshd:auth): user 'AD\user' granted access
 sshd[22113]: pam_winbind(sshd:account): user 'AD\user' granted access
 sshd[22113]: Accepted password for user from 127.0.0.1 port 32838 ssh2
 sshd[22113]: pam_systemd(sshd:session): pam-systemd initializing
 sshd[22113]: pam_systemd(sshd:session): Asking logind to create session: uid=2001103 pid=22113 service=sshd type=tty class=user desktop= seat= vtnr=0 tty= display= remote=yes remote_user= remote_host=127.0.0.1
 sshd[22113]: pam_systemd(sshd:session): Session limits: memory_max=n/a tasks_max=n/a cpu_weight=n/a io_weight=n/a
 sshd[22113]: pam_systemd(sshd:session): Failed to create session: No such file or directory
 sshd[22113]: pam_unix(sshd:session): session opened for user AD\user by (uid=0)
 sshd[22113]: error: PAM: pam_open_session(): System error
 sshd[22116]: Received disconnect from 127.0.0.1 port 32838:11: disconnected by user
 sshd[22116]: Disconnected from user user 127.0.0.1 port 32838
 sshd[22113]: pam_winbind(sshd:setcred): user 'AD\user' OK

Comment 1 Sumit Bose 2018-12-11 12:11:18 UTC

I think the underlying reason for this is that logind does not re-read /etc/nsswitch.conf and hence is not aware of nss-winbind and the new users served by winbind.

I can make the test pass with:

diff --git a/Regression/bz1484072-realmd-join-add-deprecated-options-to-samba-file/runtest.sh b/Regression/bz1484072-realmd-join-add-deprecated-options-to-samba-file/runtest.sh
index ca83832..01a5875 100755
--- a/Regression/bz1484072-realmd-join-add-deprecated-options-to-samba-file/runtest.sh
+++ b/Regression/bz1484072-realmd-join-add-deprecated-options-to-samba-file/runtest.sh
@@ -133,6 +133,7 @@ rlJournalStart
         # On slower machines the sssd and mainly winbind daemon may not be ready immediately
         echo "Winbind is slooow. Give it some time. Sleeping for 20 seconds."
         sleep 30
+        rlRun "systemctl restart systemd-logind"
         rlRun "realmd_check_join $realmd_USER $realmd_USER_PASS $realmd_REALM_DOMAIN_AD"
         # Check the home folder location (it should be user@domain all in lowercase)
         rlRun "getent passwd $realmd_USER@$realmd_REALM_DOMAIN_AD &>id.log"


Not sure what is the best way forward here. authselect can signal/restart logind whenever /etc/nsswitch.conf is touched or just print a message and let the callers do this?

Comment 2 Sumit Bose 2018-12-11 12:16:55 UTC

Ah, I forgot to say, this is not a logind issue, it will affect all long running processes which were started before authselect changed /etc/nsswitch.conf and using authconfig would lead to the same issue as well.

From nsswitch.conf man page:

"""
 Within each process that uses nsswitch.conf, the entire file is read only once.  If the file is later changed, the process will continue using the old configuration.
"""

Comment 13 Nikhil Dehadrai 2019-01-10 10:39:52 UTC

Seeing similar issue in ipa-hbac-func test suite, where 'su' command fails


Example::

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   user access to master for ftp, on master, add rule
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 15:43:47 ] :: [  BEGIN   ] :: Kinit as admin user :: actually running 'kinitAs admin Secret123'
Password for admin: 
Default principal: admin
:: [ 15:43:48 ] :: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [ 15:43:48 ] :: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
:: [ 15:43:48 ] :: [  BEGIN   ] :: Running 'mkdir -p /home/user1'
:: [ 15:43:48 ] :: [   PASS   ] :: Command 'mkdir -p /home/user1' (Expected 0, got 0)
:: [ 15:43:48 ] :: [  BEGIN   ] :: Running 'chmod 700 /home/user1'
:: [ 15:43:48 ] :: [   PASS   ] :: Command 'chmod 700 /home/user1' (Expected 0, got 0)
:: [ 15:43:48 ] :: [  BEGIN   ] :: Running 'create_ipauser user1 user1 user1 '
:: [ 15:43:48 ] :: [   LOG    ] :: create ipa user: [user1], firstname: [user1], lastname: [user1]  password: [testpw123]
:: [ 15:43:50 ] :: [   LOG    ] :: create ipa user: [user1], password: [testpw123]
:: [ 15:43:50 ] :: [  BEGIN   ] :: add test user account :: actually running 'echo dummy123 |           ipa user-add user1                         --first 'user1'                         --last  'user1'                         --password '
------------------
Added user "user1"
------------------
  User login: user1
  First name: user1
  Last name: user1
  Full name: user1 user1
  Display name: user1 user1
  Initials: uu
  Home directory: /home/user1
  GECOS: user1 user1
  Login shell: /bin/sh
  Principal name: user1
  Principal alias: user1
  User password expiration: 20190110101351Z
  Email address: user1
  UID: 1752800006
  GID: 1752800006
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [ 15:43:52 ] :: [   PASS   ] :: add test user account (Expected 0, got 0)
:: [ 15:43:54 ] :: [  BEGIN   ] :: Running 'FirstKinitAs user1 dummy123 testpw123'
Using default cache: 0
Using principal: user1
Password for user1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
Authenticated to Kerberos v5
Default principal: user1
:: [ 15:43:55 ] :: [   LOG    ] :: kinit as user1 with new password testpw123 was successful.
:: [ 15:43:55 ] :: [   PASS   ] :: Command 'FirstKinitAs user1 dummy123 testpw123' (Expected 0, got 0)
user1
:: [ 15:43:55 ] :: [   PASS   ] :: Command 'create_ipauser user1 user1 user1 ' (Expected 0, got 0)
:: [ 15:43:55 ] :: [  BEGIN   ] :: Running 'chown user1.user1 /home/user1'
:: [ 15:43:55 ] :: [   PASS   ] :: Command 'chown user1.user1 /home/user1' (Expected 0, got 0)
:: [ 15:43:55 ] :: [   LOG    ] :: Adding Dummy Code-Debugging
:: [ 15:43:56 ] :: [  BEGIN   ] :: Restarting systemd login service :: actually running 'systemctl restart systemd-logind'
:: [ 15:43:56 ] :: [   PASS   ] :: Restarting systemd login service (Expected 0, got 0)
:: [ 15:43:56 ] :: [  BEGIN   ] :: Running 'sleep 120'
:: [ 15:45:56 ] :: [   PASS   ] :: Command 'sleep 120' (Expected 0, got 0)
:: [ 15:45:56 ] :: [   LOG    ] :: Dummy Code-Debugging end
:: [ 15:45:56 ] :: [  BEGIN   ] :: Running 'su - user1 -c 'pwd''
su: cannot open session: System error
:: [ 15:45:56 ] :: [   FAIL   ] :: Command 'su - user1 -c 'pwd'' (Expected 0, got 1)



Logs:

[root@vm-idm-020 ~]# cat /var/log/secure | grep 'su'
Jan 10 15:40:38 vm-idm-020 su[9611]: pam_unix(su-l:session): session opened for user user1 by (uid=0)
Jan 10 15:40:38 vm-idm-020 su[9611]: pam_unix(su-l:session): session closed for user user1
Jan 10 15:40:39 vm-idm-020 sshd[9677]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.65.206.154 user=user1
Jan 10 15:40:51 vm-idm-020 su[9837]: pam_unix(su-l:session): session opened for user user1 by (uid=0)
Jan 10 15:40:51 vm-idm-020 su[9837]: pam_unix(su-l:session): session closed for user user1
Jan 10 15:41:08 vm-idm-020 su[9991]: pam_unix(su-l:session): session opened for user user2 by (uid=0)
Jan 10 15:41:08 vm-idm-020 su[9991]: pam_unix(su-l:session): session closed for user user2
Jan 10 15:41:25 vm-idm-020 su[10149]: pam_unix(su-l:session): session opened for user user3 by (uid=0)
Jan 10 15:41:25 vm-idm-020 su[10149]: pam_unix(su-l:session): session closed for user user3
Jan 10 15:41:31 vm-idm-020 sshd[10247]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.65.206.154 user=user1
Jan 10 15:41:32 vm-idm-020 sshd[10303]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.65.206.154 user=user3
Jan 10 15:45:56 vm-idm-020 su[11289]: pam_systemd(su-l:session): Failed to create session: Start job for unit user failed with 'failed'
Jan 10 15:45:56 vm-idm-020 su[11289]: pam_unix(su-l:session): session opened for user user1 by (uid=0)
Jan 10 15:48:04 vm-idm-020 su[11518]: pam_systemd(su-l:session): Failed to create session: Start job for unit user failed with 'failed'
Jan 10 15:48:04 vm-idm-020 su[11518]: pam_unix(su-l:session): session opened for user user2 by (uid=0)

Comment 14 Pavel Březina 2019-01-11 10:08:40 UTC

This seems to be the same a bug reported against IPA: https://bugzilla.redhat.com/show_bug.cgi?id=1664974

Comment 15 Pavel Březina 2019-03-05 11:37:23 UTC

The commit that brought this issue up has been reverted [1]. But it should still be documented that changing nsswitch.conf requires reboot.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1643928

Comment 19 Pavel Březina 2019-06-11 10:32:21 UTC

Changes to nsswitch.conf requires reboot of the machine/daemons for the daemons to pick it up. Automatic reload of nsswitch table will be implemented in glibc [1] and authselect can not do anything about it besides documenting it. Documentation has been provided and this particular issue has been worked around in RHEL8.0. Thus closing as CURRENTRELEASE.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=132608

Note You need to log in before you can comment on or make changes to this bug.