Description of problem:
Following upgrade to Fedora 32, users are unable to login. Authentication is by nis (and that seems to be the problem) with home directories mounted by automount.
SSH login produces the following error: "pam_systemd(sshd:session): Failed to get user record: Connection timed out" but login succeeds after the timeout.
Graphical login produces the following error: "pam_systemd(gdm-password:session): Failed to get user record: Connection timed out" and login does not succeed. The login screen briefly shows the "last login message" but then returns immediately to the login screen.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.Upgrade to Fedora 32 while using NIS
2.Attempt to login
Login should succeed
I have done some more testing; the problem is definitely NIS. An strace on sshd shows that a connection is opened to to socket /run/systemd/userdb/io.systemd.Multiplexer with a 45-second timeout. For both users, the initial request appears to fail on a username lookup. However, for both users the second request is a lookup by uid. The user in /etc/passwd gets a response immediately and is logged in immediately with a file in /run/systemd/users. The NIS user does not get a response and times out after 45 seconds. The user is successfully logged in, but without a file in /run/systemd/users. Desktop login is failing for the NIS user because of no /run/systemd/users file.
This was causing issues for me so I gave up waiting and I set up OpenLDAP and alongside LDAP Account Manager (LAM). NIS has been retired here after several years service.
Sorry for the slow reply. Does this occur with selinux enabled? If yes, does enforcing=0 help?
I already have enforcing=0.
We probably need a same work-around as for logind. Could you please test the following:
cp /usr/lib/systemd/system/systemd-logind.service.d/nss_nis.conf /usr/lib/systemd/system/systemd-userdbd.service.d/nss_nis.conf
systemctl daemon-reload && systemctl restart systemd-userdbd
I don't have a nis setup at hand to test this unfortunately. If that works, I'd submit it as
PR for the nss_nis package.
That indeed works! I haven't figured out why yet, but I'll take it. Thanks!
*** Bug 1837808 has been marked as a duplicate of this bug. ***
Maintainer, please build new packages with includes the fix (pull-request).
FEDORA-2020-bb323f2ec3 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb323f2ec3
FEDORA-2020-bb323f2ec3 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-bb323f2ec3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb323f2ec3
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
The problem is resolved. Thank you!
(In reply to Zbigniew Jędrzejewski-Szmek from comment #5)
> We probably need a same work-around as for logind. Could you please test the
> cp /usr/lib/systemd/system/systemd-logind.service.d/nss_nis.conf
> systemctl daemon-reload && systemctl restart systemd-userdbd
Thank you. It works for me too.