2082843 – pam_systemd(sshd:session): Failed to get user record: No such process

Bug 2082843 - pam_systemd(sshd:session): Failed to get user record: No such process

Summary: pam_systemd(sshd:session): Failed to get user record: No such process

Keywords:
Status:	CLOSED DUPLICATE of bug 1831141
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	systemd
Sub Component:
Version:	36
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	systemd-maint
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-05-07 18:58 UTC by Edgar Hoch
Modified:	2022-12-11 10:33 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2022-08-26 08:21:20 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Edgar Hoch 2022-05-07 18:58:31 UTC

Description of problem:

On Fedora 36 users in nis database cannot login on graphical desktop (e.g. GNOME).

I have installed a system with Fedora 36 (RC5; without and with packages from updates-testing), using the same configuration as for Fedora 35.

NIS users can login on Fedora 35 systems, but not on Fedora 36 systems.


If using ssh, users can log in, but the system log contains a line like this:

sshd[17565]: pam_systemd(sshd:session): Failed to get user record: No such process


If using desktop with gdm, then the user cannot log in and lines like this are logged:

gdm-password][13488]: pam_systemd(gdm-password:session): Failed to get user record: Kein passender Prozess gefunden
gdm-password][13488]: pam_unix(gdm-password:session): session opened for user myusername(uid=XXXX) by (uid=0)
gdm-password][13488]: gkr-pam: unable to locate daemon control file
...
dbus-daemon[13513]: [session uid=XXXX pid=13513] Activating service name='org.freedesktop.systemd1' requested by ':1.0' (uid=XXXX pid=13511 comm="/usr/libexec/gdm-wayland-session /usr/bin/gnome-se" label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
dbus-daemon[13513]: [session uid=XXXX pid=13513] Activated service 'org.freedesktop.systemd1' failed: Process org.freedesktop.systemd1 exited with status 1
...
pam_unix(gdm-password:session): session closed for user myusername


I have investigated the problem and found that "userdbctl" has changed the behavior and also doesn't find the user.

> userdbctl user myusername
User myusername does not exist.

>userdbctl --service=x user myusername
Enabled services: x
   User name: myusername
 Disposition: regular
 Last Passw.: Mon 2018-02-12 01:00:00 CET
    Login OK: yes
 Password OK: yes
         UID: XXXX
         GID: YYYY (groupy)
 Aux. Groups: group1
              group2
   Real Name: My Name
   Directory: /home/myusername
     Storage: classic
       Shell: /bin/bash
 Passwd Chg.: max 5y 5month 3w 13h 30min/warn 4w 2d
Pas. Ch. Now: no
   Passwords: 1

lists the complete nis user data. The value after "--service=" seems to be ignored, any value results in the same data.


On Fedora 35 both commands return user data, but differ in shadow data:

> userdbctl user myusername
   User name: myusername
 Disposition: regular
    Login OK: yes
 Password OK: yes
         UID: XXXX
         GID: YYYY (groupy)
 Aux. Groups: group1
              group2
   Real Name: My Name
   Directory: /home/myusername
     Storage: classic
       Shell: /bin/bash
   Passwords: none
     Service: io.systemd.NameServiceSwitch


> userdbctl --service=x user myusername
Enabled services: x
   User name: myusername
 Disposition: regular
 Last Passw.: Mon 2018-02-12 01:00:00 CET
    Login OK: yes
 Password OK: yes
         UID: XXXX
         GID: YYYY (groupy)
 Aux. Groups: group1
              group2
   Real Name: My Name
   Directory: /home/myusername
     Storage: classic
       Shell: /bin/bash
 Passwd Chg.: max 5y 5month 3w 13h 30min/warn 4w 2d
Pas. Ch. Now: no
   Passwords: 1


I know nscd was removed from Fedora 36. But on Fedora 35 users can log in with and without running nscd. So it should be the case on Fedora 36.

I use authselect with profile nis:

> LANG=C authselect current
Profile ID: nis
Enabled features:
- with-nispwquality
- without-nullok


So nss is configured to use nis:

> grep passwd /etc/nsswitch.conf 
passwd:     files nis systemd


Has anyone an idea what has changed in Fedora 36, what may be the reason for this behavior?
Is it an error in systemd or glibc or nss_nis, or an access problem (SELinux, sandbox)?

Do I need to change some files?


I looked at userdbctl with strace and ltrace and found that it communicates with /run/systemd/userdb/io.systemd.Multiplexer, but I don't know how to see what the processes at the other end of the socked does.


>strace -s 200 -v -f userdbctl user myusername
...
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/run/systemd/userdb/io.systemd.Multiplexer"}, 45) = 0
epoll_create1(EPOLL_CLOEXEC)            = 4
timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC|TFD_NONBLOCK) = 5
epoll_ctl(4, EPOLL_CTL_ADD, 5, {events=EPOLLIN, data={u32=2994818672, u64=94569584742000}}) = 0
epoll_ctl(4, EPOLL_CTL_ADD, 3, {events=0, data={u32=2994820880, u64=94569584744208}}) = 0
gettid()                                = 18613
futex(0x7f0b375ec424, FUTEX_WAKE_PRIVATE, 2147483647) = 0
epoll_ctl(4, EPOLL_CTL_MOD, 3, {events=EPOLLIN|EPOLLOUT, data={u32=2994820880, u64=94569584744208}}) = 0
openat(AT_FDCWD, "/proc/sys/kernel/random/boot_id", O_RDONLY|O_NOCTTY|O_CLOEXEC) = 6
read(6, "e5d2bfc0-7213-4232-a385-8aec869b5718\n", 38) = 37
read(6, "", 1)                          = 0
close(6)                                = 0
timerfd_settime(5, TFD_TIMER_ABSTIME, {it_interval={tv_sec=0, tv_nsec=0}, it_value={tv_sec=29552, tv_nsec=738102000}}, NULL) = 0
epoll_wait(4, [{events=EPOLLOUT, data={u32=2994820880, u64=94569584744208}}], 8, 0) = 1
timerfd_create(CLOCK_BOOTTIME, TFD_CLOEXEC|TFD_NONBLOCK) = 6
close(6)                                = 0
sendto(3, "{\"method\":\"io.systemd.UserDatabase.GetUserRecord\",\"parameters\":{\"userName\":\"myusername\",\"service\":\"io.systemd.Multiplexer\"}}\0", 120, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 120
epoll_ctl(4, EPOLL_CTL_MOD, 3, {events=EPOLLIN, data={u32=2994820880, u64=94569584744208}}) = 0
epoll_wait(4, [], 8, 0)                 = 0
mmap(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0b3728a000
recvfrom(3, "{\"error\":\"io.systemd.UserDatabase.NoRecordFound\",\"parameters\":{}}\0", 135152, MSG_DONTWAIT, NULL, NULL) = 66
epoll_ctl(4, EPOLL_CTL_MOD, 3, {events=0, data={u32=2994820880, u64=94569584744208}}) = 0
epoll_wait(4, [], 8, 0)                 = 0
epoll_wait(4, [], 8, 0)                 = 0
epoll_ctl(4, EPOLL_CTL_DEL, 3, NULL)    = 0
close(3)                                = 0
...


I have set systemd logging to debug level. Loging in with ssh has created the following lines:


varlink: New incoming connection.
varlink: Connections of user 0: 0 (of 1024 max)
varlink-25: Setting state idle-server
varlink-25: New incoming message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userName":"myusername","service":"io.systemd.DynamicUser"}}
varlink-25: Changing state idle-server → processing-method
varlink-25: Sending message: {"error":"io.systemd.UserDatabase.NoRecordFound","parameters":{}}
varlink-25: Changing state processing-method → processed-method
varlink-25: Changing state processed-method → idle-server
varlink-25: Got POLLHUP from socket.
varlink-25: Changing state idle-server → pending-disconnect
varlink-25: Changing state pending-disconnect → processing-disconnect
varlink-25: Changing state processing-disconnect → disconnected





Version-Release number of selected component (if applicable):
systemd-250.3-8.fc36.x86_64
glibc-2.35-5.fc36.x86_64
authselect-1.3.0-10.fc36.x86_64
nss_nis-3.1-11.fc36.x86_64
ypbind-2.7.2-8.fc36.x86_64
pam-1.5.2-12.fc36.x86_64


How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Edgar Hoch 2022-05-07 19:14:45 UTC

I want to mention that the nis users are known to the Fedora 36 system. "finger myusername", "id myusername", etc. works. But login on the desktop fails.

Comment 2 Edgar Hoch 2022-05-18 23:42:23 UTC

I have made additional tests:

After reboot, "userdbctl user myusername" fails ("User myusername does not exist").
But if I restart systemd-userdbd.service, then "userdbctl user myusername" prints a full list of user information, e.g. it works.

It seams to me that systemd-userdbd cannot access some services (?) that was not running while systemd-userdbd was started, but if it is restarted later, then it can access these services.

I think systemd-userdbd wanted to access ypbind, but ypbind is started after systemd-userdbd, and systemd-userdbd doesn't check later if ypbind will be available.

I have tried to create a dependency of systemd-userdbd on ypbind (After=ypbind.service), but this would create an unresolvable circular dependency, so this is no solution. Maybe I need a mechanism that restarts systemd-userdbd after ypbind has successful started and is bound to a nis server?

Or better, systemd-userdbd should check for available services not only during start, but also later?

Comment 3 David Tardon 2022-08-26 08:21:20 UTC


*** This bug has been marked as a duplicate of bug 1831141 ***

Comment 4 Terry Barnaby 2022-12-11 10:33:35 UTC

I am having effectively the same issue on Fedora37.
In my case I am using KDE/Plasma with sddm under X11. In my case users authenticated using NIS can logon fine, but they have no access to audio.
There is no /run/users/<userid> directory for them and XDG_RUNTIME_DIR is not set.

Running "systemctl restart systemd-userdbd" fixes the issue.

Note You need to log in before you can comment on or make changes to this bug.