[opensuse-factory] NIS/YP Login trouble after update yesterday
After the update of Tumbleweed yesterday, today the Login on my PC (with NFS mounted /home and User sharing via NIS/YP from my unchanged Tumbleweed Server), don't work anymore. After check of all Server Services and a login on a not updated client, which was working. I compared all infos and verified the LOGs. "journalctl -a" delivers: nscd[1454]: rpc: failed to open /etc/netconfig ... login[3865]: pam_systemd(login:session): Failed to release session: Interrupted system call So I removed nscd via "zypper rm nscd" and afterwords installed him again via "zypper in nscd". A short test on two deviating devices delivers that the login now runs like expected. Is there any error in the update script or configs? -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Wed, Oct 11, ub22@gmx.net wrote:
After the update of Tumbleweed yesterday, today the Login on my PC (with NFS mounted /home and User sharing via NIS/YP from my unchanged Tumbleweed Server), don't work anymore. After check of all Server Services and a login on a not updated client, which was working. I compared all infos and verified the LOGs.
"journalctl -a" delivers:
nscd[1454]: rpc: failed to open /etc/netconfig
Richard Brown had the right idea: it's apparmor, who does not allow nscd to read that config file. Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello, Am Dienstag, 17. Oktober 2017, 10:49:40 CEST schrieb Thorsten Kukuk:
On Wed, Oct 11, ub22@gmx.net wrote:
After the update of Tumbleweed yesterday, today the Login on my PC (with NFS mounted /home and User sharing via NIS/YP from my unchanged Tumbleweed Server), don't work anymore. After check of all Server Services and a login on a not updated client, which was working. I compared all infos and verified the LOGs.
"journalctl -a" delivers:
nscd[1454]: rpc: failed to open /etc/netconfig
Richard Brown had the right idea: it's apparmor, who does not allow nscd to read that config file.
That sounds like you should add /etc/netconfig r, to the nscd profile (/etc/apparmor.d/usr.sbin.nscd) and run rcapparmor reload afterwards. If this isn't enough, switch the profile to complain mode aa-complain /etc/apparmor.d/usr.sbin.nscd That will allow everything and log what would be denied. Then [1] use aa-logprof to update the profile, send me the needed additions (as patch or SR) and finally put the profile to enforce mode again: aa-enforce /etc/apparmor.d/usr.sbin.nscd BTW: Since you are the maintainer of libtirpc-netconfig - do you know if /etc/netconfig will only be needed by nscd, or if it makes more sense to allow it in abstractions/nameservice? Regards, Christian Boltz [1] You can of course also use aa-logprof while the profile is in enforce mode - but that might mean that you find out about one denial after the other, instead of everything at once. -- Looks like if the bios tried to boot the mouse... stupid cat :-)) [jdd in opensuse-testing] -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Tue, Oct 17, Christian Boltz wrote:
BTW: Since you are the maintainer of libtirpc-netconfig - do you know if /etc/netconfig will only be needed by nscd, or if it makes more sense to allow it in abstractions/nameservice?
Whom do you mean with "you"? You send the mail to a mailing list, and the mailing list is clearly not the maintainer: Defined in package: Base:System/libtirpc bugowner of libtirpc-netconfig : tsaupe maintainer of libtirpc-netconfig : dirkmueller, elvigia But to answer your question: every package linked against libtirpc or loading a shared library or plugin linked against libtirpc needs to be able to read /etc/netconfig. So, if somebody enables NIS on his system, every application could end in the situation to need access to that file. Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello, Am Dienstag, 17. Oktober 2017, 15:39:23 CEST schrieb Thorsten Kukuk:
On Tue, Oct 17, Christian Boltz wrote:
BTW: Since you are the maintainer of libtirpc-netconfig - do you know if /etc/netconfig will only be needed by nscd, or if it makes more sense to allow it in abstractions/nameservice?
Whom do you mean with "you"? You send the mail to a mailing list, and the mailing list is clearly not the maintainer:
I answered _your_ mail, so... ;-)
Defined in package: Base:System/libtirpc bugowner of libtirpc-netconfig : tsaupe
maintainer of libtirpc-netconfig : dirkmueller, elvigia
Yeah, but the RPM changelog looks like you do most of the work in this package. So even if you aren't official maintainer, I'd say in practise you are ;-) But thanks for the nitpicking - it's a nice reminder to be more exact and to use osc maintainer before I call someone "maintainer" ;-)
But to answer your question: every package linked against libtirpc or loading a shared library or plugin linked against libtirpc needs to be able to read /etc/netconfig. So, if somebody enables NIS on his system, every application could end in the situation to need access to that file.
Sounds like it should go into abstractions/nameservice, and rpm -e --test libtirpc3 also confirms this - libtirpc3 is needed by nfs-client, rpcbind, xinetd, pam and some more packages. Can someone who sees this problem please check if adding /etc/netconfig r, to /etc/apparmor.d/abstractions/nameservice, followed by rcapparmor reload solves the problem? If it isn't enough, please follow the steps in my previous mail and tell me what else is needed. If in doubt, open a bugreport with /var/log/audit/audit.log attached. Regards, Christian Boltz --
Because we had feature freeze in January ;) Which is why there were no new features added to YaST since January. Hey, we only did the usual bugfixing ;) That's a bug, not a feature. :-D [> Christoph Thiel and houghi in opensuse]
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Tue, Oct 17, Christian Boltz wrote:
Can someone who sees this problem please check if adding /etc/netconfig r, to /etc/apparmor.d/abstractions/nameservice, followed by rcapparmor reload solves the problem?
Yes, it solves the problem. Thorsten -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Hello, Am Dienstag, 17. Oktober 2017, 23:13:38 CEST schrieb Thorsten Kukuk:
On Tue, Oct 17, Christian Boltz wrote:
Can someone who sees this problem please check if adding
/etc/netconfig r,
to /etc/apparmor.d/abstractions/nameservice, followed by
rcapparmor reload
solves the problem?
Yes, it solves the problem.
Thanks for the feedback! I just submitted SR 534597 Regards, Christian Boltz -- I am supposed to be the info provider, so here is my answer: 42 By the way: What is the question? [Johannes Meixner in https://bugzilla.novell.com/show_bug.cgi?id=190173] -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Gesendet: Dienstag, 17. Oktober 2017 um 23:13 Uhr; Von: "Thorsten Kukuk" ay
On Tue, Oct 17, Christian Boltz wrote:
Can someone who sees this problem please check if adding /etc/netconfig r, to /etc/apparmor.d/abstractions/nameservice, followed by rcapparmor reload solves the problem?
Yes, it solves the problem.
At my PC to. Ub22 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Thorsten Kukuk wrote:
On Wed, Oct 11, ub22@gmx.net wrote:
After the update of Tumbleweed yesterday, today the Login on my PC (with NFS mounted /home and User sharing via NIS/YP from my unchanged Tumbleweed Server), don't work anymore. After check of all Server Services and a login on a not updated client, which was working. I compared all infos and verified the LOGs.
"journalctl -a" delivers:
nscd[1454]: rpc: failed to open /etc/netconfig
Richard Brown had the right idea: it's apparmor, who does not allow nscd to read that config file.
I thought we have a NIS test in openQA that is meant to prevent this kind of breakage? cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.com/ SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 10/17/2017 02:57 PM, Ludwig Nussel wrote:
Thorsten Kukuk wrote:
On Wed, Oct 11, ub22@gmx.net wrote:
After the update of Tumbleweed yesterday, today the Login on my PC (with NFS mounted /home and User sharing via NIS/YP from my unchanged Tumbleweed Server), don't work anymore. After check of all Server Services and a login on a not updated client, which was working. I compared all infos and verified the LOGs.
"journalctl -a" delivers:
nscd[1454]: rpc: failed to open /etc/netconfig
Richard Brown had the right idea: it's apparmor, who does not allow nscd to read that config file.
I thought we have a NIS test in openQA that is meant to prevent this kind of breakage?
What would be the name of that test? I'm not aware of any. Greetings, Stephan -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Stephan Kulow wrote:
On 10/17/2017 02:57 PM, Ludwig Nussel wrote:
Thorsten Kukuk wrote:
On Wed, Oct 11, ub22@gmx.net wrote:
After the update of Tumbleweed yesterday, today the Login on my PC (with NFS mounted /home and User sharing via NIS/YP from my unchanged Tumbleweed Server), don't work anymore. After check of all Server Services and a login on a not updated client, which was working. I compared all infos and verified the LOGs.
"journalctl -a" delivers:
nscd[1454]: rpc: failed to open /etc/netconfig
Richard Brown had the right idea: it's apparmor, who does not allow nscd to read that config file.
I thought we have a NIS test in openQA that is meant to prevent this kind of breakage?
What would be the name of that test? I'm not aware of any.
Ah, there's https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/tests... but looks like it's neither enabled for TW nor does it seem test the right thing. There's a ticket open since while. Maybe time to revisit it given the number of people affected. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.com/ SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (5)
-
Christian Boltz -
Ludwig Nussel -
Stephan Kulow -
Thorsten Kukuk -
ub22@gmx.net