[opensuse-factory] NIS/YP Login trouble after update yesterday

After the update of Tumbleweed yesterday, the login on my PC (with NFS-mounted /home and user sharing via NIS/YP from my unchanged Tumbleweed server) doesn't work anymore today. I checked all server services and did a login on a client that was not updated, which was working. I compared all the information and verified the logs.

"journalctl -a" delivers:

nscd[1454]: rpc: failed to open /etc/netconfig
...
login[3865]: pam_systemd(login:session): Failed to release session: Interrupted system call

So I removed nscd via "zypper rm nscd" and afterwards installed it again via "zypper in nscd". A short test on two different devices shows that the login now runs as expected.

Is there any error in the update script or configs?

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Wed, Oct 11, ub22@gmx.net wrote:
Richard Brown had the right idea: it's apparmor, which does not allow nscd to read that config file.

Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)

Hello,

On Tuesday, 17 October 2017, 10:49:40 CEST, Thorsten Kukuk wrote:
That sounds like you should add
    /etc/netconfig r,
to the nscd profile (/etc/apparmor.d/usr.sbin.nscd) and run
    rcapparmor reload
afterwards.

If this isn't enough, switch the profile to complain mode
    aa-complain /etc/apparmor.d/usr.sbin.nscd
That will allow everything and log what would be denied.

Then [1] use aa-logprof to update the profile, send me the needed additions (as patch or SR) and finally put the profile to enforce mode again:
    aa-enforce /etc/apparmor.d/usr.sbin.nscd

BTW: Since you are the maintainer of libtirpc-netconfig - do you know if /etc/netconfig will only be needed by nscd, or if it makes more sense to allow it in abstractions/nameservice?

Regards,

Christian Boltz

[1] You can of course also use aa-logprof while the profile is in enforce mode - but that might mean that you find out about one denial after the other, instead of everything at once.

--
Looks like if the bios tried to boot the mouse... stupid cat :-))
[jdd in opensuse-testing]
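The log review that the message above leaves to aa-logprof, as an added example that is not part of the original mail: it reduces the audit records for one profile to candidate file rules and drops those already written literally in a policy file. The function names, the /etc/example.conf path, the /usr/sbin/example profile and all log lines are constructed; the record layout follows the kernel's apparmor="DENIED" / apparmor="ALLOWED" audit messages.

```shell
#!/bin/sh
# Added example (not from the thread): turn AppArmor audit records for one
# profile into candidate file rules. All sample data below is constructed.

# candidate_rules PROFILE LOGFILE
# Prints "path mask," once per distinct (name, denied_mask) pair logged for
# PROFILE. DENIED comes from enforce mode, ALLOWED from complain mode.
# Records without a name= field (e.g. capability checks) are skipped.
candidate_rules() {
    grep -E 'apparmor="(DENIED|ALLOWED)"' "$2" |
    grep -F "profile=\"$1\"" |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2,/p' |
    sort -u
}

# missing_rules PROFILE LOGFILE POLICYFILE...
# Keeps candidates whose exact rule line is absent from the policy files.
# Literal comparison only: globs and #include lines are not evaluated.
missing_rules() {
    profile=$1 logfile=$2
    shift 2
    candidate_rules "$profile" "$logfile" | while IFS= read -r rule; do
        # Compare against policy lines with surrounding blanks stripped.
        cat /dev/null "$@" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
            grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# write_sample DIR: constructed audit log and abstraction file for the demo.
write_sample() {
    cat > "$1/audit.log" <<'EOF'
type=AVC msg=audit(1508230000.101:501): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/netconfig" pid=1454 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1508230004.202:502): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/netconfig" pid=1454 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1508230009.303:503): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nscd" name="/etc/example.conf" pid=1454 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1508230010.350:504): apparmor="DENIED" operation="capable" profile="/usr/sbin/nscd" pid=1454 comm="nscd" capability=12 capname="net_admin"
type=AVC msg=audit(1508230011.404:505): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/netconfig" pid=900 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
    printf '  /etc/example.conf r,\n' > "$1/nameservice"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
missing_rules /usr/sbin/nscd "$demo_dir/audit.log" "$demo_dir/nameservice"
rm -rf "$demo_dir"
```

On a real system the log would be /var/log/audit/audit.log and the policy files would be the profile together with the abstractions it includes.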

On Tue, Oct 17, Christian Boltz wrote:
Whom do you mean with "you"? You sent the mail to a mailing list, and the mailing list is clearly not the maintainer:

Defined in package: Base:System/libtirpc
  bugowner of libtirpc-netconfig : tsaupe
  maintainer of libtirpc-netconfig : dirkmueller, elvigia

But to answer your question: every package linked against libtirpc, or loading a shared library or plugin linked against libtirpc, needs to be able to read /etc/netconfig. So, if somebody enables NIS on his system, every application could end up in the situation of needing access to that file.

Thorsten

Hello,

On Tuesday, 17 October 2017, 15:39:23 CEST, Thorsten Kukuk wrote:
I answered _your_ mail, so... ;-)
Yeah, but the RPM changelog looks like you do most of the work in this package. So even if you aren't the official maintainer, I'd say in practice you are ;-)

But thanks for the nitpicking - it's a nice reminder to be more exact and to use osc maintainer before I call someone "maintainer" ;-)

Sounds like it should go into abstractions/nameservice, and rpm -e --test libtirpc3 also confirms this - libtirpc3 is needed by nfs-client, rpcbind, xinetd, pam and some more packages.

Can someone who sees this problem please check if adding
    /etc/netconfig r,
to /etc/apparmor.d/abstractions/nameservice, followed by
    rcapparmor reload
solves the problem?

If it isn't enough, please follow the steps in my previous mail and tell me what else is needed. If in doubt, open a bug report with /var/log/audit/audit.log attached.

Regards,

Christian Boltz

On Tue, Oct 17, Christian Boltz wrote:
Yes, it solves the problem.

Thorsten

Hello,

On Tuesday, 17 October 2017, 23:13:38 CEST, Thorsten Kukuk wrote:
Thanks for the feedback! I just submitted SR 534597

Regards,

Christian Boltz

--
I am supposed to be the info provider, so here is my answer: 42
By the way: What is the question?
[Johannes Meixner in https://bugzilla.novell.com/show_bug.cgi?id=190173]

Thorsten Kukuk wrote:
I thought we have a NIS test in openQA that is meant to prevent this kind of breakage?

cu
Ludwig

--
Ludwig Nussel, http://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

Stephan Kulow wrote:
Ah, there's https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/tests... but looks like it's neither enabled for TW nor does it seem to test the right thing. There's a ticket open for a while. Maybe time to revisit it given the number of people affected.

cu
Ludwig
