[opensuse] using libnss-mysql in nsswitch.conf
I know this is likely a long shot, but never mind - I have a number of systems using libnss-mysql to facilitate users/groups/password being stored in a mysql database. This has worked fine for years, but I am just now setting a new box on Leap15 and now it seems to fail because a connection to the database (over the network) cannot be established at start-up, i.e. before the network is active. That makes perfect sense, but it doesn't seem to be established later on either? The other systems are all NFS-root, so the network _is_ active on boot, preventing this issue, but I don't understand why the database connection isn't being retried later? Comparing the config between system1 (leap15 on NFS-root) and system2 (leap15 on local disk), they are identical.
--
Per Jessen, Zürich (3.2°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Per Jessen wrote:
I know this is likely a long shot, but never mind - I have a number of systems using libnss-mysql to facilitate users/groups/password being stored in a mysql database. This has worked fine for years, but I am just now setting a new box on Leap15 and now it seems to fail because a connection to the database (over the network) cannot be established at start-up, i.e. before the network is active. That makes perfect sense, but it doesn't seem to be established later on either?
with 'getent' I have no problem getting the complete list of users, and with tcpdump I see it connecting to the remote database.
Still:
# id perjessen48
id: ‘perjessen48’: no such user
# su -s /bin/sh perjessen48
su: user perjessen48 does not exist
I have clearly missed something or other, but what?
--
Per Jessen, Zürich (2.1°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
Per Jessen wrote:
Per Jessen wrote:
I know this is likely a long shot, but never mind - I have a number of systems using libnss-mysql to facilitate users/groups/password being stored in a mysql database. This has worked fine for years, but I am just now setting a new box on Leap15 and now it seems to fail because a connection to the database (over the network) cannot be established at start-up, i.e. before the network is active. That makes perfect sense, but it doesn't seem to be established later on either?
with 'getent' I have no problem getting the complete list of users, and with tcpdump I see it connecting to the remote database.
Still:
# id perjessen48
id: ‘perjessen48’: no such user
# su -s /bin/sh perjessen48
su: user perjessen48 does not exist
I have clearly missed something or other, but what?
nscd seems to be getting in the way, very odd:
# systemctl start nscd
# id perjessen48
id: ‘perjessen48’: no such user
# systemctl stop nscd
# id perjessen48
uid=2190(perjessen48) gid=2003(srv000001) groups=2003(srv000001)
So with nscd it doesn't work, without nscd it works fine. ??
--
Per Jessen, Zürich (2.0°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
06.01.2019 15:16, Per Jessen wrote:
nscd seems to be getting in the way, very odd:
# systemctl start nscd
# id perjessen48
id: ‘perjessen48’: no such user
# systemctl stop nscd
# id perjessen48
uid=2190(perjessen48) gid=2003(srv000001) groups=2003(srv000001)
So with nscd it doesn't work, without nscd it works fine. ??
Anything in /var/log/nscd.log? Try increasing debug level. Could be apparmor again.
Andrei Borzenkov wrote:
06.01.2019 15:16, Per Jessen wrote:
nscd seems to be getting in the way, very odd:
# systemctl start nscd
# id perjessen48
id: ‘perjessen48’: no such user
# systemctl stop nscd
# id perjessen48
uid=2190(perjessen48) gid=2003(srv000001) groups=2003(srv000001)
So with nscd it doesn't work, without nscd it works fine. ??
Anything in /var/log/nscd.log? Try increasing debug level. Could be apparmor again.
I'll try the debuglevel - currently there is no /var/log/nscd.log. I also suspect apparmor, but no log there either.
--
Per Jessen, Zürich (2.0°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
Per Jessen wrote:
Andrei Borzenkov wrote:
06.01.2019 15:16, Per Jessen wrote:
nscd seems to be getting in the way, very odd:
# systemctl start nscd
# id perjessen48
id: ‘perjessen48’: no such user
# systemctl stop nscd
# id perjessen48
uid=2190(perjessen48) gid=2003(srv000001) groups=2003(srv000001)
So with nscd it doesn't work, without nscd it works fine. ??
Anything in /var/log/nscd.log? Try increasing debug level. Could be apparmor again.
I'll try the debuglevel - currently there is no /var/log/nscd.log. I also suspect apparmor, but no log there either.
Arrrrgg. Sorry, as expected, it was apparmor - and I was SO sure I'd looked for that too. Thanks for reminding me to look again.
nscd did not have read access to the two nss config files:
/etc/libnss-mysql.cfg
/etc/libnss-mysql-root.cfg
I have (as on the other systems) amended /etc/apparmor.d/local/usr.sbin.nscd.
--
Per Jessen, Zürich (2.1°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
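Added example, not part of the original thread or any participant's code: a shell function that picks the AppArmor DENIED records for one profile out of audit-log lines and prints them as candidate rules for a local override such as /etc/apparmor.d/local/usr.sbin.nscd. The sample records and the profile name /usr/sbin/nscd are constructed for illustration; the real profile name and log location (audit.log or the kernel log) depend on the system.

```shell
#!/bin/sh
# Added example: turn AppArmor DENIED audit records for one profile into
# candidate rules for that profile's local override file.

# Constructed sample records in the AVC audit format (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1546787001.101:311): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/libnss-mysql.cfg" pid=1412 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1546787001.102:312): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/libnss-mysql-root.cfg" pid=1412 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1546787002.200:313): apparmor="DENIED" operation="open" profile="/usr/sbin/nscd" name="/etc/libnss-mysql.cfg" pid=1412 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1546787003.300:314): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nscd" name="/etc/nscd.conf" pid=1412 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1546787004.400:315): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/libnss-mysql.cfg" pid=1500 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# denied_rules PROFILE
# Reads audit records on stdin and prints one rule per distinct
# (path, denied_mask) pair that was DENIED for PROFILE. ALLOWED records
# (complain mode) and records for other profiles are ignored.
denied_rules() {
    awk -v want="$1" '
        # Return the value of key="value" from the current record, or "".
        function field(key,    re, s) {
            re = " " key "=\"[^\"]*\""
            if (!match($0, re)) return ""
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)
            sub(/"$/, "", s)
            return s
        }
        / apparmor="DENIED" / && field("profile") == want {
            path = field("name")
            rule = "  " path " " field("denied_mask") ","
            if (path != "" && !(rule in seen)) {
                seen[rule] = 1
                print rule
            }
        }
    '
}

# Candidate lines for the nscd local override, de-duplicated.
sample_audit_log | denied_rules /usr/sbin/nscd
```

Review each printed rule before appending it to the local override, then reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.nscd` and restart nscd.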
Hello,
On Sunday, 6 January 2019, 16:33:44 CET, Per Jessen wrote:
Per Jessen wrote:
Andrei Borzenkov wrote:
06.01.2019 15:16, Per Jessen wrote:
nscd seems to be getting in the way, very odd:
# systemctl start nscd
# id perjessen48
id: ‘perjessen48’: no such user
# systemctl stop nscd
# id perjessen48
uid=2190(perjessen48) gid=2003(srv000001) groups=2003(srv000001)
So with nscd it doesn't work, without nscd it works fine. ??
Anything in /var/log/nscd.log? Try increasing debug level. Could be apparmor again.
I'll try the debuglevel - currently there is no /var/log/nscd.log. I also suspect apparmor, but no log there either.
Arrrrgg. Sorry, as expected, it was apparmor - and I was SO sure I'd looked for that too. Thanks for reminding me to look again.
nscd did not have read access to the two nss config files:
/etc/libnss-mysql.cfg
/etc/libnss-mysql-root.cfg
These files don't exist on my Tumbleweed system. Do you know from which package they are coming? (If you had to create them yourself, do you use the path recommended in the documentation etc.?) Bonus question: will these files only be used by nscd, or will they be used by "everything"? (In other words, should they be allowed in the nscd profile or in abstractions/nameservice?)
I have (as on the other systems) amended /etc/apparmor.d/local/usr.sbin.nscd.
Better / additionally open a bugreport to get it fixed upstream. (We also accept merge requests at gitlab.com/apparmor/apparmor ;-)
Regards,
Christian Boltz
--
The mission statement is simply 'world domination', but we don't tell anybody. :-) [Juergen Weigert in opensuse-project]
Christian Boltz wrote:
Arrrrgg. Sorry, as expected, it was apparmor - and I was SO sure I'd looked for that too. Thanks for reminding me to look again.
nscd did not have read access to the two nss config files:
/etc/libnss-mysql.cfg
/etc/libnss-mysql-root.cfg
These files don't exist on my Tumbleweed system. Do you know from which package they are coming? (If you had to create them yourself, do you use the path recommended in the documentation etc.?)
Hi Christian,
they're the config files for libnss-mysql, I wrote them. There is no package for libnss-mysql. I almost certainly did not use the path recommended in the documentation :-) - it's been 7-8 years since I wrote them.
Bonus question: will these files only be used by nscd, or will they be used by "everything"? (In other words, should they be allowed in the nscd profile or in abstractions/nameservice?)
I can only guess - judging by the fact that everything worked without nscd, it is only nscd that has a problem when accessing them. 'getent', for instance, works fine with no apparmor additions. I use this setup on numerous systems, only that one addition.
I have (as on the other systems) amended /etc/apparmor.d/local/usr.sbin.nscd.
Better / additionally open a bugreport to get it fixed upstream.
Nah, it was entirely my own fault. I knew I had forgotten something, but I was so sure I had checked for apparmor problems too. I just needed someone to suggest I check again.
--
Per Jessen, Zürich (1.5°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
07.01.2019 9:34, Per Jessen wrote:
Bonus question: will these files only be used by nscd, or will they be used by "everything"? (In other words, should they be allowed in the nscd profile or in abstractions/nameservice?)
I can only guess - judging by the fact that everything worked without nscd, it is only nscd that has a problem when accessing them. 'getent', for instance, works fine with no apparmor additions. I use this setup on numerous systems, only that one addition.
getent is unconfined. Any program that a) has apparmor profile b) needs to access actual user information beyond static list in /etc/passwd will need this. So I would say it logically should be part of libnss-mysql package (if it exists) as global setting.
On 06/01/2019 16.33, Per Jessen wrote:
Per Jessen wrote:
Andrei Borzenkov wrote:
...
Arrrrgg. Sorry, as expected, it was apparmor - and I was SO sure I'd looked for that too. Thanks for reminding me to look again.
nscd did not have read access to the two nss config files:
/etc/libnss-mysql.cfg
/etc/libnss-mysql-root.cfg
I have (as on the other systems) amended /etc/apparmor.d/local/usr.sbin.nscd.
Bugzilla ;-)
--
Cheers / Saludos,
Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)