sudo: PAM account management error: User not known to the underlying authentication module on first try of sudo -i

[flokli]

When logging in via OSLogin, I get an error on the first sudo -i invocation:

sudo: PAM account management error: User not known to the underlying authentication module

[flokli@localhost:~]$ sudo -i

[root@localhost:~]# 

This is google-compute-engine-oslogin-20200507.00 on NixOS.

[flokli]

I've also seen nscd segfault, might be related:

[62471.540889] nscd[900]: segfault at 0 ip 00007fca033a2471 sp 00007fca01082188 error 4 in libc-2.30.so[7fca0326e000+144000]
[62471.540898] Code: 84 00 00 00 00 00 0f 1f 00 31 c0 c5 f8 77 c3 66 2e 0f 1f 84 00 00 00 00 00 89 f9 48 89 fa c5 f9 ef c0 83 e1 3f 83 f9 20 77 1f <c5> fd 74 0f c5 fd d7 c1 85 c0 0f 85 df 00 00 00 48 83 c7 20 83 e1
[62475.162790] nscd[28337]: segfault at 0 ip 00007ff3efc8c471 sp 00007ff3df1f7188 error 4 in libc-2.30.so[7ff3efb58000+144000]
[62475.162797] Code: 84 00 00 00 00 00 0f 1f 00 31 c0 c5 f8 77 c3 66 2e 0f 1f 84 00 00 00 00 00 89 f9 48 89 fa c5 f9 ef c0 83 e1 3f 83 f9 20 77 1f <c5> fd 74 0f c5 fd d7 c1 85 c0 0f 85 df 00 00 00 48 83 c7 20 83 e1

[flokli]

The same crash can also be observed by running nix-build -A nixosTests.google-oslogin from a nixpkgs checkout.

It doesn't crash without oslogin installed, so it seems to be related to the oslogin NSS module.

[onsails]

Steps to reproduce:

gcloud compute images create nixos-repro --source-uri gs://nixos-cloud-images/nixos-image-20.09.3531.3858fbc08e6-x86_64-linux.raw.tar.gz
gcloud compute instances create nixos-repro --zone us-central1-a --image nixos-repro --metadata enable-oslogin=TRUE
gcloud compute instances add-iam-policy-binding nixos-repro --zone us-central1-a --member=user:current@user.com --role=roles/compute.osAdminLogin
gcloud compute os-login ssh-keys add --key-file=$HOME/.ssh/id_ed25519.pub --ttl=30d
export USER=$(gcloud compute os-login describe-profile --format=json | jq '.posixAccounts[0].username' -r)
export IP=$(gcloud compute instances describe nixos-repro --format=json | jq '.networkInterfaces[0].accessConfigs[0].natIP' -r)

ssh $USER@$IP
sudo -i
dmesg

[asymmetric]

@onsails I think the ssh part can be simplified with gcloud compute ssh nixos-repro.

[onsails]

yep

gcloud compute images create nixos-repro --source-uri gs://nixos-cloud-images/nixos-image-20.09.3531.3858fbc08e6-x86_64-linux.raw.tar.gz
gcloud compute instances create nixos-repro --zone us-central1-a --image nixos-repro --metadata enable-oslogin=TRUE
gcloud compute instances add-iam-policy-binding nixos-repro --zone us-central1-a --member=user:current@user.com --role=roles/compute.osAdminLogin
gcloud compute ssh nixos-repro --zone us-central1-a

sudo -i
dmesg

[hopkiw]

We don't support nixOS or support using OS Login with nscd. You can feel free to suggest specific bugfixes, and if they don't impair other users, we'll accept them. We have accepted patches for BSD support in this way in the past. Feel free to use this issue to discuss with other nixOS users, or clone the issue to the NixOS repo.

[glaubitz]

This issue has also been observed on SUSE Linux Enterprise Server.

[flokli]

The segfaults are unrelated, I opened #90.

I wasn't able to reproduce the reported issue with google-guest-oslogin 20220721.00 or 20230202.00.

@glaubitz I'll close this issue, please create a new one with more detail on the SUSE Linux Enterprise Server failure.

[glaubitz]

@glaubitz I'll close this issue, please create a new one with more detail on the SUSE Linux Enterprise Server failure.

There already is one, see: #85.