no "systemd --user" started for NIS user

[whatdoineed2do]

systemd version the issue has been seen with
systemd 245 (v245.4-1.fc32)

Used distribution
Fedora 32

Expected behaviour you didn't see

• NIS user (ypwhich from localhost) login is slow (45sec delay)
• once logged in
  • systemd --user is NOT started
  • XDG_ variables are not set
• systemd-userdbd reports yp_bind_client_create_v3: RPC: Unable to send
• pamd_systemd reports Failed to get user record: Connection timed out
• entries in journalctl

May 05 11:50:19 Unknown-00-0c-29-e0-2b-3f audit[787]: USER_AUTH pid=787 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="ray" exe="/usr/bin/login" hostname=Unknown-00-0c-29-e0-2b-3f addr=? terminal=tty1 res=success'
May 05 11:50:19 Unknown-00-0c-29-e0-2b-3f audit[787]: USER_ACCT pid=787 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="ray" exe="/usr/bin/login" hostname=Unknown-00-0c-29-e0-2b-3f addr=? terminal=tty1 res=success'
May 05 11:50:19 Unknown-00-0c-29-e0-2b-3f audit[787]: CRED_ACQ pid=787 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_unix acct="ray" exe="/usr/bin/login" hostname=Unknown-00-0c-29-e0-2b-3f addr=? terminal=tty1 res=success'
May 05 11:50:19 Unknown-00-0c-29-e0-2b-3f systemd-userdbd[832]: yp_bind_client_create_v3: RPC: Unable to send
May 05 11:51:04 Unknown-00-0c-29-e0-2b-3f login[787]: pam_systemd(login:session): Failed to get user record: Connection timed out
May 05 11:51:04 Unknown-00-0c-29-e0-2b-3f login[787]: pam_unix(login:session): session opened for user ray by LOGIN(uid=0)
May 05 11:51:04 Unknown-00-0c-29-e0-2b-3f audit[787]: USER_START pid=787 uid=0 auid=500 ses=6 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_umask,pam_lastlog acct="ray" exe="/usr/bin/login" hostname=Unknown-00-0c-29-e0-2b-3f addr=? terminal=tty1 res=success'
May 05 11:51:04 Unknown-00-0c-29-e0-2b-3f audit[787]: CRED_REFR pid=787 uid=0 auid=500 ses=6 msg='op=PAM:setcred grantors=pam_unix acct="ray" exe="/usr/bin/login" hostname=Unknown-00-0c-29-e0-2b-3f addr=? terminal=tty1 res=success'
May 05 11:51:04 Unknown-00-0c-29-e0-2b-3f audit[787]: USER_LOGIN pid=787 uid=0 auid=500 ses=6 msg='op=login id=500 exe="/usr/bin/login" hostname=Unknown-00-0c-29-e0-2b-3f addr=? terminal=tty1 res=success'
May 05 11:51:04 Unknown-00-0c-29-e0-2b-3f login[787]: LOGIN ON tty1 BY ray

Starting nscd does not solve problem.
Local user (not in NIS) does not have same problem.

Unexpected behaviour you saw

• systemd --user not started for NIS user
• slow login for NIS user

Steps to reproduce the problem

• create NIS user, serve from localhost
• authselect select nis --force authselect enable-feature with-pamaccess
• /etc/nsswitch.conf

aliases:    files nis
automount:  files nis
ethers:     files nis
group:      files nis systemd
hosts:      files nis dns myhostname
initgroups: files nis
netgroup:   files nis
networks:   files nis
passwd:     files nis systemd
protocols:  files nis
publickey:  files nis
rpc:        files nis
services:   files nis
shadow:     files nis

gshadow:    files

• login on console with NIS user

[whatdoineed2do]

The userdbd appears to be where this is struggling - strace output for userdbctl user ray (where ray is the NIS user - ypbind is up and running. Notice the 13:48:52.557734 epoll_wait()

13:48:52.551590 socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
13:48:52.551819 connect(3, {sa_family=AF_UNIX, sun_path="/run/systemd/userdb/io.systemd.Multiplexer"}, 45) = 0
13:48:52.552054 epoll_create1(EPOLL_CLOEXEC) = 4
13:48:52.552274 timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC|TFD_NONBLOCK) = 5
13:48:52.552484 epoll_ctl(4, EPOLL_CTL_ADD, 5, {EPOLLIN, {u32=2920673360, u64=94831503601744}}) = 0
13:48:52.553107 epoll_ctl(4, EPOLL_CTL_ADD, 3, {0, {u32=2920675504, u64=94831503603888}}) = 0
13:48:52.553411 gettid()                = 1515
13:48:52.553613 getrandom("\x43\xf7\x95\x26\xb5\xff\x0e\x86\xe2\x17\x8d\x7f\x67\xe6\xcd\x77", 16, GRND_NONBLOCK) = 16
13:48:52.553842 epoll_ctl(4, EPOLL_CTL_MOD, 3, {EPOLLIN|EPOLLOUT, {u32=2920675504, u64=94831503603888}}) = 0
13:48:52.554068 openat(AT_FDCWD, "/proc/sys/kernel/random/boot_id", O_RDONLY|O_NOCTTY|O_CLOEXEC) = 6
13:48:52.554520 read(6, "c4fffdc7-350a-4d3b-b441-6f573423"..., 38) = 37
13:48:52.554853 read(6, "", 1)          = 0
13:48:52.555059 close(6)                = 0
13:48:52.555266 timerfd_settime(5, TFD_TIMER_ABSTIME, {it_interval={tv_sec=0, tv_nsec=0}, it_value={tv_sec=6227, tv_nsec=722096000}}, NULL) = 0
13:48:52.555480 epoll_wait(4, [{EPOLLOUT, {u32=2920675504, u64=94831503603888}}], 4, 0) = 1
13:48:52.555689 timerfd_create(CLOCK_BOOTTIME, TFD_CLOEXEC|TFD_NONBLOCK) = 6
13:48:52.555926 close(6)                = 0
13:48:52.556166 sendto(3, "{\"method\":\"io.systemd.UserDataba"..., 118, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 118
13:48:52.556435 epoll_ctl(4, EPOLL_CTL_MOD, 3, {EPOLLIN, {u32=2920675504, u64=94831503603888}}) = 0
13:48:52.556700 epoll_wait(4, [], 4, 0) = 0
13:48:52.556916 mmap(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f10e1fd8000
13:48:52.557145 mremap(0x7f10e1fd8000, 135168, 139264, MREMAP_MAYMOVE) = 0x7f10e1fb6000
13:48:52.557432 recvfrom(3, 0x7f10e1fb6010, 135152, MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
13:48:52.557734 epoll_wait(4, [{EPOLLIN, {u32=2920673360, u64=94831503601744}}], 4, -1) = 1
13:49:37.640118 read(5, "\x01\x00\x00\x00\x00\x00\x00\x00", 8) = 8
13:49:37.640472 recvfrom(3, 0x7f10e1fb6010, 135152, MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
13:49:37.640902 epoll_ctl(4, EPOLL_CTL_MOD, 3, {0, {u32=2920675504, u64=94831503603888}}) = 0
13:49:37.641192 epoll_wait(4, [], 4, 0) = 0
13:49:37.641540 epoll_ctl(4, EPOLL_CTL_DEL, 3, NULL) = 0
13:49:37.641849 close(3)                = 0
13:49:37.642189 munmap(0x7f10e1fb6000, 139264) = 0
13:49:37.642590 close(4)                = 0
13:49:37.642991 close(5)                = 0
13:49:37.643299 writev(2, [{iov_base="\x1b\x5b\x30\x3b\x31\x3b\x33\x31\x6d", iov_len=9}, {iov_base="Failed to find user ray: Connect"..., iov_len=45}, {iov_base="\x1b\x5b\x30\x6d", iov_len=4}, {iov_base="\n", iov_len=1}], 4Failed to find user ray: Connection timed out
) = 59
13:49:37.644087 exit_group(1)           = ?
13:49:37.645216 +++ exited with 1 +++

Services appear to be running:

# userdbctl services
SERVICE                      LISTENING
io.systemd.DynamicUser       yes      
io.systemd.Home              yes      
io.systemd.Multiplexer       yes      
io.systemd.NameServiceSwitch yes  

systemd-userdbd.service is running but reports:

 systemd-userdbd.service - User Database Manager
     Loaded: loaded (/usr/lib/systemd/system/systemd-userdbd.service; static; vendor preset: disabled)
     Active: active (running) since Tue 2020-05-05 12:06:05 BST; 1h 51min ago
TriggeredBy: ● systemd-userdbd.socket
       Docs: man:systemd-userdbd.service(8)
   Main PID: 795 (systemd-userdbd)
     Status: "Processing requests..."
      Tasks: 4 (limit: 4645)
     Memory: 152.3M
        CPU: 1.515s
     CGroup: /system.slice/systemd-userdbd.service
             ├─ 795 /usr/lib/systemd/systemd-userdbd
             ├─1188 systemd-userwork
             ├─1201 systemd-userwork
             └─1202 systemd-userwork

May 05 12:06:05 Unknown-00-0c-29-e0-2b-3f systemd[1]: Starting User Database Manager...
May 05 12:06:05 Unknown-00-0c-29-e0-2b-3f systemd[1]: Started User Database Manager.
May 05 13:40:40 Unknown-00-0c-29-e0-2b-3f systemd-userdbd[1188]: yp_bind_client_create_v3: RPC: Unable to send
May 05 13:43:09 Unknown-00-0c-29-e0-2b-3f systemd-userdbd[1202]: yp_bind_client_create_v3: RPC: Unable to send
May 05 13:44:49 Unknown-00-0c-29-e0-2b-3f systemd-userdbd[1201]: yp_bind_client_create_v3: RPC: Unable to send

[poettering]

NSS passwd database modules that directly contact the network are so 90's. It's a massive security problem loading a network client into every process.

We lock this down in systemd-userdb.service, i.e. use IPAddressDeny=any and prohibit any network traffic from NSS modules.

If you can't fix NIS to behave better and not expect networking to work from every single process on the system, then consider adding a drop-in to systemd-userdbd.service, that unsets IPAddressDeny=any so that the daemon is wide open again. Consider asking your distro packagers to just package a drop-in like that for systemd-userdbd.service as part of the NIS package, they must be shipping one just like that for systemd-logind.service already, since we block that there too.

The security benefit for locking this down is major, and only really old NSS modules need direct network access, hence I am sure the benefit for the many trumps the incompatibility with NIS on this. Hence I don't think we should change anything in systemd here. Sorry if that means extra work and trouble!

[whatdoineed2do]

Thanks, this helped greatly.

For reference to anyone googling this - after unsetting IPAddressDeny= in /lib/systemd/system/systemd-userdbd.service the login delay is resolved but systemd --user would still not start for the NIS account.

However, as per previous recommendations, starting nscd resolved this.

Fedora bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1831141