NIS/YP Login trouble after update yesterday

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

NIS/YP Login trouble after update yesterday

ub22
After the update of Tumbleweed yesterday, today the Login on my PC (with NFS mounted /home and User sharing via NIS/YP from my unchanged Tumbleweed Server), don't work anymore. After check of all Server Services and a login on a not updated client, which was working. I compared all infos and verified the LOGs.

"journalctl -a" delivers:

nscd[1454]: rpc: failed to open /etc/netconfig
...
login[3865]: pam_systemd(login:session): Failed to release session: Interrupted system call

So I removed nscd via "zypper rm nscd" and afterwords installed him again via "zypper in nscd".

A short test on two deviating devices delivers that the login now runs like expected.


Is there any error in the update script or configs?

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: NIS/YP Login trouble after update yesterday

Thorsten Kukuk
On Wed, Oct 11, [hidden email] wrote:

> After the update of Tumbleweed yesterday, today the Login on my PC (with NFS mounted /home and User sharing via NIS/YP from my unchanged Tumbleweed Server), don't work anymore. After check of all Server Services and a login on a not updated client, which was working. I compared all infos and verified the LOGs.
>
> "journalctl -a" delivers:
>
> nscd[1454]: rpc: failed to open /etc/netconfig

Richard Brown had the right idea: it's apparmor, who does not allow
nscd to read that config file.

  Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: NIS/YP Login trouble after update yesterday

Christian Boltz-5
Hello,

Am Dienstag, 17. Oktober 2017, 10:49:40 CEST schrieb Thorsten Kukuk:

> On Wed, Oct 11, [hidden email] wrote:
> > After the update of Tumbleweed yesterday, today the Login on my PC
> > (with NFS mounted /home and User sharing via NIS/YP from my
> > unchanged Tumbleweed Server), don't work anymore. After check of
> > all Server Services and a login on a not updated client, which was
> > working. I compared all infos and verified the LOGs.
> >
> > "journalctl -a" delivers:
> >
> > nscd[1454]: rpc: failed to open /etc/netconfig
>
> Richard Brown had the right idea: it's apparmor, who does not allow
> nscd to read that config file.

That sounds like you should add
    /etc/netconfig r,
to the nscd profile (/etc/apparmor.d/usr.sbin.nscd) and run
    rcapparmor reload
afterwards.

If this isn't enough, switch the profile to complain mode
    aa-complain /etc/apparmor.d/usr.sbin.nscd
That will allow everything and log what would be denied.

Then [1] use
    aa-logprof
to update the profile, send me the needed additions (as patch or SR) and
finally put the profile to enforce mode again:
    aa-enforce /etc/apparmor.d/usr.sbin.nscd

BTW: Since you are the maintainer of libtirpc-netconfig - do you know if
/etc/netconfig will only be needed by nscd, or if it makes more sense to
allow it in abstractions/nameservice?


Regards,

Christian Boltz

[1] You can of course also use aa-logprof while the profile is in enforce
    mode - but that might mean that you find out about one denial after
    the other, instead of everything at once.

--
Looks like if the bios tried to boot the mouse... stupid cat :-))
[jdd in opensuse-testing]

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: NIS/YP Login trouble after update yesterday

Ludwig Nussel
In reply to this post by Thorsten Kukuk
Thorsten Kukuk wrote:

> On Wed, Oct 11, [hidden email] wrote:
>
>> After the update of Tumbleweed yesterday, today the Login on my PC
>> (with NFS mounted /home and User sharing via NIS/YP from my unchanged
>> Tumbleweed Server), don't work anymore. After check of all Server
>> Services and a login on a not updated client, which was working. I
>> compared all infos and verified the LOGs.
>>
>> "journalctl -a" delivers:
>>
>> nscd[1454]: rpc: failed to open /etc/netconfig
>
> Richard Brown had the right idea: it's apparmor, who does not allow
> nscd to read that config file.

I thought we have a NIS test in openQA that is meant to prevent this
kind of breakage?

cu
Ludwig

--
  (o_   Ludwig Nussel
  //\
  V_/_  http://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard,
Graham Norton, HRB 21284 (AG Nürnberg)
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: NIS/YP Login trouble after update yesterday

Stephan Kulow-3
On 10/17/2017 02:57 PM, Ludwig Nussel wrote:

> Thorsten Kukuk wrote:
>> On Wed, Oct 11, [hidden email] wrote:
>>
>>> After the update of Tumbleweed yesterday, today the Login on my PC
>>> (with NFS mounted /home and User sharing via NIS/YP from my unchanged
>>> Tumbleweed Server), don't work anymore. After check of all Server
>>> Services and a login on a not updated client, which was working. I
>>> compared all infos and verified the LOGs.
>>>
>>> "journalctl -a" delivers:
>>>
>>> nscd[1454]: rpc: failed to open /etc/netconfig
>>
>> Richard Brown had the right idea: it's apparmor, who does not allow
>> nscd to read that config file.
>
> I thought we have a NIS test in openQA that is meant to prevent this
> kind of breakage?

What would be the name of that test? I'm not aware of any.

Greetings, Stephan

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: NIS/YP Login trouble after update yesterday

Ludwig Nussel
Stephan Kulow wrote:

> On 10/17/2017 02:57 PM, Ludwig Nussel wrote:
>> Thorsten Kukuk wrote:
>>> On Wed, Oct 11, [hidden email] wrote:
>>>
>>>> After the update of Tumbleweed yesterday, today the Login on my PC
>>>> (with NFS mounted /home and User sharing via NIS/YP from my unchanged
>>>> Tumbleweed Server), don't work anymore. After check of all Server
>>>> Services and a login on a not updated client, which was working. I
>>>> compared all infos and verified the LOGs.
>>>>
>>>> "journalctl -a" delivers:
>>>>
>>>> nscd[1454]: rpc: failed to open /etc/netconfig
>>>
>>> Richard Brown had the right idea: it's apparmor, who does not allow
>>> nscd to read that config file.
>>
>> I thought we have a NIS test in openQA that is meant to prevent this
>> kind of breakage?
>
> What would be the name of that test? I'm not aware of any.

Ah, there's
https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/tests/console/yast2_nis.pm

but looks like it's neither enabled for TW nor does it seem test the
right thing. There's a ticket open since while. Maybe time to
revisit it given the number of people affected.

cu
Ludwig

--
  (o_   Ludwig Nussel
  //\
  V_/_  http://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard,
Graham Norton, HRB 21284 (AG Nürnberg)
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: NIS/YP Login trouble after update yesterday

Thorsten Kukuk
In reply to this post by Christian Boltz-5
On Tue, Oct 17, Christian Boltz wrote:

> BTW: Since you are the maintainer of libtirpc-netconfig - do you know if
> /etc/netconfig will only be needed by nscd, or if it makes more sense to
> allow it in abstractions/nameservice?

Whom do you mean with "you"? You send the mail to a mailing list, and
the mailing list is clearly not the maintainer:

Defined in package: Base:System/libtirpc
  bugowner of libtirpc-netconfig :
   tsaupe

  maintainer of libtirpc-netconfig :
   dirkmueller, elvigia


But to answer your question: every package linked against libtirpc
or loading a shared library or plugin linked against libtirpc needs
to be able to read /etc/netconfig.
So, if somebody enables NIS on his system, every application could
end in the situation to need access to that file.

  Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: NIS/YP Login trouble after update yesterday

Christian Boltz-5
Hello,

Am Dienstag, 17. Oktober 2017, 15:39:23 CEST schrieb Thorsten Kukuk:
> On Tue, Oct 17, Christian Boltz wrote:
> > BTW: Since you are the maintainer of libtirpc-netconfig - do you
> > know if /etc/netconfig will only be needed by nscd, or if it makes
> > more sense to allow it in abstractions/nameservice?
>
> Whom do you mean with "you"? You send the mail to a mailing list, and
> the mailing list is clearly not the maintainer:

I answered _your_ mail, so... ;-)

> Defined in package: Base:System/libtirpc
>   bugowner of libtirpc-netconfig :
>    tsaupe
>
>   maintainer of libtirpc-netconfig :
>    dirkmueller, elvigia

Yeah, but the RPM changelog looks like you do most of the work in this
package. So even if you aren't official maintainer, I'd say in practise
you are ;-)

But thanks for the nitpicking - it's a nice reminder to be more exact
and to use osc maintainer before I call someone "maintainer" ;-)

> But to answer your question: every package linked against libtirpc
> or loading a shared library or plugin linked against libtirpc needs
> to be able to read /etc/netconfig.
> So, if somebody enables NIS on his system, every application could
> end in the situation to need access to that file.

Sounds like it should go into abstractions/nameservice, and
    rpm -e --test libtirpc3
also confirms this - libtirpc3 is needed by nfs-client, rpcbind, xinetd,
pam and some more packages.

Can someone who sees this problem please check if adding
    /etc/netconfig r,
to /etc/apparmor.d/abstractions/nameservice, followed by
    rcapparmor reload
solves the problem?
If it isn't enough, please follow the steps in my previous mail and tell
me what else is needed. If in doubt, open a bugreport with
/var/log/audit/audit.log attached.


Regards,

Christian Boltz
--
> > > Because we had feature freeze in January ;)
> > Which is why there were no new features added to YaST since January.
> Hey, we only did the usual bugfixing ;)
That's a bug, not a feature. :-D
[> Christoph Thiel and houghi in opensuse]

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: NIS/YP Login trouble after update yesterday

Thorsten Kukuk
On Tue, Oct 17, Christian Boltz wrote:

> Can someone who sees this problem please check if adding
>     /etc/netconfig r,
> to /etc/apparmor.d/abstractions/nameservice, followed by
>     rcapparmor reload
> solves the problem?

Yes, it solves the problem.

  Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & CaaSP
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nuernberg)
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: NIS/YP Login trouble after update yesterday

Christian Boltz-5
Hello,

Am Dienstag, 17. Oktober 2017, 23:13:38 CEST schrieb Thorsten Kukuk:

> On Tue, Oct 17, Christian Boltz wrote:
> > Can someone who sees this problem please check if adding
> >
> >     /etc/netconfig r,
> >
> > to /etc/apparmor.d/abstractions/nameservice, followed by
> >
> >     rcapparmor reload
> >
> > solves the problem?
>
> Yes, it solves the problem.

Thanks for the feedback!

I just submitted SR 534597


Regards,

Christian Boltz
--
I am supposed to be the info provider, so here is my answer:
42
By the way:
What is the question?
[Johannes Meixner in https://bugzilla.novell.com/show_bug.cgi?id=190173]

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Aw: Re: [opensuse-factory] NIS/YP Login trouble after update yesterday

ub22
In reply to this post by Thorsten Kukuk

> Gesendet: Dienstag, 17. Oktober 2017 um 23:13 Uhr; Von: "Thorsten Kukuk" ay
>
> On Tue, Oct 17, Christian Boltz wrote:
>
> > Can someone who sees this problem please check if adding
> >     /etc/netconfig r,
> > to /etc/apparmor.d/abstractions/nameservice, followed by
> >     rcapparmor reload
> > solves the problem?
>
> Yes, it solves the problem.

At my PC to.

Ub22
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]