Date:      Tue, 20 Apr 2021 20:40:21 -0600
From:      Ron Wills <ron@digitalcombine.ca>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Debugging nsswitch.conf
Message-ID:  <YH+QldYhFGbR/jiB@digitalcombine.ca>
In-Reply-To: <YH3UjJQGl7DDUF20@digitalcombine.ca>
References:  <YH3UjJQGl7DDUF20@digitalcombine.ca>

On Mon, Apr 19, 2021 at 01:05:48PM -0600, Ron Wills wrote:
> I'm attempting to create something like a BBS with sshd within a jail.
> Because of the flexibility of ssh I want the absolute minimum in the
> jail and I want sshd to authenticate through PostgreSQL.
>
> I have both libnss-pgsql and pam-pgsql installed and added to the jail.
> When I set nsswitch.conf to:
>   groups: files
>   passwd: files
>
> I can see the users from the master.passwd file and can see pam-pgsql
> connect to the database and fail. The failure is because the two aren't
> currently in sync.
>
> When I set nsswitch.conf to:
>   groups: pgsql
>   passwd: pgsql

I ran ktrace on "getent passwd" and discovered the problem. When pgsql
is specified, nss attempts to load the library nss_pgsql.so.1. The
package libnss-pgsql installs the library lib_pgsql.so.2.0.0 and links.
Renaming the libraries fixed the problem.

If I'm not mistaken here I'm seeing two problems.

The most obvious being the library file name in the package.

The other problem is with the nss system. Should it be looking for a
versioned library file? Wouldn't searching for nss_pgsql.so be better
form than nss_pgsql.so.1? And possibly the man page for nsswitch.conf
should include some kind of blurb for loadable modules. I haven't been
able to find any other documentation on the nss system than there.

I'm new to FreeBSD and I'm not quite sure where I should report this.
I'd be happy to help to improve things where I can :)

> I get absolutely nothing. Getent returns nothing. I see nothing logged.
> I don't see any attempts to connect to the database. NSS just silently
> fails. I'm at a loss. I'm sure I'm probably just missing something
> simple... Here's the nss configuration for the jail at the
> moment on FreeBSD 12.2.
>
> /etc/nsswitch.conf
>
> #group: files [notfound=continue] pgsql
> group: pgsql
> group_compat: nis
> hosts: files dns
> networks: files
> #passwd: files [notfound=continue] pgsql
> passwd: pgsql
> passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> /etc/nss-pgsql.conf
>
> # It is advised if you run postgresql on the same server as libnss-pgsql that you have
> # ssl connection turned off in your connection string.
> # You can hang your machine attempting to connect to the postgresql database.
> # sslmode=disable
> #
> # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=279581
> #
> # Without a running nscd, PQconnectdb attempts to setup the SSL
> # environment and searches for $HOME/.postgresql/server.crt (or similar),
> # calling getpwuid to retrieve the home-directory. This obviously causes
> # another entrance into libnss-pgsql which results in a hang while waiting
> # for the (already owned) lock.
> connectionstring = host=/tmp dbname=accounts user=nss password=x connect_timeout=1 sslmode=disable
>
> # you can use anything postgres accepts as table expression
>
> # Must return "usernames", 1 column, list
> getgroupmembersbygid = SELECT username FROM passwd JOIN passwd_groups ug USING (uid) WHERE ug.gid = $1
> # Must return passwd_name, passwd_passwd, passwd_gecos, passwd_dir, passwd_shell, passwd_uid, passwd_gid
> getpwnam = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd WHERE username = $1
> # Must return passwd_name, passwd_passwd, passwd_gecos, passwd_dir, passwd_shell, passwd_uid, passwd_gid
> getpwuid = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd WHERE uid = $1
> # All users
> allusers = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd
> # Must return group_name, group_passwd, group_gid
> # (the member list is built as in allgroups below: the subquery must be wrapped in ARRAY(...) for array_to_string)
> getgrnam = SELECT groupname, passwd, gid, array_to_string(ARRAY(SELECT username FROM passwd_groups JOIN passwd USING (uid) WHERE passwd_groups.gid = groups.gid),chr(10)) AS members FROM groups WHERE groupname = $1
> # Must return group_name, group_passwd, group_gid
> getgrgid = SELECT groupname, passwd, gid, array_to_string(ARRAY(SELECT username FROM passwd_groups JOIN passwd USING (uid) WHERE passwd_groups.gid = groups.gid),chr(10)) AS members FROM groups WHERE gid = $1
> # Must return gid.  %s MUST appear first for username match in where clause
> groups_dyn = SELECT ug.gid FROM passwd JOIN passwd_groups ug USING (uid) WHERE username = $1 AND ug.gid <> $2
>
> # allgroups can use 2 flavours,
> # 1. get the group table and requery getgroupmembersbygid for all group members.
> #    this produces 1 query per group.
> # 2. pass the list of usernames with the query as an aggregate, each username must be split by '\n' or chr(10)
> #    the new version is usually faster
> #allgroups       = SELECT groupname, passwd, gid FROM group_table
> allgroups       = SELECT groupname, passwd, gid, array_to_string(ARRAY(SELECT username FROM passwd_groups JOIN passwd USING (uid) WHERE passwd_groups.gid = groups.gid),chr(10)) AS members FROM groups
>
> /etc/nss-pgsql-root.conf
>
> # example configfile for PostgreSQL NSS module
> # this file must be readable for root only
>
> shadowconnectionstring = host=/tmp dbname=accounts user=nss password=x connect_timeout=1 sslmode=disable
>
> #Query in the following format
> #shadow_name, shadow_passwd, shadow_lstchg, shadow_min, shadow_max, shadow_warn, shadow_inact, shadow_expire, shadow_flag
> shadowbyname = SELECT * FROM shadow WHERE username = $1
> shadow = SELECT * FROM shadow

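The module-name lookup Ron traced with ktrace at the top of his reply can be checked before nsswitch.conf goes live in a jail. The script below is an added example, not part of the original message or of the libnss-pgsql package. It assumes that FreeBSD's libc builds the file name it dlopens as nss_<source>.so.1 (the nss_pgsql.so.1 that ktrace showed) and that the sources files, dns, nis, compat and cache are served by libc itself and never loaded from disk; the library directories to search are passed as arguments, because a jail need not share the host's ldconfig search path. For each loadable source it prints whether the expected file exists and lists near misses such as a differently versioned nss_pgsql.so.2.0.0.

```shell
#!/bin/sh
# nss_check.sh: predict which NSS modules FreeBSD's libc will try to dlopen
# for an nsswitch.conf and report whether each file exists.
#
# Assumptions (not taken from the thread): libc names the module
# nss_<source>.so.<NSS_MODULE_INTERFACE_VERSION> with version 1, and the
# sources files, dns, nis, compat and cache are built into libc.

NSS_IFACE_VERSION=1

is_builtin() {
    case "$1" in
        files|dns|nis|compat|cache) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the unique source names used in an nsswitch.conf, one per line.
# Comments, the "database:" prefix and [criteria] groups are dropped.
list_sources() {
    sed -e 's/#.*//' -e 's/^[^:]*://' -e 's/\[[^]]*\]//g' "$1" \
        | tr ' \t' '\n\n' | sed '/^$/d' | sort -u
}

# Print files named nss_<source>.* in the given directories, space separated,
# so a wrongly versioned library shows up next to the missing name.
near_misses() {
    src="$1"; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/nss_"$src".*; do
            [ -e "$f" ] && printf '%s ' "$f"
        done
    done
}

# check_nss_modules CONF DIR...
# Prints one line per loadable source ("ok" or "MISSING") and returns the
# number of sources whose module file was not found (0 means all present).
check_nss_modules() {
    conf="$1"; shift
    missing=0
    for src in $(list_sources "$conf"); do
        if is_builtin "$src"; then
            continue
        fi
        lib="nss_${src}.so.${NSS_IFACE_VERSION}"
        found=""
        for d in "$@"; do
            if [ -e "$d/$lib" ]; then
                found="$d/$lib"
                break
            fi
        done
        if [ -n "$found" ]; then
            echo "ok       $src -> $found"
        else
            echo "MISSING  $src -> $lib  (near misses: $(near_misses "$src" "$@"))"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: sh nss_check.sh /etc/nsswitch.conf /usr/lib /usr/local/lib
if [ $# -gt 0 ]; then
    check_nss_modules "$@"
fi
```

Pass the directories that `ldconfig -r` reports inside the jail so the prediction matches the real dlopen search path, and confirm the result the way Ron did, with `ktrace -i getent passwd` followed by `kdump | grep nss_`, which shows the exact file name libc opened or failed to open. A non-zero exit status is the count of missing modules, so the script can gate a jail build.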