Bug#1107744: libnss-ldapd,debian-edu-config: flaky autopkgtest for debian-edu-config: newly-created group cannot be resolved

[Mike Gabriel <mike.gabriel@das-netzwerkteam.de>]

Hi Simon,

thanks for sending this bug report.

On  Fr 13 Jun 2025 15:44:14 UTC, Simon McVittie wrote:

> Package: libnss-ldapd,debian-edu-config
> Severity: important
> X-Debbugs-Cc: tytso@mit.edu, debian-ci@lists.debian.org
> User: debian-ci@lists.debian.org
> Usertags: flaky
>
> As previously discussed in the thread starting at
> <https://lists.debian.org/debian-powerpc/2025/06/msg00002.html>,
> the autopkgtest for debian-edu-config does not seem to be entirely
> stable, especially on ppc64el. I'm attempting to summarize the thread in
> this bug report:
>
> This test installs debian-edu metapackages, which in particular include
> libnss-ldapd and polkitd. As far as I can see, there is no LDAP
> configuration and no LDAP server provided: the nss(5) configuration
> allows user and group name resolution via LDAP, but in practice it will
> fail to resolve anything, and hopefully it should gracefully fail over
> to looking up users and groups in the passwd(5) and group(5) flat files.

Normally, if nslcd and libnss-ldapd get installed they are inert until  
and admin adjust /etc/nsswitch.conf and adds ldap ad nss provider.

In Debian Edu, we do this via cf3/cf.ldap-client in debian-edu-config  
after all packages have been installed.

> The symptom of the failure is that sometimes, polkitd.postinst will
> successfully invoke systemd-sysusers to create the polkitd user and
> group in passwd(5) and group(5):
>
> > 173s Configurando polkitd (126-2) ...
> > 173s Creating group 'polkitd' with GID 989.
> > 173s Creating user 'polkitd' (User for polkitd) with UID 989 and GID 989.
>
> but then immediately after that, an operation that involves looking up
> the newly-created polkitd group will fail, instead of falling back to
> group(5) as it should:

Is nscd also installed in the testbed? If so, an nscd -i group might  
work around that issue (for debugging things and hunting down the root  
cause of this).

> > 173s chown: invalid group: ‘root:polkitd’
> > 173s dpkg: erro processando pacote polkitd (--configure):
> > 173s  o subprocesso instalado pacote polkitd script  
> > post-installation retornou estado de saída de erro 1
>
> This is not specific to polkitd. Other postinsts also fail to look up a
> newly-created user:
>
> > 193s Configurando udev (257.6-1) ...
> > 193s Creating group 'input' with GID 993.
> > 193s Creating group 'sgx' with GID 992.
> > 193s Creating group 'kvm' with GID 991.
> > 193s Creating group 'render' with GID 990.
> > 193s /usr/lib/tmpfiles.d/static-nodes-permissions.conf:18: Failed  
> > to resolve group 'kvm': No such process
> > 193s /usr/lib/tmpfiles.d/static-nodes-permissions.conf:19: Failed  
> > to resolve group 'kvm': No such process
> > 193s /usr/lib/tmpfiles.d/static-nodes-permissions.conf:20: Failed  
> > to resolve group 'kvm': No such process
> > 194s systemd-udevd.service is a disabled or a static unit, not starting it.

Hmmm, this is very strange. It would be interesting if this error also  
occurs if libnss-ldapd/nscd were not installed.

> The error message "No such process" indicates ESRCH, but that might be
> an error synthesized internally by systemd utility code to represent
> "the lookup failed" rather than specifically referring to a process not
> being found.
>
> For whatever reason, this seems to fail more often on ppc64el:
> https://ci.debian.net/packages/d/debian-edu-config/testing/ppc64el/61391819/
> https://ci.debian.net/packages/d/debian-edu-config/testing/ppc64el/61390539/
> https://ci.debian.net/packages/d/debian-edu-config/testing/ppc64el/61390462/
> https://ci.debian.net/packages/d/debian-edu-config/testing/ppc64el/61388736/
> https://ci.debian.net/packages/d/debian-edu-config/testing/ppc64el/61387577/
> https://ci.debian.net/packages/d/debian-edu-config/testing/ppc64el/61164352/

hmmm, this is peculiar...

> However, it has failed on amd64 and arm64 on at least one occasion each:
> https://ci.debian.net/packages/d/debian-edu-config/testing/amd64/60137393/
> https://ci.debian.net/packages/d/debian-edu-config/testing/arm64/61120346/
>
> (search for "root:polkitd" to find the error)

ok.

> I think this could point to a bug in either the libnss-ldapd package, or
> the nslcd service that it depends on, or something about how debian-edu
> configures these packages. I think it's unlikely to be a bug in polkitd
> or systemd-sysusers.

I agree that this is unrelated to polkitd or any of those other  
services. I will check how to intercept a shell session in an  
autopkgtest testbedband try to narrow down the cause of the issue.

Mike

--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de