[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

mysterious (futex)-hangs with pgsql authentication

Dear all,

I am trying to set up pgsql-authentication on an etch machine and
even though I have plenty of experience setting up pgsql and ldap
for PAM/nss, this time I am hopeless and close to throwing the
damned machine out the window.

Configuration details are below. As you can see from the following
command, nss seems to work fine for root as well as compat
("/etc/passwd") users, of which 'nobody' is one:

  master:~# getent passwd | wc -l
  master:~# su -c 'getent passwd' nobody | wc -l
  master:~# getent group | wc -l
  master:~# su -c 'getent group' nobody | wc -l

  master:~# ls -l /home
  drwx------ 2 krafft clusteradmins 4096 2007-05-18 12:48 krafft
  master:~# su -c 'ls -l /home' nobody
  drwx------ 2 krafft clusteradmins 4096 2007-05-18 12:48 krafft

krafft and clusteradmins are defined in pgsql and nowhere in
/etc/passwd or /etc/group.

  master:~# getent passwd krafft
  master:~# getent group clusteradmins

It does not work when I su to 'krafft', which is an account defined
in pgsql. Read on.

So far, so good.

Authentication also seems to work, or at least a session is created:

  master:~# su krafft


  master su[11068]: Successful su for krafft by root
  master su[11068]: + pts/3 root:krafft
  master su[11068]: (pam_unix) session opened for user krafft by (uid=0)

However, it does not yield a shell (which is /bin/zsh) and instead
just hangs forever (strace follows further down).

  su -s /bin/ls krafft

works, so I hacked up /bin/testshell, and it turns out that commands
like ls -l /home and getent passwd do *not* work for the
pgsql-defined user krafft, but they work fine for root and nobody.
This squares with the above su -c not working either for those users.

Thus, I decided to run an getent passwd with strace as user 'krafft'
(see attachment). To make a long story short, the command hangs on

  geteuid32()                             = 30000
  open("/etc/passwd", O_RDONLY)           = 4
  fcntl64(4, F_GETFD)                     = 0
  fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
  _llseek(4, 0, [0], SEEK_CUR)            = 0
  fstat64(4, {st_mode=S_IFREG|0644, st_size=1094, ...}) = 0
  mmap2(NULL, 1094, PROT_READ, MAP_SHARED, 4, 0) = 0xb7f23000
  _llseek(4, 1094, [1094], SEEK_SET)      = 0
  fstat64(4, {st_mode=S_IFREG|0644, st_size=1094, ...}) = 0
  munmap(0xb7f23000, 1094)                = 0
  close(4)                                = 0
  futex(0xb7c57904, FUTEX_WAIT, 2, NULL

Does anyone have any clue as to what's going on? And please don't
tell me this is some sort of chicken-egg problem where user 'krafft'
cannot use the postgres database until the account is known to the
system because then I'll scream and file a grave bug against
libnss-pgsql for being utterly useless.

Here are the configuration details, only showing the relevant and
changed lines:

==> /etc/nsswitch.conf <==
# /etc/nsswitch.conf
passwd:         compat pgsql
group:          compat pgsql
shadow:         compat

==> /etc/nss-pgsql.conf <==
host            =
port            = 5432
database        = users
login           = nss
passwd          = foobar

passwdtable     = accounts
grouptable      = groups
groupmembertable = accounts join usergroups on accounts.uid=usergroups.uid join groups on usergroups.gid=groups.gid

passwd_name     = login
passwd_passwd   = passwd
passwd_uid      = uid
passwd_dir      = homedir
passwd_shell    = shell
passwd_gecos    = gecos
passwd_gid      = gid

group_name      = name
group_passwd    = passwd
group_gid       = gid
group_member    = login

==> /etc/pam.d/common-account <==
account sufficient      pam_unix.so
account required        pam_pgsql.so

==> /etc/pam.d/common-auth <==
auth  sufficient  pam_unix.so
auth  required    pam_pgsql.so use_authtok

==> /etc/pam.d/common-password <==
password   sufficient pam_unix.so
password   required   pam_pgsql.so use_authtok

==> /etc/pam.d/common-session <==
session required  pam_unix.so

==> /etc/pam_pgsql.conf <==
host =
port = 5432
user = pam
password = foobar
database = users
table = passwords
user_column = login
pwd_column = passwd
expired_column = expired
newtok_column = newtok
pw_type = crypt_md5

Please do not send copies of list mail to me; I read the list!
 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
"wenn elephanten tanzen leidet das gras."
                                                 -- die vogelpredigt

Attachment: strace.getent.bz2
Description: Binary data

Attachment: signature.asc
Description: Digital signature (GPG/PGP)

Reply to: