Date: Mon, 19 Apr 2021 13:05:48 -0600
From: Ron Wills <ron@digitalcombine.ca>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Debugging nsswitch.conf
Message-ID: <YH3UjJQGl7DDUF20@digitalcombine.ca>
I'm attempting to create something like a BBS with sshd within a jail. Because of the flexibility of ssh I want the absolute minimum in the jail, and I want sshd to authenticate through PostgreSQL. I have both libnss-pgsql and pam-pgsql installed and added to the jail.

When I set nsswitch.conf to:

group: files
passwd: files

I can see the users from the master.passwd file and can see pam-pgsql connect to the database and fail. The failure is because the two aren't currently in sync.

When I set nsswitch.conf to:

group: pgsql
passwd: pgsql

I get absolutely nothing. getent returns nothing. I see nothing logged. I don't see any attempts to connect to the database. NSS just silently fails.

I'm at a loss. I'm sure I'm probably just missing something simple...

Here's the nss configuration for the jail at the moment on FreeBSD 12.2.

/etc/nsswitch.conf

#group: files [notfound=continue] pgsql
group: pgsql
group_compat: nis
hosts: files dns
networks: files
#passwd: files [notfound=continue] pgsql
passwd: pgsql
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

/etc/nss-pgsql.conf

# It is advised if you run postgresql on the same server as libnss-pgsql that you have
# ssl connection turned off in your connection string.
# You can hang your machine attempting to connect to the postgresql database.
# sslmode=disable
#
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=279581
#
# Without a running nscd, PQconnectdb attempts to setup the SSL
# environment and searches for $HOME/.postgresql/server.crt (or similar),
# calling getpwuid to retrieve the home-directory. This obviously causes
# another entrance into libnss-pgsql which results in a hang while waiting
# for the (already owned) lock.
connectionstring = host=/tmp dbname=accounts user=nss password=x connect_timeout=1 sslmode=disable

# you can use anything postgres accepts as table expression

# Must return "usernames", 1 column, list
getgroupmembersbygid = SELECT username FROM passwd JOIN passwd_groups ug USING (uid) WHERE ug.gid = $1

# Must return passwd_name, passwd_passwd, passwd_gecos, passwd_dir, passwd_shell, passwd_uid, passwd_gid
getpwnam = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd WHERE username = $1

# Must return passwd_name, passwd_passwd, passwd_gecos, passwd_dir, passwd_shell, passwd_uid, passwd_gid
getpwuid = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd WHERE uid = $1

# All users
allusers = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd

# Must return group_name, group_passwd, group_gid
# (the member sub-select is wrapped in ARRAY(...) so the parentheses balance, as in allgroups below)
getgrnam = SELECT groupname, passwd, gid, array_to_string(ARRAY(SELECT username FROM passwd_groups WHERE passwd_groups.gid = groups.gid),chr(10)) as members FROM groups WHERE groupname = $1

# Must return group_name, group_passwd, group_gid
getgrgid = SELECT groupname, passwd, gid, array_to_string(ARRAY(SELECT username from passwd_groups WHERE passwd_groups.gid = groups.gid),chr(10)) as members FROM groups WHERE gid = $1

# Must return gid. %s MUST appear first for username match in where clause
groups_dyn = SELECT ug.gid FROM passwd JOIN passwd_groups ug USING (uid) where username = $1 and ug.gid <> $2

# allgroups can use 2 flavours,
# 1. get the group table and requery getgroupmembersbygid for all group members.
#    this produces 1 query per group.
# 2. pass the list of usernames with the query as an aggregate, each username must be split by '\n' or chr(10)
#    the new version is usually faster
#allgroups = SELECT groupname, passwd, gid FROM group_table
allgroups = SELECT groupname, passwd, gid, array_to_string(ARRAY(SELECT username FROM passwd_groups JOIN passwd USING (uid) WHERE passwd_groups.gid = groups.gid),chr(10)) AS members FROM groups

/etc/nss-pgsql-root.conf

# example configfile for PostgreSQL NSS module
# this file must be readable for root only
shadowconnectionstring = host=/tmp dbname=accounts user=nss password=x connect_timeout=1 sslmode=disable

#Query in the following format
#shadow_name, shadow_passwd, shadow_lstchg, shadow_min, shadow_max, shadow_warn, shadow_inact, shadow_expire, shadow_flag
shadowbyname = SELECT * FROM shadow WHERE username = $1
shadow = SELECT * FROM shadow
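An added diagnostic for the silent-failure symptom described in the message above. This script is not part of the original post and not part of libnss-pgsql; it checks the one thing that makes FreeBSD's NSS look exactly like this. It assumes that libc's nsdispatch(3) handles the sources files, dns, nis and compat itself and dlopen()s nss_<source>.so.1 for anything else, that a failed dlopen skips the source without logging, and that inside a jail the dlopen resolves against the jail's own filesystem. The library directory /usr/local/lib and the module name nss_pgsql.so.1 are assumptions for the libnss-pgsql port; adjust them to what the port actually installed.

```shell
#!/bin/sh
# nss_check.sh: report which NSS sources an nsswitch.conf uses and whether the
# loadable module for each non-builtin source exists under a jail root.
# Added example, not from the post or libnss-pgsql. Assumptions (not from the
# post): FreeBSD libc loads nss_<source>.so.1 via dlopen() and silently skips
# the source on failure; builtin sources are files, dns, nis, compat; the
# module directory is /usr/local/lib.

# nss_sources CONF
# Print one "database source" pair per line. Comments, the *_compat lines and
# [status=action] criteria (which may span several tokens) are dropped.
nss_sources() {
    sed -e 's/#.*//' "$1" | awk -F: '
        NF >= 2 {
            db = $1; gsub(/[ \t]/, "", db)
            if (db == "" || db ~ /_compat$/) next
            n = split($2, w, /[ \t]+/)
            incrit = 0
            for (i = 1; i <= n; i++) {
                if (w[i] == "") continue
                if (incrit) { if (w[i] ~ /\]$/) incrit = 0; continue }
                if (w[i] ~ /^\[/) { if (w[i] !~ /\]$/) incrit = 1; continue }
                print db, w[i]
            }
        }'
}

# nss_report CONF ROOT [LIBDIR]
# For every source, print "builtin", "ok" or "MISSING" depending on whether
# libc provides it or ROOT/LIBDIR/nss_<source>.so.1 exists in the jail.
nss_report() {
    conf=$1
    root=$2
    libdir=${3:-/usr/local/lib}
    nss_sources "$conf" | while read -r db src; do
        case $src in
            files|dns|nis|compat)
                echo "builtin $db -> $src" ;;
            *)
                mod="$root$libdir/nss_$src.so.1"
                if [ -f "$mod" ]; then
                    echo "ok      $db -> $src ($mod)"
                else
                    echo "MISSING $db -> $src ($mod)"
                fi ;;
        esac
    done
}

# nss_missing CONF ROOT [LIBDIR]
# Print how many database/source pairs have no module in the jail; 0 means
# every configured source can at least be found by dlopen().
nss_missing() {
    nss_report "$@" | grep -c '^MISSING' || true
}

# Usage: ./nss_check.sh /jails/bbs/etc/nsswitch.conf /jails/bbs [/usr/local/lib]
if [ "$#" -ge 2 ]; then
    nss_report "$1" "$2" "$3"
fi
```

A MISSING line for passwd or group is consistent with getent printing nothing and no connection ever reaching PostgreSQL, because libc never gets as far as calling the module. If the module is present, the next thing to check from inside the jail is `ldd /usr/local/lib/nss_pgsql.so.1`, since a missing libpq or OpenSSL dependency makes dlopen fail in the same silent way.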
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YH3UjJQGl7DDUF20>