Hi Simon,

On Fri 13 Jun 2025 18:41:56 CEST, Simon McVittie wrote:

On Fri, 13 Jun 2025 at 16:26:20 +0000, Mike Gabriel wrote:
On Fri 13 Jun 2025 15:44:14 UTC, Simon McVittie wrote:
This test installs debian-edu metapackages, which in particular include
libnss-ldapd and polkitd

Normally, if nslcd and libnss-ldapd get installed they are inert until an admin adjusts /etc/nsswitch.conf and adds ldap as NSS provider.

OK, so it doesn't automatically add itself to the configuration like e.g. libnss-systemd or libnss-mdns do?

Ah, ooh... maybe it does since trixie. It hasn't been doing this until bookworm (at least not when installing libnss-ldapd manually).

Checked this a little more thoroughly. When manually installing libnss-ldapd, it offers nsswitch.conf updating via debconf, no service is pre-selected, so nothing in nsswitch.conf gets changed. Matches with my observation from previous Debian releases.

However, in debian-edu-install src:pkg, we preseed this parameter (see preseed-values/defaults.networked in debian-edu-install):

```
# Settings for libnss-ldapd
libnss-ldapd libnss-ldapd/nsswitch multiselect group, netgroup, networks, passwd, shadow
```

That does make sense - libnss-ldapd is presumably not going to be useful
until the sysadmin has had an opportunity to configure an LDAP server.
If true, that would seem to point to libnss-ldapd not being the problem,
because I think the failure to install polkitd is happening long before any debian-edu-specific setup gets a chance to run.

So, in Debian Edu, it is assumed that LDAP is always available when installing networked clients. The "networked" profile applies to machines that get installed on-site where and when the LDAP-server (TJENER) is already running.

However, I wonder if we should change this. We have the preseed values _and_ we have the cfengine3 postinstall configuration of nsswitch.conf. IMHO, we should stop applying the preseedings during installation (fixing the here-discussed problem) and apply those same preseeding values via cfengine3 post-install.

Is nscd also installed in the testbed?

From the log, looks like yes, but only because debian-edu-config installed it. If nscd is automatically used when installed, then that's another possible root cause - I know it has had a chequered history and lots of old bugs remain open.

Normally, nscd and nslcd are not needed on the same host. In fact, nscd masks/delays changes applied to LDAP being available on the client. So, in our customer deployments, we actually remove nscd (or disable it for most services, need to recheck this, irrelevant here).

I don't have interactive access to the testbed. I only reported this because Ted ran into this as a blocker for an e2fsprogs upload, initially suspected a polkitd bug and asked the polkitd uploaders for help; I'm afraid I don't have any more access, knowledge, or ability to reproduce the issue than you do.

Hmmm, this is very strange. It would be interesting if this error also occurs if libnss-ldapd/nscd were not installed.

You could try uploading a version of debian-edu-config without those packages to experimental, or testing it locally?

Unfortunately the error is intermittent, so it'll be hard to know whether you've successfully worked around it or whether you were just lucky.

Ouch. I think I will go for the removal of the libnss-ldapd/nsswitch preseeding in debian-edu-install. This should resolve this issue sustainably.

I will check how to intercept a shell session in an autopkgtest testbed

You might find `autopkgtest --shell-fail` useful.

Thanks, will try...

Mike


--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
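
Added example, not part of the original message or of Debian Edu's code: a small check that reads the libnss-ldapd/nsswitch preseed line quoted in the thread and reports, for each preseeded database, whether a given nsswitch.conf actually lists ldap as a source. The nsswitch.conf content and all function names are constructed for illustration.

```python
import re

# The preseed line quoted in the thread (debconf format: owner question type value).
PRESEED = "libnss-ldapd libnss-ldapd/nsswitch multiselect group, netgroup, networks, passwd, shadow"

# Constructed sample nsswitch.conf; on a real testbed, read /etc/nsswitch.conf instead.
NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         files systemd ldap
group:          files systemd ldap
shadow:         files ldap
hosts:          files dns
networks:       files
netgroup:       nis [NOTFOUND=return] ldap
"""


def preseeded_databases(line, question="libnss-ldapd/nsswitch"):
    """Return the databases selected by a debconf multiselect preseed line."""
    parts = line.split(None, 3)  # owner, question, type, value
    if len(parts) < 3 or parts[1] != question or parts[2] != "multiselect":
        raise ValueError("not a %s multiselect line" % question)
    value = parts[3] if len(parts) == 4 else ""
    return [db.strip() for db in value.split(",") if db.strip()]


def parse_nsswitch(text):
    """Map each database to its ordered list of sources, dropping [action] items."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        result[db.strip()] = rest.split()
    return result


def ldap_status(preseed_line, nsswitch_text, source="ldap"):
    """For every preseeded database, say whether nsswitch.conf lists the source."""
    conf = parse_nsswitch(nsswitch_text)
    return {db: source in conf.get(db, []) for db in preseeded_databases(preseed_line)}


if __name__ == "__main__":
    for db, active in sorted(ldap_status(PRESEED, NSSWITCH).items()):
        print("%-10s %s" % (db, "ldap active" if active else "ldap not listed"))
```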
