Package: libnss-pgsql2
Version: 1.4.0debian-2
Severity: normal

I'm trying to set up libnss-pgsql2 as per the example configuration, but the library hangs while waiting for a mutex after the authentication is done. I've added one user, "foo", and the following happens when trying to su to that user:

=== 8< ===
b...@rabarber% su - foo ~
LOG: duration: 15.001 ms
LOG: duration: 3.566 ms
LOG: execute <unnamed>: SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE username = $1
DETAIL: parameters: $1 = 'foo'
LOG: duration: 1.997 ms
Password:
LOG: duration: 14.956 ms
LOG: duration: 3.639 ms
LOG: execute <unnamed>: SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE username = $1
DETAIL: parameters: $1 = 'foo'
LOG: duration: 1.304 ms
LOG: duration: 17.226 ms
LOG: duration: 5.118 ms
LOG: execute <unnamed>: SELECT * FROM shadow_table WHERE username = $1
DETAIL: parameters: $1 = 'foo'
LOG: duration: 1.339 ms
LOG: duration: 20.307 ms
LOG: duration: 3.581 ms
LOG: execute <unnamed>: SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE username = $1
DETAIL: parameters: $1 = 'foo'
LOG: duration: 1.212 ms
LOG: duration: 13.044 ms
LOG: duration: 5.120 ms
LOG: execute <unnamed>: SELECT * FROM shadow_table WHERE username = $1
DETAIL: parameters: $1 = 'foo'
LOG: duration: 1.355 ms
LOG: duration: 15.603 ms
LOG: duration: 6.739 ms
LOG: execute <unnamed>: SELECT usergroups.gid FROM passwd_table JOIN usergroups USING (uid) where username = $1 and usergroups.gid <> $2
DETAIL: parameters: $1 = 'foo', $2 = '2001'
LOG: duration: 1.399 ms
=== >8 ===

I've configured PostgreSQL to display all queries, hence the debug output. After this output, the process hangs. This is after the authentication is complete, which can be seen here:

=== 8< ===
r...@rabarber# ps ax|grep su
584 ? S< 0:00 [ksuspend_usbd]
1343 pts/14 S+ 0:00 su - foo
1350 pts/14 S+ 0:00 -su
r...@rabarber# ls -l /proc/1350/exe
lrwxrwxrwx 1 foo foo 0 2009-11-17 16:10 /proc/1350/exe -> /bin/bash
=== >8 ===

The hanging process is already the shell of the new user. Making a backtrace of this process yields the following information:

=== 8< ===
r...@rabarber# gdb -p 1350 ~
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
Attaching to process 1350
Reading symbols from /bin/bash...(no debugging symbols found)...done.
[--- snip reading debugging symbols ---]
0xb7fc0424 in __kernel_vsyscall ()
(gdb) bt full
#0 0xb7fc0424 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb7c9fc99 in __lll_lock_wait () from /lib/i686/cmov/libpthread.so.0
No symbol table info available.
#2 0xb7c9b0c4 in _L_lock_89 () from /lib/i686/cmov/libpthread.so.0
No symbol table info available.
#3 0xb7c9a9f2 in pthread_mutex_lock () from /lib/i686/cmov/libpthread.so.0
No symbol table info available.
#4 0xb7f149c6 in pthread_mutex_lock () from /lib/i686/cmov/libc.so.6
No symbol table info available.
#5 0xb7cad540 in _nss_pgsql_getpwuid_r (uid=2003, result=0xbfbc4160, buffer=0xbfbc2160 "ntp", buflen=8192, errnop=0xb7e2568c) at interface.c:103
        retval = NSS_STATUS_TRYAGAIN
        localerrno = <value optimized out>
#6 0xb7ec0ed2 in getpwuid_r () from /lib/i686/cmov/libc.so.6
No symbol table info available.
#7 0xb7c8ed3e in ?? () from /usr/lib/libpq.so.5
No symbol table info available.
#8 0x000007d3 in ?? ()
No symbol table info available.
[--- snip further backtrace ---]
(gdb)
=== >8 ===

Now, stuff like "getent passwd", "getent shadow" (as root) and "id foo" works fine, however, it would be nice to be able to actually log in with new users ;-)

This might somehow be related to bug #488979, but in what way, I'm not sure.

My configuration files are attached (these are mostly the same as in the examples). Note that in nss-pgsql.conf, I don't have a password in the connectionstring, since that user connects using "trust".

Any information wrt how to solve this would be very much appreciated!

Cheers,
Bram Senders

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-pgsql2 depends on:
ii  libc6         2.7-18          GNU C Library: Shared libraries
ii  libpq5        8.3.8-0lenny1   PostgreSQL C client library

libnss-pgsql2 recommends no packages.

Versions of packages libnss-pgsql2 suggests:
ii  libpam-pgsql  0.6.3-2         PAM module to authenticate using a
pn  nscd          <none>          (no description available)

-- no debconf information

connectionstring = hostaddr=127.0.0.1 dbname=system user=anonauth connect_timeout=1

# you can use anything postgres accepts as table expression

# Must return "usernames", 1 column, list
getgroupmembersbygid = SELECT username FROM passwd_table WHERE gid = $1
# Must return passwd_name, passwd_passwd, passwd_gecos, passwd_dir, passwd_shell, passwd_uid, passwd_gid
getpwnam = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE username = $1
# Must return passwd_name, passwd_passwd, passwd_gecos, passwd_dir, passwd_shell, passwd_uid, passwd_gid
getpwuid = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table WHERE uid = $1
# All users
allusers = SELECT username, passwd, gecos, homedir, shell, uid, gid FROM passwd_table
# Must return group_name, group_passwd, group_gid
getgrnam = SELECT groupname, passwd, gid, ARRAY(SELECT passwd_table.username FROM passwd_table, usergroups WHERE passwd_table.uid = usergroups.uid AND usergroups.gid = group_table.gid) AS members FROM group_table WHERE groupname = $1
# Must return group_name, group_passwd, group_gid
getgrgid = SELECT groupname, passwd, gid, ARRAY(SELECT passwd_table.username FROM passwd_table, usergroups WHERE passwd_table.uid = usergroups.uid AND usergroups.gid = group_table.gid) AS members FROM group_table WHERE gid = $1
# Must return gid. %s MUST appear first for username match in where clause
groups_dyn = SELECT usergroups.gid FROM passwd_table JOIN usergroups USING (uid) where username = $1 and usergroups.gid <> $2
allgroups = SELECT groupname, passwd, gid, ARRAY(SELECT passwd_table.username FROM passwd_table, usergroups WHERE passwd_table.uid = usergroups.uid AND usergroups.gid = group_table.gid) AS members FROM group_table

# example configfile for PostgreSQL NSS module
# this file must be readable for root only

shadowconnectionstring = hostaddr=127.0.0.1 dbname=system user=shadowauth password=WACHTWOORD connect_timeout=1

#Query in the following format
#shadow_name, shadow_passwd, shadow_lstchg, shadow_min, shadow_max, shadow_warn, shadow_inact, shadow_expire, shadow_flag
shadowbyname = SELECT * FROM shadow_table WHERE username = $1
shadow = SELECT * FROM shadow_table

-- Default table setup for nss-pgsql

CREATE SEQUENCE group_id MINVALUE 2000 MAXVALUE 2147483647 NO CYCLE;
CREATE SEQUENCE user_id MINVALUE 2000 MAXVALUE 2147483647 NO CYCLE;

CREATE TABLE "group_table" (
    "gid" int4 NOT NULL DEFAULT nextval('group_id'),
    "groupname" character varying(16) NOT NULL,
    "descr" character varying,
    "passwd" character varying(20),
    PRIMARY KEY ("gid")
);

CREATE TABLE "passwd_table" (
    "username" character varying(64) NOT NULL,
    "passwd" character varying(128) NOT NULL,
    "uid" int4 NOT NULL DEFAULT nextval('user_id'),
    "gid" int4 NOT NULL,
    "gecos" character varying(128),
    "homedir" character varying(256) NOT NULL,
    "shell" character varying DEFAULT '/bin/bash' NOT NULL,
    PRIMARY KEY ("uid")
);

CREATE TABLE "usergroups" (
    "gid" int4 NOT NULL,
    "uid" int4 NOT NULL,
    PRIMARY KEY ("gid", "uid"),
    CONSTRAINT "ug_gid_fkey" FOREIGN KEY ("gid") REFERENCES "group_table"("gid"),
    CONSTRAINT "ug_uid_fkey" FOREIGN KEY ("uid") REFERENCES "passwd_table"("uid")
);

CREATE TABLE "shadow_table" (
    "username" character varying(64) NOT NULL,
    "passwd" character varying(128) NOT NULL,
    "lastchange" int4 NOT NULL,
    "min" int4 NOT NULL,
    "max" int4 NOT NULL,
    "warn" int4 NOT NULL,
    "inact" int4 NOT NULL,
    "expire" int4 NOT NULL,
    "flag" int4 NOT NULL,
    PRIMARY KEY ("username")
);
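
The backtrace in the report shows libpq (frame #7) calling getpwuid_r, which re-enters _nss_pgsql_getpwuid_r and blocks in pthread_mutex_lock. The C program below is an added illustration, not part of the original report and not libnss-pgsql or libpq code: it models that call pattern and shows an error-checking mutex reporting the nested lock attempt as EDEADLK instead of hanging. It assumes the snipped outer frames are a lookup in the same thread that already holds the lock; all function names are hypothetical.

```c
#define _XOPEN_SOURCE 700   /* exposes PTHREAD_MUTEX_ERRORCHECK */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

/* Hypothetical stand-ins modelling the frames in the backtrace. */
enum status { ST_SUCCESS, ST_UNAVAIL };
static pthread_mutex_t lock;
static int refused;             /* set when a nested lookup was turned away */

static enum status module_getpwuid(unsigned uid, int depth);

/* Models the client library: while connecting it looks up the current
 * user, which the C library routes back into the same lookup module. */
static enum status client_connect(unsigned uid, int depth)
{
    if (depth == 0)
        (void)module_getpwuid(uid, depth + 1);   /* nested lookup */
    return ST_SUCCESS;
}

/* Models the module entry point (frame #5): take the lock, then query. */
static enum status module_getpwuid(unsigned uid, int depth)
{
    int rc = pthread_mutex_lock(&lock);
    if (rc == EDEADLK) {        /* this thread already owns the lock */
        refused = 1;
        return ST_UNAVAIL;      /* caller can fall back to another source */
    }
    if (rc != 0)
        return ST_UNAVAIL;
    enum status st = client_connect(uid, depth);
    pthread_mutex_unlock(&lock);
    return st;
}

/* Returns 1 if the nested call was refused and the outer call completed. */
int run_lookup(void)
{
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    /* With PTHREAD_MUTEX_NORMAL the nested lock would block forever. */
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
    pthread_mutex_init(&lock, &attr);
    pthread_mutexattr_destroy(&attr);
    refused = 0;
    enum status st = module_getpwuid(2003, 0);   /* uid taken from frame #5 */
    pthread_mutex_destroy(&lock);
    return st == ST_SUCCESS && refused;
}

int main(void) { printf("nested call refused: %d\n", run_lookup()); return 0; }
```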