[Bug 3528] New: ls hangs when using ldap groups

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Jan 28 00:17:54 AEDT 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3528

            Bug ID: 3528
           Summary: ls hangs when using ldap groups
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sftp-server
          Assignee: unassigned-bugs at mindrot.org
          Reporter: kasper_steengaard at hotmail.com

On Ubuntu 20.04.4 LTS
Configured the sftp server with ChrootDirectory like so:

/etc/ssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp -l DEBUG
GSSAPIAuthentication yes

Match Group MyGroup
  ChrootDirectory /mychroot
  ForceCommand internal-sftp
  X11Forwarding no
  AllowTcpForwarding no


My /etc/nsswitch contains 
group:   files systemd sss ldap

Users accessing the sftp are authenticated against an AD, but the access
groups come from another LDAP server.


When I log in to the sftp server and execute an ls command, it takes way
too long.

I did a strace on the sftp process, in which I can see that it tries to
access the following files.

openat(AT_FDCWD, "/run/systemd/userdb/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
stat("/etc/ldap.conf", 0x7ffea7282230)  = -1 ENOENT (No such file or directory)
stat("/etc/resolv.conf", 0x7ffea7282770) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/lib/sss/mc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)


I figured out that if an empty ldap.conf is placed in /mychroot/etc/,
the ls command responds fast, and the access control (based on the LDAP
groups) still works (I made sure to run sss_cache -E to clear the
cache between tests).

The ldap server is defined in /etc/ldap.conf with an FQDN that is
resolved by the DNS server.

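The strace above shows the name-service lookups that an internal-sftp session performs from inside the chroot, where /etc is empty. The following is an added audit helper (not OpenSSH code and not from the reporter) that checks a ChrootDirectory for the two things an administrator wants to know here: whether the directory meets the ownership and mode rules sshd enforces for ChrootDirectory (root-owned, not group- or world-writable), and which of the files probed in the strace are absent under the chroot. The list of probe paths is taken from the strace in the report; the function names, and the assumption of Linux with GNU coreutils and findutils (as on the reporter's Ubuntu host), are the example's own.

```shell
#!/bin/sh
# Added audit helper (not part of OpenSSH or the bug report): check an sftp
# ChrootDirectory for the conditions behind the slow "ls" described above.
# Assumes Linux with GNU coreutils (stat -c) and GNU findutils (-perm /mode).

# Files the strace in the report shows being probed inside the chroot by
# glibc NSS, sssd and the LDAP client, relative to the chroot root.
# The reporter found that an empty etc/ldap.conf alone removes the delay.
NSS_PROBE_PATHS="etc/ldap.conf etc/resolv.conf etc/hosts etc/passwd etc/group etc/localtime"

# chroot_missing_nss_files DIR: print each probe path absent under DIR, one per line.
chroot_missing_nss_files() {
    for rel in $NSS_PROBE_PATHS; do
        [ -e "$1/$rel" ] || printf '%s\n' "$rel"
    done
}

# chroot_perms_ok DIR: return 0 when DIR satisfies the rules sshd enforces for
# ChrootDirectory (root-owned, not group- or world-writable), 1 otherwise.
chroot_perms_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = 0 ] || return 1
    # GNU find: -perm /022 matches when the group or other write bit is set
    [ -z "$(find "$1" -maxdepth 0 -perm /022)" ]
}

# chroot_audit DIR: human-readable report; exit status 0 only if nothing is flagged.
chroot_audit() {
    dir=$1
    rc=0
    if chroot_perms_ok "$dir"; then
        echo "ok: $dir is root-owned and not group/world-writable"
    else
        echo "FAIL: $dir must be root-owned and not group/world-writable (sshd rejects the chroot otherwise)"
        rc=1
    fi
    missing=$(chroot_missing_nss_files "$dir")
    if [ -n "$missing" ]; then
        echo "missing under $dir (probed by name-service lookups in the strace):"
        printf '  %s\n' $missing
        rc=1
    else
        echo "ok: all NSS probe files present under $dir"
    fi
    return $rc
}

# Usage: sh chroot_audit.sh /mychroot
if [ "$#" -gt 0 ]; then
    chroot_audit "$1"
fi
```

Only the first check is a hard requirement; the missing-file list is a to-do list to decide per site, and what goes into the chroot should be the minimum that makes the lookups return promptly (the reporter's empty etc/ldap.conf) rather than a copy of the host's real /etc/ldap.conf, since anything placed under the chroot is readable by the sftp users confined there.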