[Bug 3528] New: ls hangs when using ldap groups
bugzilla-daemon at mindrot.org
Sat Jan 28 00:17:54 AEDT 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3528
Bug ID: 3528
Summary: ls hangs when using ldap groups
Product: Portable OpenSSH
Version: 8.2p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sftp-server
Assignee: unassigned-bugs at mindrot.org
Reporter: kasper_steengaard at hotmail.com
On Ubuntu 20.04.4 LTS
Configured the sftp server with chrootDirectory like so:
/etc/ssh/sshd_config
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp internal-sftp -l DEBUG
GSSAPIAuthentication yes
Match Group MyGroup
ChrootDirectory /mychroot
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
My /etc/nsswitch contains
group: files systemd sss ldap
Users accessing the sftp are authenticated against an AD, but the access
groups come from another LDAP server.
When I log in to the sftp server and execute an ls command, it takes way
too long.
I did a strace on the sftp process, in which I can see it tries to
access the following files.
openat(AT_FDCWD, "/run/systemd/userdb/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
stat("/etc/ldap.conf", 0x7ffea7282230) = -1 ENOENT (No such file or directory)
stat("/etc/resolv.conf", 0x7ffea7282770) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/lib/sss/mc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
I figured out that if an empty ldap.conf is placed in /mychroot/etc/,
the ls command responds fast, and the access control (based on the LDAP
groups) is still working (I made sure to do a sss_cache -E to clear the
cache between tests).
The ldap server is defined in /etc/ldap.conf with a fqdn that is
resolved by the DNS server.
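The strace above shows the chrooted sftp-server looking for name-service files under the chroot's own /etc and not finding them, and the report's workaround is an empty etc/ldap.conf inside the chroot. The following script is an added example, not code from the bug report or from OpenSSH: it audits a ChrootDirectory for those files and applies the empty-ldap.conf workaround without copying the host's /etc/ldap.conf (which may contain a bind DN and password that chrooted users must never be able to read). The file list and the use of GNU coreutils `stat` are assumptions.

```shell
#!/bin/sh
# Added example (not part of the bug report): audit an sshd ChrootDirectory
# for the name-service files that NSS modules open after sftp-server chroots.
# Assumptions: GNU coreutils `stat`; the file list matches an nsswitch.conf
# that uses the files, dns, ldap and sss modules.

# Paths, relative to the chroot root, that the strace in the report shows
# failing with ENOENT once the process has chrooted.
NSS_FILES="etc/passwd etc/group etc/hosts etc/resolv.conf etc/localtime etc/ldap.conf"

# Print, one per line, each expected file that is absent under the chroot $1.
missing_nss_files() {
    root="$1"
    for f in $NSS_FILES; do
        [ -e "$root/$f" ] || echo "$root/$f"
    done
}

# Echo the number of missing files (0 means every listed file is present).
count_missing_nss_files() {
    missing_nss_files "$1" | wc -l | tr -d ' '
}

# sshd requires the ChrootDirectory to be owned by root and not writable by
# group or others; return 0 when the directory itself satisfies that.
chroot_perms_ok() {
    owner=$(stat -c '%U' "$1") || return 1
    perm=$(stat -c '%a' "$1") || return 1
    [ "$owner" = "root" ] || return 1
    # Reject a group write bit (second-to-last octal digit) or an other
    # write bit (last octal digit), e.g. 775, 757, 777.
    case "$perm" in
        *[2367][0-7]|*[2367]) return 1 ;;
    esac
    return 0
}

# The workaround from the report: an empty etc/ldap.conf inside the chroot.
# Deliberately creates an empty file rather than copying /etc/ldap.conf, so
# no LDAP bind credentials end up readable by chrooted users.
ensure_empty_ldap_conf() {
    mkdir -p "$1/etc" || return 1
    [ -e "$1/etc/ldap.conf" ] || : > "$1/etc/ldap.conf"
}

# Human-readable audit of one chroot directory.
audit_chroot() {
    root="$1"
    if chroot_perms_ok "$root"; then
        echo "ok: $root is root-owned and not group/other writable"
    else
        echo "warn: $root must be root-owned and not group/other writable"
    fi
    n=$(count_missing_nss_files "$root")
    if [ "$n" -eq 0 ]; then
        echo "ok: all expected name-service files present under $root"
    else
        echo "warn: $n name-service file(s) missing under $root:"
        missing_nss_files "$root"
    fi
}

# Usage: ./audit_chroot.sh /mychroot
if [ -n "${1:-}" ]; then
    audit_chroot "$1"
fi
```

Running `audit_chroot /mychroot` on the reporter's host would list the same files the strace shows as ENOENT; `ensure_empty_ldap_conf /mychroot` reproduces the empty-file workaround. The remaining entries (resolv.conf, hosts, localtime) are reported so that an administrator can decide which to provide inside the chroot, since the sss socket and memory-cache paths will always be absent there.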