Bugzilla – Bug 803471
network not always ready when desktop logon apears for network based authentication
Last modified: 2015-10-07 13:31:14 UTC
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 it might be an idea when switching to network based logons (winbind/samba/ldap/nis/whatever) to add the network.service requirement to the systemd runlevel5.target ie change the wants line in /usr/lib/systemd/system/runlevel5.target to Wants=xdm.service network.service Because the network is not always ready by the time the login appears when using hotplug ethernet devices (thunderbolt/usb) , wireless devices and sometimes wired devices. Since a network based authentication is a bit difficult when there is no network available. workaround : grab a cup of coffee/thea/milk and drink it slowly before logging in to give the system time to establish the network connection Regards Rob Reproducible: Always Steps to Reproduce: 1. use a hotplug network device 2. configure network based logon (ie samba/winbind/ldap/nis) 3. reboot and try to logon as soon as the logon appears 4. see message about network unavailable or using cached credentials etc Actual Results: message stating that the domain is unavailable and that cached credentials will be used Expected Results: network based authentication
There is already a target for that, called nss-user-lookup.target It is up to services like winbind, samba, ldap, nis, whatever to be fixed to be a dependency on it and enable it. Once it is done, systemd-logind.service will automatically pulls it. So, not a systemd bug. Please reassign to whoever maitains those packages (or duplicate this bug for each package).
Frederic, what exactly should get fixed here: $ less /usr/lib/systemd/system/ypbind.service [Unit] Description=NIS/YP (Network Information Service) Clients to NIS Domain Binder Requires=rpcbind.service After=network.target rpcbind.service ypserv.service Before=systemd-user-sessions.service [Service] Type=simple EnvironmentFile=-/etc/sysconfig/ypbind # Do not call ypbind-systemd-pre from ExecStartPre to keep the # keep OTHER_YPBIND_OPTS options which have to be passed as options # suggested by fcrozat@suse.com ExecStart=/bin/sh -c "/usr/share/ypbind/ypbind-systemd-pre; exec /usr/sbin/ypbind -n $OTHER_YPBIND_OPTS" ExecStartPost=/usr/share/ypbind/ypbind-systemd-post ExecStopPost=/bin/sh -c "/bin/rm -f /var/yp/binding/* /var/run/ypbind.pid" [Install] WantedBy=multi-user.target
I tested it on a system with AD domain logins. So when using winbind to authenticate against a domain the network is not always ready when the login screen appears. I obvisously incorrectly asumed this was the case for all network related authentication. Rob
ok, I misread the original bug report. I think when "hotplug" network is configured with network auth, the check enforcing network being present should be enabled. Currently, it is only when using ifup/sysconfig but not when using NetworkManager (/etc/sysconfig/network/config NM_ONLINE_TIMEOUT should be set to non 0 value). This should probably be done by YaST when configuring network auth. I'm discussing with upstream regarding nss-user-lookup.target if it should be pulled by some specific "user lookup" services (like winbind, ypbind, ..) when installed or if it should be the job of YaST, when configuring auth for such services.
I'm using ifup and NIS and also had the problem that after bootup, NIS/autofs was not ready. This looked like some timing issue. Frederic, I'll assign this to you for now. Remember that YaST will not help with updates. My system runs ypbind and when updating via e.g. zypper dup, YaST will not touch the setup at all.
this(In reply to comment #6) > I'm using ifup and NIS and also had the problem that after bootup, NIS/autofs > was not ready. This looked like some timing issue. This looks similar to bnc#806725 (but reporter was initially having NM running instead of NM). Please attach dmesg after booting with systemd.log_level=debug systemd.log_target=kmsg
(In reply to comment #5) > I'm discussing with upstream regarding nss-user-lookup.target if it should be > pulled by some specific "user lookup" services (like winbind, ypbind, ..) when > installed or if it should be the job of YaST, when configuring auth for such > services. so, upstream is in agreement with me. The fix for this should be to add to "network user service" (ypbind.service / winbind / openldap / ...) the following lines in the [Unit] serction: Wants=nss-user-lookup.target Before=nss-user-lookup.target This way, nss-user-lookup.target will be correctly used as a sync point, preventing user login until network user service is available.
(In reply to Frederic Crozat from comment #8) > so, upstream is in agreement with me. The fix for this should be to add to > "network user service" (ypbind.service / winbind / openldap / ...) the > following lines in the [Unit] serction: > > Wants=nss-user-lookup.target > Before=nss-user-lookup.target > > This way, nss-user-lookup.target will be correctly used as a sync point, > preventing user login until network user service is available. Checked on openSUSE 13.2: -->-- grep -r nss-user-lookup.target /usr/lib/systemd/system /usr/lib/systemd/system/ypbind.service:Wants=nss-user-lookup.target /usr/lib/systemd/system/ypbind.service:Before=systemd-user-sessions.service nss-user-lookup.target /usr/lib/systemd/system/autofs.service:After=network.target remote-fs.target nss-lookup.target nss-user-lookup.target /usr/lib/systemd/system/systemd-logind.service:After=nss-user-lookup.target user.slice /usr/lib/systemd/system/nscd.service:Wants=nss-lookup.target nss-user-lookup.target /usr/lib/systemd/system/nscd.service:Before=nss-lookup.target nss-user-lookup.target /usr/lib/systemd/system/cron.service:After=nss-user-lookup.target network.target time-sync.target --<-- So, this has been implemented. Closing the bug as fixed in current version.