After updating anything to use systemd-235 NIS logins either don’t work at all (usually for GUI logins), or take a long time to login (console or ssh, sometimes). The culprit is a line in the systemd-logind.service
:
IPAddressDeny=any
This sandboxes the service and doesn’t allow it to talk to the network. Unfortunately this affects nis lookups done via the glibc NSS API. See the links at https://github.com/systemd/systemd/pull/7343
The quick solution is to turn off the sandboxing, either by commenting out or changing the line in systemd-logind.service, or creating a drop-in snippet that overrides it. This can be done by creating a file /etc/systemd/system/systemd-logind.service.d/IPAddress_clear.conf
with the contents:
[Service] IPAddressDeny=
The file can be called anything you like (.conf
).
Then restart things:
systemctl daemon-reload systemctl restart systemd-logind.service
You can check that the drop-in is being loaded with
systemctl status systemd-logind.service
In the output you should see something like:
Loaded: loaded (/lib/systemd/system/systemd-logind.service; static; vendor preset: enabled) Drop-In: /etc/systemd/system/systemd-logind.service.d └─IPAddress_clear.conf
The other test is to see if NIS logins work correctly, of course…
The slightly slower solution is to use nscd
to cache the lookup requests, and apparently does so in a way that plays nicely with the sandboxing. The much slower solution is to switch to using sssd
or similar and ditch NIS once and for all…
Note – this may also affect systemd-udevd
.