Debugging nsswitch.conf
Ron Wills
ron at digitalcombine.ca
Wed Apr 21 14:35:43 UTC 2021
On Tue, Apr 20, 2021 at 08:40:21PM -0600, Ron Wills wrote:
> On Mon, Apr 19, 2021 at 01:05:48PM -0600, Ron Wills wrote:
> > I'm attempting to create something like a BBS with sshd within a jail.
> > Because of the flexibility of ssh I want the absolute minimum in the
> > jail and I want sshd to authenticate through PostgreSQL.
> >
> > I have both libnss-pgsql and pam-pgsql installed and added to the jail.
> > When I set nsswitch.conf to:
> > groups: files
> > passwd: files
> >
> > I can see the users from the master.passwd file and can see pam-pgsql
> > connect to the database and fail. The failure is because the two aren't
> > currently in sync.
> >
> > When I set nsswitch.conf to:
> > groups: pgsql
> > passwd: pgsql
>
> I ran ktrace on "getent passwd" and discovered the problem. When pgsql
> is specified, nss attempts to load the library nss_pgsql.so.1. The
> package libnss-pgsql installs the library lib_pgsql.so.2.0.0 and links.
> Renaming the libraries fixed the problem.

In case anyone is interested, a cleaner fix is to add the following line
to /etc/libmap.conf:

    nss_pgsql.so.1 libnss_pgsql.so.2

This will remap the library loading to the correct library.

> If I'm not mistaken here I'm seeing two problems.
>
> The most obvious being the library file name in the package.
>
> The other problem is with the nss system. Should it be looking for a
> versioned library file? Wouldn't searching for nss_pgsql.so be better
> form than nss_pgsql.so.1? And possibly the man page for nsswitch.conf
> should include some kind of blurb for loadable modules. I haven't been
> able to find any other documentation on the nss system than there.
>
> I'm new to FreeBSD and I'm not quite sure where I should report this.
> I'd be happy to help to improve things where I can :)
>
> > I get absolutely nothing. Getent returns nothing. I see nothing logged.
> > I don't see any attempts to connect to the database. NSS just silently
> > fails. I'm at a loss. I'm sure I'm probably just missing something
> > simple... Here's the nss configuration for the jail at the
> > moment on FreeBSD 12.2.
> >
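
An added example, not part of the message above: a small sh check for the silent failure described in the thread, where nsswitch.conf names a source whose nss_<source>.so.1 file does not exist and no libmap.conf entry remaps it. The function names, the built-in source list (taken from nsswitch.conf(5)) and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.
# For each non-built-in source in nsswitch.conf, report whether the module
# name NSS asks for (nss_<source>.so.1) exists or is remapped by libmap.conf.

nss_sources() {    # $1 = nsswitch.conf; prints sources that need a module
    sed -e 's/#.*//' -e 's/\[[^]]*\]//g' "$1" |
        awk -F: 'NF > 1 { print $2 }' | tr -s ' \t' '\n\n' |
        grep -v -E '^(files|db|dns|nis|compat|cache)?$' | sort -u
}

libmap_target() {  # $1 = libmap.conf, $2 = requested name; prints target
    [ -r "$1" ] || return 0
    # Simplification: only entries before the first [constraint] section.
    awk -v want="$2" '{ sub(/#.*/, "") }
        /^[ \t]*\[/ { exit }
        $1 == want && NF >= 2 { print $2; exit }' "$1"
}

check_nss_modules() {  # $1 = nsswitch.conf, $2 = libmap.conf, rest = lib dirs
    conf=$1; libmap=$2; shift 2
    for src in $(nss_sources "$conf"); do
        want="nss_${src}.so.1"
        target=$(libmap_target "$libmap" "$want")
        state=missing
        for dir in "$@"; do
            if [ -e "$dir/$want" ]; then state=ok; break; fi
            if [ -n "$target" ] && [ -e "$dir/$target" ]; then
                state="mapped:$target"; break
            fi
        done
        echo "$src $want $state"
    done
}

# Constructed sample tree: only libnss_pgsql.so.2 is present, as in the thread.
demo=$(mktemp -d)
printf 'group: files pgsql\npasswd: files pgsql\nhosts: files dns\n' \
    > "$demo/nsswitch.conf"
: > "$demo/libnss_pgsql.so.2"
check_nss_modules "$demo/nsswitch.conf" "$demo/libmap.conf" "$demo"
echo 'nss_pgsql.so.1 libnss_pgsql.so.2' > "$demo/libmap.conf"
check_nss_modules "$demo/nsswitch.conf" "$demo/libmap.conf" "$demo"
rm -rf "$demo"
```

Inside a jail, pass the jail's own /etc/nsswitch.conf and /etc/libmap.conf plus the library directories the runtime linker searches there, for example /usr/lib and /usr/local/lib.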