systemd-logind.service Failed to Retrieve NIS User Information ​

Context ​

When using NIS-synchronized users with the systemd-pam package installed, systemd fails to create corresponding UID files under /run/systemd/users/ during user login, resulting in gnome-shell errors.

NIS provides centralized network resource management including users, passwords, home directories, and group information across multiple systems.

Related issue: https://gitee.com/src-openeuler/systemd/issues/I9OXNC?from=project-issue

Version Information ​

systemd version: systemd-249-75.oe2203sp1.aarch64 systemd-pam version: systemd-pam-249-75.oe2203sp1.aarch64

Symptom ​

A ylp NIS user (UID 1015) can be identified through the id command but lacks corresponding UID file creation in /run/systemd/users/ after login:

[root@server1 ~]# id ylp
uid=1015(ylp) gid=1015(ylp) groups=1015(ylp)
[root@server1 ~]# ll /run/systemd/users/
total 16
-rw-r--r-- 1 root root 345 May 13 17:23 0
-rw-r--r-- 1 root root 243 May 10 17:40 1002
-rw-r--r-- 1 root root 252 May 13 17:20 1004
-rw-r--r-- 1 root root 274 May 10 18:12 971

Possible Causes ​

1. Network connectivity issues preventing NIS server communication, as shown in error logs:

   txt

   systemd-logind[2989387]: yp_bind_client_create_v3: RPC: Remote system error - Address family not supported by protocol
   server1 sshd[2989498]: pam_systemd(sshd:session): Failed to create session: No such process
   server1 sshd[2989498]: pam_unix(sshd:session): session opened for user ylp(uid=1015) by (uid=0)
   server1 sshd[2989498]: pam_systemd(sshd:session): Failed to create session: Transport endpoint is not connected

2. Compatibility changes in systemd versions based on community discussions:

   • Version 235 added IPAddressDeny=any to services like systemd-logind.service, blocking external IP communication:
     https://github.com/systemd/systemd/pull/6921

   • Version 239 further restricted network protocols (AF_INET/AF_INET6) for systemd-logind.service:
     https://github.com/systemd/systemd/issues/9072

3. Systemd community's official stance on compatibility:

   • Compatibility notice added to NEWS documentation:
     https://github.com/systemd/systemd/pull/7343

   • Maintainers recommend using NSCD/SSSD instead of direct NIS integration for security reasons:
     https://github.com/systemd/systemd/issues/7074#issuecomment-338157851

Solution ​

Option 1 ​

Add NSCD or SSSD services to access local cached data.

Option 2 ​

Manually enable network access for systemd-logind.service.

1. Check configuration files in /usr/lib/systemd/system/systemd-logind.service.d/ on client machines for existing IPAddressAllow and RestrictAddressFamilies parameters. Use these commands to verify:

   bash

   grep -rn "IPAddressAllow"
   grep -rn "RestrictAddressFamilies"

   Scenario 1: If parameters do not exist, create a configuration file systemd-logind-nis.conf (with same permissions as other files in directory) containing:

   ini

   IPAddressAllow=NIS_server_IP_address_to_be_allowed
   RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6

   Scenario 2: If parameters exist, append configurations to existing files:

   ini

   IPAddressAllow=Original_configuration Additional_NIS_server_IP
   RestrictAddressFamilies=Original_configuration AF_UNIX AF_NETLINK AF_INET AF_INET6

   Scenario 3: If a file contains only one of the parameters, append the configuration to the existing parameter in that file, and write the missing parameter to /usr/lib/systemd/system/systemd-logind.service.d/systemd-logind-nis.conf (refer to Scenarios 1 and 2).

2. Restart the service after configuration changes:

   bash

   systemctl daemon-reload
   systemctl restart systemd-logind.service