[systemd-devel] Antw: Re: systemd-tmpfiles-setup.service failed due to LDAP resolving

Ulrich Windl Ulrich.Windl at rz.uni-regensburg.de
Wed May 22 09:52:45 UTC 2019

>>> Lennart Poettering <lennart at poettering.net> schrieb am 22.05.2019 um 10:30
Nachricht <20190522083028.GA30001 at gardel-login>:
> On Mi, 22.05.19 10:02, Ulrich Windl (Ulrich.Windl at rz.uni‑regensburg.de)
>> Hi!
>> Obviously the owner of a temporary directory cannot be an LDAP user:
> system users should really not be located on LDAP:

OK, but it's a challenge to keep the UIDs in sync on multiple hosts for local


>> May 22 09:02:48 v04 systemd‑tmpfiles[1056]: nss‑ldap: do_open:
>> failed:stat=‑1
>> May 22 09:02:48 v04 systemd‑tmpfiles[1056]: nss_ldap: could not search
>> server ‑ Server is unavailable
>> May 22 09:02:48 v04 systemd[1]: systemd‑tmpfiles‑setup.service: Main
>> exited, code=exited, status=1/FAILURE
> Hmm, we actually log about all errors we encounter. Is it possible
> that the nss‑ldap module (which iirc is obsolete and unmaintained
> these days?) does an exit(1) or so?

It seems I had overlooked the message (maybe because "systemd-tmpfiles:
nss-ldap: do_open: do_start_tls failed:stat=-1" continue after the last
systemd-tmpfiles[3051]: [/usr/lib/tmpfiles.d/FCmonitor.conf:1] Unknown group

> Either way, if we receive an error from NSS and don't log about it,
> that'd be a bug, but please confirm with a current systemd version, or
> contact your downstream who will do that and then propagate this to
> us.
> You can also set the "SYSTEMD_LOG_LEVEL=debug" env var to get more
> detailed output. i.e. use "systemctl edit systemd‑tmpfiles.service",
> then type in:
> [Service]
> Environment=SYSTEMD_LOG_LEVEL=debug
> then save and reboot.
>> The basic problem is that LDAP needs network (which isn't up at this
>> But still, it's hard to tell from the logged messages which entry actually
>> caused the problem. From what I see "root" is the only user being used,
>> that user is local in /etc/passwd. /etc/nsswitch.conf has "passwd: 
> compat"...
>> I can create the missing directories later running "systemctl start
>> systemd‑tmpfiles‑setup", but SLES has:
>> /usr/lib/tmpfiles.d/systemd‑nologin.conf:F! /run/nologin 0644 ‑ ‑ ‑ "System
>> booting up. See pam_nologin(8)"
>> Which effectively locks out users when doing so.
> You can invoke the binary from shell prompt:
>    systemd‑tmpfiles ‑‑create ‑‑clean ‑‑remove
> If you don't specify ‑‑boot then lines like the /run/nologin one won't
> be honoured.

OK, my solution was to "rm /run/nologin".

> Lennart
> ‑‑
> Lennart Poettering, Berlin

More information about the systemd-devel mailing list