NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

NixOS shell handling is broken for network users #21562

Open outergod opened 7 years ago

outergod commented 7 years ago

Issue description

As NixOS provides a non-standard way of locating its user shells, passwd entries from non-local sources are usually broken unless they were specifically made just for NixOS. This means NixOS installations can't properly participate in a network environment with centrally managed users.

The current workaround is to manually create links in /bin.
I can imagine two possible solutions to this. The simple one is to add a module that manages symlinks in /bin for all active, system-wide shells. The tedious, more "pure" Nix-ish way would be to provide an additional PAM module that re-writes the shell part of a passwd entry before attempting to log in.

I would like to get opinions on this before actually attempting a fix as I've read somewhere else there was the plan to get rid of /bin altogether, even including /bin/sh.

Steps to reproduce

  1. Set up a non-local user source such as LDAP and configure NixOS to use it
  2. Create typical user entries with default shell locations such as /bin/bash or /bin/zsh
  3. Attempt to log in as a network user

Expected result: User logs in and uses the shell provided.

Actual result: Login failure because of invalid shell.

Technical details
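The first of the two fixes proposed above, the module that keeps /bin symlinks for every system-wide shell, written out as an added NixOS module (example code, not from the issue or from nixpkgs). It assumes the host gets its accounts from a network source such as LDAP and that bash and zsh are the shells those passwd entries reference by their conventional /bin paths.

```nix
# Added example: maintain /bin/<shell> symlinks for the login shells this
# system offers, so passwd entries from a network directory that name
# /bin/bash or /bin/zsh resolve to the matching Nix store binaries.
{ config, lib, pkgs, ... }:

let
  # Assumption: these are the shells network users are expected to have.
  # Each entry is a package whose main program is the shell itself.
  networkShells = [ pkgs.bashInteractive pkgs.zsh ];

  # Name of the executable inside the package (falls back to pname).
  shellName = sh: sh.meta.mainProgram or sh.pname;
in
{
  # Register the shells as valid login shells; this also lists them in
  # /etc/shells, which chsh(1) and some login paths consult.
  environment.shells = networkShells;

  # systemd-tmpfiles "L+" creates the symlink, replacing anything already at
  # that path. NixOS applies tmpfiles rules at boot and on every activation,
  # so the links follow the store path after a rebuild.
  systemd.tmpfiles.rules =
    map (sh: "L+ /bin/${shellName sh} - - - - ${lib.getExe sh}") networkShells;
}
```

After a rebuild, `ls -l /bin` should show each link pointing into /nix/store, and `getent passwd <network user>` should return a shell path that now exists.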

mmahut commented 5 years ago

Are there any updates to this issue, please?

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

sylvainf911 commented 2 years ago

You can use ldap.daemon.extraConfig and add a map for loginShell:

```nix
# In a NixOS configuration the nslcd settings live under the users.ldap
# option tree, so the full option path is users.ldap.daemon.extraConfig.
users.ldap.daemon.extraConfig = ''
  # nslcd map directive: replace the loginShell attribute from LDAP with a
  # literal path that exists on NixOS.
  map passwd loginShell "/run/current-system/sw/bin/bash"
'';
```

The directive rewrites the loginShell entry from LDAP to the value specified. It does not handle the fact that users can use different shells, but at least they can log in.