Can't get UID for user xyz

[danielperna84]

I am trying to upgrade my existing 0.9 installation to 0.10. So far it seems to be working fine for my already existing testuser. However, logging in as another user (who has not previously logged in using the 0.9 version) does not work, giving me the following error:

[2025-03-14T10:18:59.131+0100] [INFO ] starting xrdp-sesexec with pid 159546
[2025-03-14T10:18:59.138+0100] [ERROR] Can't get UID for user xyz
[2025-03-14T10:18:59.140+0100] [INFO ] AUTHFAIL: user=xyz ip=10.15.0.3 time=1741943939

The reason this is happening seems to be, that the UID check is done before my custom PAM is started (which is confirmed by this statement). The thing is, it's actually my PAM that is communicating with an LDAP server, does the authentication, and creates the local user on the fly if not present on the system.

What would be the correct approach to handle this problem? Essentially I don't want xrdp-sesexec to perform that kind of logic / checks, as PAM should be doing that.

[matt335672]

An interesting problem @danielperna84

Addressing the problem as stated, you'll need to pick up on the initial call to getuid() to handle this. You could conceivably write a custom nssswitch handler installed in the passwd line in nsswitch.conf, but it's not something I've done myself.

The same check can be done on the command line with getent passwd xyz. This could be used to debug and test any custom handler.

Taking a wider view (and I don't know your exact requirement) i's more usual to use sssd to do this kind of thing, but I imagine this doesn't for your use-case for various reasons.

[danielperna84]

It's an isolated and controlled environment, so that won't be a problem in my case. But your statement from your linked issue as sesman will move to using UIDs to refer to users rather than usernames suggests, that not having the uid present at that time could be a problem. I'll try it anyways and report back. 👍

[danielperna84]

I think skipping the code won't work either. Here uid is being used. And using some random value probably will mess things up. 😕

[matt335672]

I can't offer much advice I'm afraid.

Looking again at doing this an an NSS level, the source for the nss files module are here but they are quite a challenge to read. You'll also need to take locking into account, if you're accessing local files.

I've not spent a lot of time looking around, but a better place to start might be something like this project which is LGPL:-

https://github.com/aperezdc/nss-altfiles

Alternatively, figure out a way of adding the users to LDAP and just use that.

[danielperna84]

FYI: I have created a script, which periodically syncs the users from LDAP with the local passwd. Not ideal, but it's good enough.