Xen project Mailing List

Re: [Xen-users] libpam-ldap and HVM domain erros

To: Danila Reznichuk <dreznichuk@xxxxxxxxx>

From: James Dingwall <james-xen@xxxxxxxxxxxxxx>

Date: Tue, 25 Jun 2019 14:30:54 +0000

Delivery-date: Tue, 25 Jun 2019 14:32:12 +0000

List-id: Xen user discussion <xen-users.lists.xenproject.org>

Hi Danila, On Fri, Jun 21, 2019 at 01:20:47PM +0300, Danila Reznichuk wrote: > Hi all, > Yesterday after server reboot i've experienced some strage error while > trying to recreate my HVM domains: > > libxl: error: libxl_dm.c:2339:device_model_spawn_outcome: Domain > 4:(null): spawn failed (rc=-3) > libxl: error: libxl_create.c:1501:domcreate_devmodel_started: Domain > 4:device model did not start: -3 > libxl: error: libxl_domain.c:1003:libxl__destroy_domid: Domain 4:Non- > existant domain > libxl: error: libxl_domain.c:962:domain_destroy_callback: Domain > 4:Unable to destroy guest > libxl: error: libxl_domain.c:889:domain_destroy_cb: Domain > 4:Destruction of domain failed > > debug from xl create was not showing any interesting, and much later I > found some errors in systemd journal: > > xl[3163]: nss_ldap: could not connect to any LDAP server as (null) - > Can't contact LDAP server > xl[3163]: nss_ldap: failed to bind to LDAP server ldap://auth- > 01.domain.com: Can't contact LDAP server > xl[3163]: nss_ldap: could not connect to any LDAP server as (null) - > Can't contact LDAP server > xl[3163]: nss_ldap: failed to bind to LDAP server ldap://auth- > 02.domain.com: Can't contact LDAP server > xl[3163]: nss_ldap: could not search LDAP server - Server is > unavailable > > so i disabled ldap as user provider in nsswitch.conf > and voila, HVM domains are up and running. > > Something about setup: > I'm using Xen 4.9 from Ubuntu repos on Ubuntu 18.04 > three days ago I setup ldap authentication on server > Not like it must be LDAP auth on xen server, but it will be > appriciated. > > So why XEN can fail to create domain because of broken nsswitch? > What could I do, to keep ldap auth, and be able to manage HVM domains, > when it fails? > > Thank you, > Regards, > Danila Reznichuk. Are you using options to run the qemu process as a de-privileged user? I encountered some issues previously when having pam/nsswitch with ldap/winbind as the a return code from the getpwnam_r call was not (in my opinion) correctly checked: https://lists.xenproject.org/archives/html/xen-devel/2018-08/msg00160.html Regards, James _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.