Sorry to not reply sooner.

On Wed, 2011-09-07 at 16:44 +1000, ganomi wrote:
> LDAP/Kerberos logins are working well when I am connected to the
> network. nscd was adjusted to allow keep credentials longer.

I don't think you use nscd to cache the credentials, only the account
information. That being said nscd doesn't cache all queries. For
instance it doesn't cache "get all users" queries.

> If I try to login without access to the network I will pass the login
> screen, which reports that I am using cached credentials, but the
> screen goes black and stays there.

I must say I don't have that much experience with a setup like yours
(libpam-ccreds and libpam-mklocaluser) but the following log messages
are all related to failing hostname lookups.

> Sep  7 10:57:01 clientmachine nslcd[1998]: [95f874] 
> <host="1.debian.pool.ntp.org"> no available LDAP server found: Server is 
> unavailable
> Sep  7 10:57:01 clientmachine nslcd[1998]: [138641] 
> <host="2.debian.pool.ntp.org"> no available LDAP server found: Server is 
> unavailable
> Sep  7 10:57:01 clientmachine nslcd[1998]: [7ff521] 
> <host="2.debian.pool.ntp.org"> no available LDAP server found: Server is 
> unavailable
> Sep  7 10:57:01 clientmachine nslcd[1998]: [3dbd3d] 
> <host="3.debian.pool.ntp.org"> no available LDAP server found: Server is 
> unavailable
> Sep  7 10:57:01 clientmachine nslcd[1998]: [7b8ddc] 
> <host="3.debian.pool.ntp.org"> no available LDAP server found: Server is 
> unavailable
> Sep  7 10:57:29 clientmachine nslcd[1998]: [eaf087] 
> <host="ldapserver.30.168.192.in-addr.arpa"> failed to bind to LDAP server 
> ldap://ldapserver.domain.tld: Can't contact LDAP server: Transport endpoint 
> is not connected
> Sep  7 10:57:29 clientmachine nslcd[1998]: [eaf087] 
> <host="ldapserver.30.168.192.in-addr.arpa"> no available LDAP server found: 
> Can't contact LDAP server
> Sep  7 10:57:29 clientmachine nslcd[1998]: [221a70] 
> <host="ldapserver.30.168.192.in-addr.arpa"> no available LDAP server found: 
> Server is unavailable
> Sep  7 10:59:29 clientmachine nslcd[1998]: [16dde9] 
> <host="ldapserver.30.168.192.in-addr.arpa"> failed to bind to LDAP server 
> ldap://ldapserver.domain.tld: Can't contact LDAP server: Transport endpoint 
> is not connected
> Sep  7 10:59:29 clientmachine nslcd[1998]: [16dde9] 
> <host="ldapserver.30.168.192.in-addr.arpa"> no available LDAP server found: 
> Can't contact LDAP server
> Sep  7 10:59:29 clientmachine nslcd[1998]: [06c83e] 
> <host="ldapserver.30.168.192.in-addr.arpa"> no available LDAP server found: 
> Server is unavailable
> Sep  7 11:01:29 clientmachine nslcd[1998]: [4fd4a1] 
> <host="ldapserver.30.168.192.in-addr.arpa"> failed to bind to LDAP server 
> ldap://ldapserver.domain.tld: Can't contact LDAP server: Transport endpoint 
> is not connected
> Sep  7 11:01:29 clientmachine nslcd[1998]: [4fd4a1] 
> <host="ldapserver.30.168.192.in-addr.arpa"> no available LDAP server found: 
> Can't contact LDAP server 
> Sep  7 11:01:29 clientmachine nslcd[1998]: [9ac241] 
> <host="ldapserver.30.168.192.in-addr.arpa"> no available LDAP server found: 
> Server is unavailable

Some of these seem to be hostname lookups for the LDAP server itself (or
some broken reverse lookups). If you enable hostname lookups through
LDAP it is often a good idea to specify the URI with an IP address
instead of a host name. This avoids bootstrapping problems in some
cases.

The others are NTP servers. Perhaps something is starting NTP when you
login (NetworkManager comes to mind)?

> Stopping the nslcd daemon fixes the problem
> # /etc/init.d/nslcd stop
> 
> Then I can login without access to network with cached LDAP credentials
> without any problem.

A workaround (depending on your setup) would be to stop nslcd when the
network goes down and start it when the network comes up. If you're
using /etc/network/interfaces, the post-up and pre-down options should
do the trick.

Hope this helps.

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
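As an added example (not from this thread and not part of nslcd itself): a hook script that implements the post-up/pre-down workaround suggested above, starting nslcd only when the LDAP server actually answers so that an unreachable server does not bring the login hang back. The script path, the placeholder server address and the use of `nc -z` (netcat-openbsd) are assumptions.

```shell
#!/bin/sh
# nslcd-net: start nslcd when the network comes up, stop it before it goes down.
# Hook it from /etc/network/interfaces (script name and path are hypothetical):
#   iface eth0 inet dhcp
#       post-up  /usr/local/sbin/nslcd-net up
#       pre-down /usr/local/sbin/nslcd-net down

# Constructed placeholder address: use the server's IP here (and in the nslcd.conf
# "uri"), not a hostname, so nslcd never has to resolve its own server via LDAP.
LDAP_HOST="${LDAP_HOST:-192.168.30.10}"
LDAP_PORT="${LDAP_PORT:-389}"
NSLCD_INIT="${NSLCD_INIT:-/etc/init.d/nslcd}"

# ldap_reachable: 0 if a TCP connection to the LDAP server succeeds within 2 s.
# Assumes the netcat-openbsd "-z -w" options.
ldap_reachable() {
    nc -z -w 2 "$LDAP_HOST" "$LDAP_PORT" >/dev/null 2>&1
}

# nslcd_action PHASE REACHABLE: map an ifupdown phase ("up"/"down") and the
# reachability result (0 = reachable) to "start", "stop" or "skip".
# Starting nslcd while the server is unreachable would reintroduce the hang,
# so "up" without reachability is a no-op. Returns 1 for an unknown phase.
nslcd_action() {
    case "$1" in
        up)   if [ "$2" = 0 ]; then echo start; else echo skip; fi ;;
        down) echo stop ;;
        *)    return 1 ;;
    esac
}

main() {
    if ldap_reachable; then r=0; else r=1; fi
    action=$(nslcd_action "$1" "$r") || { echo "usage: $0 up|down" >&2; exit 2; }
    [ "$action" = skip ] || "$NSLCD_INIT" "$action"
}

# Only act when invoked with a phase, so the file can also be sourced for testing.
if [ $# -gt 0 ]; then main "$1"; fi
```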
