Your message dated Sat, 31 Aug 2013 14:14:05 +0200
with message-id <1377951245.17597.22.ca...@sorbet.thuis.net>
and subject line Re: Bug#552431: Status of this "libnss/libnss-ldap/sshd: no login
has caused the Debian Bug report #552431,
regarding libnss/libnss-ldap/sshd: no login possible after some time
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
552431: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552431
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libnss-ldap
Version: 261-2.1
Severity: critical
Hello!
As reported in bug 541188 and on the Debian users mailing list
(ldap/libnss/ssh: (remote) login stops working after some time,
Thu, 3 Sep 2009 12:02:34 +0200), login stops working via ssh and
partly locally after some weeks or days: If this happens, I
- cannot login as root (neither locally, nor remotely)
- cannot login as an ldap user remotely
The error I get from ssh is
r...@ikq3.inf.ethz.ch: ssh_exchange_identification: Connection closed by remote host
The current "fix":
If I log in locally as an ldap user, I CAN log in, and after that I can
again log in remotely, as root and as an ldap user.
As Debian Lenny is installed on almost all of our cluster nodes, this is causing
a lot of trouble, as local login is very expensive for us.
If you have any hint on what could be wrong (i.e. configuration / libs / etc.)
or if you are aware of any bug in libnss* or libpam, please let me know.
The current configuration no longer contains the debug statements that
I reported previously:
ikq3:~# grep -v ^# /etc/ldap/ldap.conf | grep -v -e ^bindpw -e ^binddn
uri ldaps://ldaps01.ethz.ch ldaps://ldaps02.ethz.ch ldaps://ldaps03.ethz.ch
host ldaps01.ethz.ch ldaps02.ethz.ch ldaps03.ethz.ch
base ou=systems,ou=inf,ou=auth,o=ethz,c=ch
port 636
pam_filter objectclass=account
pam_login_attribute uid
pam_lookup_policy no
nss_base_passwd ou=users,ou=systems,ou=inf,ou=auth,o=ethz,c=ch
nss_base_group ou=Group,ou=inf,ou=auth,o=ethz,c=ch
nss_base_netgroup ou=netgroup,ou=inf,ou=auth,o=ethz,c=ch
ssl yes
tls_checkpeer no
tls_reqcert allow
tls_cacertfile /etc/ldap/ca.pem
ikq3:~#
ikq3:~# grep -v ^# /etc/libnss-ldap.conf | grep -v -e ^bindpw -e ^binddn | grep -v ^\$
uri ldaps://ldaps01.ethz.ch ldaps://ldaps02.ethz.ch ldaps://ldaps03.ethz.ch
base ou=systems,ou=inf,ou=auth,o=ethz,c=ch
port 636
pam_filter objectclass=account
pam_login_attribute uid
pam_lookup_policy no
nss_base_passwd ou=users,ou=systems,ou=inf,ou=auth,o=ethz,c=ch
nss_base_group ou=Group,ou=inf,ou=auth,o=ethz,c=ch
nss_base_netgroup ou=netgroup,ou=inf,ou=auth,o=ethz,c=ch
ssl yes
tls_checkpeer no
tls_reqcert allow
tls_cacertfile /etc/ssl/certs/id.pem
ikq3:~#
ikq3:~# grep -v ^# /etc/nsswitch.conf|grep -v ^\$
passwd: files ldap
group: files ldap
shadow: files
hosts: files dns
networks: files
services: db files
protocols: db files
rpc: db files
ethers: db files
netgroup: files ldap
ikq3:~#
Example log entries from right before and at the time the problem began:
Oct 25 21:12:09 ikq3 ntpd[29666]: Terminating
Oct 25 21:12:10 ikq3 puppetd[4049]: Finished catalog run in 21.47 seconds
Oct 25 21:13:23 ikq3 ntpd[29675]: adjusting local clock by -0.151286s
Oct 25 21:15:01 ikq3 /USR/SBIN/CRON[29685]: (root) CMD ([ -x /usr/lib/sysstat/sa1 ] && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; [ "$ENABLED" = "true" ] && exec /usr/lib/sysstat/sa1 $SA1_OPTIONS 1 1 ; })
Oct 25 21:17:01 ikq3 /USR/SBIN/CRON[29695]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Oct 25 21:24:51 ikq3 ntpd[29675]: adjusting local clock by -0.146785s
Oct 25 21:25:01 ikq3 CRON[29723]: Authentication failure
Oct 25 21:28:47 ikq3 postfix/pickup[29737]: fatal: file /etc/postfix/main.cf: parameter default_privs: unknown user name value: nobody
Oct 25 21:28:48 ikq3 postfix/master[14129]: warning: process /usr/lib/postfix/pickup pid 29737 exit status 1
Oct 25 21:28:48 ikq3 postfix/master[14129]: warning: /usr/lib/postfix/pickup: bad command startup -- throttling
Oct 25 21:35:01 ikq3 CRON[29769]: Authentication failure
Oct 25 22:12:24 ikq3 puppetd[4049]: (//Node[ikq3]/ethz_systems::generic/ethz/File[/etc/ethz]) Failed to retrieve current state of resource: Could not find user root
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_CH.UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libnss-ldap depends on:
ii debconf [debcon 1.5.24 Debian configuration management sy
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libkrb53 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libsasl2-2 2.1.22.dfsg1-23+lenny1 Cyrus SASL - authentication abstra
Versions of packages libnss-ldap recommends:
ii libpam-ldap 184-4.2 Pluggable Authentication Module fo
ii nscd 2.7-18 GNU C Library: Name Service Cache
libnss-ldap suggests no packages.
-- debconf information:
libnss-ldap/rootbindpw: (password omitted)
libnss-ldap/bindpw: (password omitted)
libnss-ldap/dblogin: false
libnss-ldap/override: true
shared/ldapns/base-dn: dc=example,dc=net
shared/ldapns/ldap-server: ldapi:///
libnss-ldap/confperm: false
libnss-ldap/rootbinddn: cn=manager,dc=example,dc=net
shared/ldapns/ldap_version: 3
libnss-ldap/binddn: cn=proxyuser,dc=example,dc=net
libnss-ldap/nsswitch:
libnss-ldap/dbrootlogin: true
--- End Message ---
--- Begin Message ---
I'm going through all the libnss-ldap bugs in order to clean up the list
and try to address most of the remaining issues.
Re-reading the issue (and #541188) the likely candidates for the cause
of this bug are:
- a bug in nscd (if you can still reproduce the bug, please indicate
whether you have nscd installed)
- the configuration of /etc/nsswitch.conf
(since the original reporter used simple authentication to the LDAP
server, the Kerberos TGT expiry seems unlikely)
If anyone can reproduce the problem with a recent version of
libnss-ldap, feel free to re-open this bug or file a new one.
Thanks,
--
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
--- End Message ---
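An added diagnostic example (not part of the report or the maintainer's reply) for the two points raised in this thread: it scans a syslog excerpt for the first line of each symptom the reporter quoted (cron authentication failures, postfix's unknown user name, puppet's "Could not find user root"), and it checks that nsswitch.conf keeps "files" ahead of "ldap" for passwd, the configuration the maintainer points at. The log sample is constructed from the lines quoted above; the indicator names and the function names are this example's own.

```shell
# Added example (not from the bug report or the maintainer's reply).
# Two checks for the failure mode discussed in #552431:
#  1. scan a syslog excerpt for the first line showing each sign that
#     user lookups had started failing;
#  2. confirm /etc/nsswitch.conf lists "files" before "ldap" for passwd,
#     so root keeps resolving from /etc/passwd if the ldap path wedges.
# LOG_SAMPLE is constructed from the lines quoted in the report.
LOG_SAMPLE='Oct 25 21:17:01 ikq3 /USR/SBIN/CRON[29695]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Oct 25 21:25:01 ikq3 CRON[29723]: Authentication failure
Oct 25 21:28:47 ikq3 postfix/pickup[29737]: fatal: file /etc/postfix/main.cf: parameter default_privs: unknown user name value: nobody
Oct 25 21:35:01 ikq3 CRON[29769]: Authentication failure
Oct 25 22:12:24 ikq3 puppetd[4049]: (//Node[ikq3]/ethz_systems::generic/ethz/File[/etc/ethz]) Failed to retrieve current state of resource: Could not find user root'

# Read syslog text on stdin; print "<Mon> <day> <time> <indicator>" once
# per indicator, at its first occurrence.
first_nss_failures() {
    awk '
        /CRON\[[0-9]+\]: Authentication failure/ { tag = "cron-auth-failure" }
        /unknown user name value:/               { tag = "unknown-user" }
        /Could not find user root/               { tag = "root-unresolvable" }
        tag != "" && !(tag in seen) { seen[tag] = 1; print $1, $2, $3, tag }
        { tag = "" }
    '
}

# Read nsswitch.conf text on stdin; exit 0 when the passwd line has no
# "ldap" source or lists "files" ahead of it, exit 1 otherwise.
nsswitch_files_first() {
    awk '
        $1 == "passwd:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "files") f = i
                if ($i == "ldap")  l = i
            }
            if (l && (!f || f > l)) exit 1
            exit 0
        }
    '
}

# Stand-alone run: report the onset of each indicator, then check the
# local nsswitch.conf if one is readable.
printf '%s\n' "$LOG_SAMPLE" | first_nss_failures
if [ -r /etc/nsswitch.conf ]; then
    if nsswitch_files_first < /etc/nsswitch.conf; then
        echo "nsswitch.conf: passwd resolves files before ldap (ok)"
    else
        echo "nsswitch.conf: ldap precedes files for passwd (review)"
    fi
fi
```

Pointing first_nss_failures at /var/log/syslog (or a journal export) gives the onset time of each symptom, which is the window to compare against nscd restarts and LDAP server reachability.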