Re: OpenLDAP/SSH : sshd[1414]: fatal: login_get_lastlog: Cannot find account for uid 1000

From: O. Hartmann <ohartman_at_mail.zedat.fu-berlin.de>
Date: Sat, 25 Apr 2009 18:32:46 +0200
Kostik Belousov wrote:
> [Removed questions]
>
> On Fri, Apr 24, 2009 at 04:16:51PM +0200, Ruben de Groot wrote:
>   
>> On Fri, Apr 24, 2009 at 12:34:01PM +0200, Ivan Voras typed:
>>     
>>> O. Hartmann wrote:
>>>       
>>>> For several months, since an upgrade from OpenLDAP 2.4.11 to the most
>>>> recent one, I have had trouble logging in on machines which authenticate
>>>> users via OpenLDAP.
>>>>
>>>>         
>>> I've just installed a fresh machine with FreeBSD 7.2 amd64 and OpenLDAP
>>> 2.4.latest and it works. The only difference might be that I'm using nscd.
>>>
>>> Have you modified /etc/pam.d files?
>>>       
>> I had a problem with nss_ldap and openldap over ssl. This patch fixed it:
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=133501&cat=ports
>>     
>
> Actually, bug reports against threading library in 7.0/7.1 should
> be rechecked against upcoming 7.2, since libthr got a complete sync
> with HEAD. In particular, several issues were fixed that are related
> to fork and threads interaction.
>
> If the issue is still present in 7.2, then the best way to start some
> progress is to get isolated failing test case for libthr.
>   
The problem I specifically mentioned affects a pure FreeBSD
8.0-CURRENT/amd64 installation in the same way and is identical to what I
see with FreeBSD 7.2-STABLE.

I changed the order of lookup targets in /etc/nsswitch.conf:

Previously (not working, and triggering the issues I reported):

group: files ldap
passwd: files ldap

Working after swapping the order:

group: ldap files
passwd: ldap files

This is weird! After I changed that, the first attempt at entering the
password now takes 20 seconds to respond, even for local users; if I hit
return on the first password attempt and enter the password on the second
attempt, it proceeds immediately to the expected login.

The intention of having files looked up first was: sometimes LDAP is dead,
or we are running tests and cannot reach LDAP, so we need to log in via
locally stored users. Having LDAP consulted first makes a login a disaster:
after a minute some boxes cancel the login attempt because of a timeout.
That's fun.

Even with

passwd: ldap [unavail=continue notfound=continue] files [success=return notfound=return]
group: ldap [unavail=continue notfound=continue] files [success=return notfound=return]

it fails. There is something wrong, not specifically with 7.2.

Oliver
Received on Sat Apr 25 2009 - 14:32:19 UTC
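As an added example (not part of Oliver's message, and not FreeBSD's or nss_ldap's own tooling), the following POSIX shell script parses nsswitch.conf-style lines, including the `[status=action ...]` clauses shown in the thread, and reports for each database whether a local source (`files`) is consulted before a network-backed one such as `ldap`. That ordering is the property Oliver wants for the "LDAP is dead" case. The sample configuration embedded in `NSS_SAMPLE` is constructed for illustration; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: inspect nsswitch.conf lookup order for the databases that
# decide who can log in when the directory server is unreachable.
# NSS_SAMPLE is constructed for this example; pass your own text as the
# second argument of each function to check a real file's contents.

NSS_SAMPLE='
# constructed sample, mirrors the variants discussed in the thread
group: files ldap
passwd: ldap [unavail=continue notfound=continue] files [success=return notfound=return]
hosts: files dns
shells: files
'

# nss_sources DB [CONFIGTEXT]
# Print the source names for database DB in lookup order, with every
# "[status=action ...]" clause stripped. Prints nothing if DB is not listed.
nss_sources() {
    db=$1
    text=${2:-$NSS_SAMPLE}
    printf '%s\n' "$text" | awk -F: -v db="$db" '
        { sub(/#.*/, "") }                         # drop comments
        $1 ~ ("^[ \t]*" db "[ \t]*$") {
            n = split($2, tok, " ")                # whitespace-separated tokens
            out = ""; inb = 0
            for (i = 1; i <= n; i++) {
                t = tok[i]
                # skip tokens inside a [ ... ] action clause, which may span
                # several whitespace-separated tokens
                if (inb) { if (t ~ /\]$/) inb = 0; continue }
                if (t ~ /^\[/) { if (t !~ /\]$/) inb = 1; continue }
                out = out (out == "" ? "" : " ") t
            }
            print out
            exit                                   # first matching line wins
        }'
}

# nss_local_first DB [CONFIGTEXT]
# Exit 0 when a local source is consulted before any network-backed source,
# so local accounts still resolve while the directory server is down.
# Exit 1 otherwise, including when DB is not listed at all.
nss_local_first() {
    for src in $(nss_sources "$1" "${2:-$NSS_SAMPLE}"); do
        case $src in
            files|compat)                   return 0 ;;
            ldap|nis|nisplus|dns|winbind)   return 1 ;;
        esac
    done
    return 1
}

# Stand-alone run: report the sample's order for the two databases in question.
for db in passwd group; do
    if nss_local_first "$db"; then
        verdict="local source first"
    else
        verdict="network source first (local logins depend on LDAP timeouts)"
    fi
    printf '%-8s %-12s %s\n' "$db:" "$(nss_sources "$db")" "$verdict"
done
```

The parser treats the action clauses only as something to skip; it does not evaluate them, because whatever `[unavail=continue ...]` says, a lookup that reaches `ldap` first still has to wait for the LDAP client's own bind and search timeouts before `files` is consulted. Run it against a real file with, for example, `nss_local_first passwd "$(cat /etc/nsswitch.conf)"`.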

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:46 UTC