Re: problem with nss_ldap

From: <tmclaugh_at_sdf.lonestar.org>
Date: Mon, 16 Mar 2009 10:13:56 -0400 (EDT)
> Hartmut Brandt wrote:
>> On Sun, 15 Mar 2009, Tom McLaughlin wrote:
>>
>> TM>Hartmut Brandt wrote:
>> TM>> On Tue, 10 Mar 2009, Tom McLaughlin wrote:
>> TM>>
>> TM>> TM>Doug Rabson wrote:
<snip>
>
> Today I found this posting here while having much trouble with authentication
> on some clients.
>
> After an update of the LDAP server from OpenLDAP 2.4.14 to 2.4.15 and
> updating db-4.6 to db-4.7 (all on the server, server runs FreeBSD
> 7.1-STABLE/i386), I have no luck logging in via ssh on any client (client
> runs FreeBSD 8.0-CURRENT/amd64). Client has also db-4.7 and OpenLDAP
> 2.4.15 and I recompiled pam_ldap and nss_ldap when I updated OpenLDAP
> 2.4.14 to OpenLDAP 2.4.15.
>
> Checking console log gives me this:
>
> Mar 16 11:04:34 thusnelda sshd[1560]: fatal: login_get_lastlog: Cannot
> find account for uid 1000
> Mar 16 11:04:34 thusnelda sshd[1560]: syslogin_perform_logout: logout()
> returned an error
>
>
> Checking sshd.log gives this:
>
> Mar 16 11:04:19 thusnelda sshd[1560]:
> Accepted keyboard-interactive/pam for user from XXX.XXX.XXX.XXX port
> 61861 ssh2
> Mar 16 11:04:19 thusnelda sshd[1563]: nss_ldap: could not get LDAP
> result - Can't contact LDAP server
> Mar 16 11:04:34 thusnelda sshd[1563]: nss_ldap: could not get LDAP
> result - Timed out
> Mar 16 11:04:34 thusnelda sshd[1560]: nss_ldap: could not search LDAP
> server - Server is unavailable
> Mar 16 11:04:34 thusnelda sshd[1560]: fatal: login_get_lastlog: Cannot
> find account for uid 1000
> Mar 16 11:04:34 thusnelda sshd[1560]: syslogin_perform_logout: logout()
> returned an error
>
> This happens now on all boxes running the most recent OpenLDAP 2.4.15.
>
> Is there a serious issue we should PR?
>
> Thanks in advance,
> Oliver
>

Need a lot more info here.  The issue in this thread has been related to
GSSAPI and nss_ldap and manifests itself when you use krb5_ccname in the
nss_ldap.conf.  Is the problem only related to authentication?  Only sshd?
If you're on the box does nss_ldap work fine and enumerate all users and
groups just fine?  Are only -CURRENT boxes showing problems?  What about
-STABLE?  When did everything break?  What do the ldap server logs say if
you have access to them?  (Might want to bump up the loglevel on openldap
too.)

tom
Received on Mon Mar 16 2009 - 13:14:04 UTC
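The log excerpt in Oliver's report already answers one of Tom's questions: the "Accepted keyboard-interactive/pam" line means PAM authentication succeeded, and the session died fifteen seconds later when sshd's post-authentication passwd lookup for uid 1000 failed inside nss_ldap. The following triage script is an added example, not code from this thread or from the nss_ldap or OpenSSH projects. It parses sshd syslog records, pairs each "login_get_lastlog" fatal with the "Accepted" line of the same sshd pid, and collects the nss_ldap failure reasons logged in between, so a reader can tell "authentication failed" apart from "authentication succeeded, NSS lookup failed". The sample input is the posted sshd.log excerpt re-joined onto one record per line; the year 2009 is supplied by hand because syslog timestamps carry none, and the regular expressions assume the message formats exactly as they appear in the post.

```python
"""Triage sshd + nss_ldap log lines: PAM failure, or post-auth NSS failure?

Added example, not from the original thread.  The sample records below are
the sshd.log lines quoted in the report, each re-joined onto a single line.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Mar 16 11:04:19 thusnelda sshd[1560]: Accepted keyboard-interactive/pam for user from XXX.XXX.XXX.XXX port 61861 ssh2
Mar 16 11:04:19 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Mar 16 11:04:34 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Timed out
Mar 16 11:04:34 thusnelda sshd[1560]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 16 11:04:34 thusnelda sshd[1560]: fatal: login_get_lastlog: Cannot find account for uid 1000
Mar 16 11:04:34 thusnelda sshd[1560]: syslogin_perform_logout: logout() returned an error
"""

# Classic BSD syslog prefix followed by "sshd[<pid>]: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Message shapes taken from the posted log (assumed, not from OpenSSH source).
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
NSS_RE = re.compile(r"^nss_ldap: (?P<op>could not .+?) - (?P<reason>.+)$")
LASTLOG_RE = re.compile(
    r"^fatal: login_get_lastlog: Cannot find account for uid (?P<uid>\d+)")


def parse_ts(ts: str, year: int) -> datetime:
    """Syslog timestamps have no year; the caller supplies it (2009 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def triage(log: str, year: int = 2009) -> list:
    """Return one verdict dict per login_get_lastlog fatal found in `log`."""
    accepted = []       # (ts, pid, user, method)
    nss_failures = []   # (ts, pid, op, reason)
    lastlog_fatal = []  # (ts, pid, uid)
    for raw in log.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue  # not an sshd record, skip it
        ts, pid, msg = parse_ts(m["ts"], year), int(m["pid"]), m["msg"]
        a, n, f = ACCEPTED_RE.match(msg), NSS_RE.match(msg), LASTLOG_RE.match(msg)
        if a:
            accepted.append((ts, pid, a["user"], a["method"]))
        elif n:
            nss_failures.append((ts, pid, n["op"], n["reason"]))
        elif f:
            lastlog_fatal.append((ts, pid, int(f["uid"])))

    verdicts = []
    for f_ts, f_pid, uid in lastlog_fatal:
        # The session's own sshd process logs both "Accepted" and the fatal.
        prior = [a for a in accepted if a[1] == f_pid and a[0] <= f_ts]
        if not prior:
            verdicts.append({"pid": f_pid, "uid": uid,
                             "kind": "lastlog fatal without a preceding Accepted"})
            continue
        a_ts, _, user, method = prior[-1]
        # nss_ldap errors from any sshd process between Accepted and the fatal:
        # the child process (1563 above) logs them too, so do not filter on pid.
        reasons = sorted({r for t, _, _, r in nss_failures if a_ts <= t <= f_ts})
        verdicts.append({
            "pid": f_pid, "uid": uid, "user": user, "method": method,
            "delay_s": (f_ts - a_ts).total_seconds(),
            "nss_reasons": reasons,
            "kind": ("post-auth NSS lookup failure" if reasons
                     else "post-auth lookup failure (no nss_ldap errors logged)"),
        })
    return verdicts


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"sshd[{v['pid']}] uid {v['uid']}: {v['kind']}")
        if "delay_s" in v:
            print(f"  {v['method']} auth for {v['user']!r} succeeded; "
                  f"lookup gave up {v['delay_s']:.0f}s later: {v['nss_reasons']}")
```

Run it against a real sshd log in place of SAMPLE_LOG. A "post-auth NSS lookup failure" verdict says PAM (and so pam_ldap) did its job, and the thing to test next is exactly what Tom asks: whether nss_ldap on the client can enumerate users at all, and what the server's logs say about the connections it timed out on.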
