On Mon, 2020-02-17 at 21:57 +0100, Ingo wrote:
> On first login after boot up on the linux console with a local user I
> have to wait one minute to get a shell prompt. After first login I
> can logoff and login as usual without delay.

This is weird. I suspect this is related to the mechanism that nslcd
uses to authenticate itself to the LDAP server. I'm afraid I don't know
all the details of SASL/GSSAPI/Kerberos protocols and how OpenLDAP uses
them.

> The account is a local unix account with entries in /etc/passwd and
> /etc/group and does not have a posixAccount on the ldap directory.
> Authorization against the ldap server is done with SASL Proxy
> Authorization.

One way to work around this particular problem is to use the
nss_initgroups_ignoreusers option to exclude group lookups for local
user accounts.

> The bug is only seen when querying for the group account. This can
> simply be verified with removing the 'ldap' postfix at the line
>   group: files ldap
> in /etc/nsswitch.conf. Without 'ldap' on that line I can first login
> after boot up without delay.

The reason this lookup occurs is that nslcd supports having local users
in LDAP groups (the NSS subsystem generally supports this). On login the
secondary groups of a user are looked up, resulting in this LDAP search.

> As shown in the debug log below the dbus-daemon is timing out the
> attempt of nslcd to connect to the ldap server.

The logs show two queries: a lookup for the groups of user local, which
comes from the login process (pid 362), and one for the groups of user
nslcd, which comes from dbus-daemon (pid 345). Apparently, some part of
the SASL/GSSAPI/Kerberos authentication triggers a dbus lookup. The dbus
authentication (the second query in nslcd) fails with a timeout and the
whole thing fails.

If that is true, 'nss_initgroups_ignoreusers nslcd' should be sufficient
to fix this. Can you confirm?

-- 
-- arthur - adej...@debian.org - https://people.debian.org/~adejong --
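The workaround Arthur suggests, carried out on constructed /etc/passwd, /etc/nsswitch.conf and nslcd.conf fragments (added example, not code from the thread or from nslcd): it checks whether the group database falls through to the ldap source and, if so, rewrites nss_initgroups_ignoreusers so that initgroups() for every local account, nslcd's own included, never reaches the LDAP server. The hostnames and account lines are made up.

```python
# Constructed sample inputs (not taken from the mail thread).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
local:x:1000:1000:Local User:/home/local:/bin/bash
nslcd:x:108:114:nslcd daemon:/var/run/nslcd/:/usr/sbin/nologin
"""
SAMPLE_NSSWITCH = """passwd: files ldap
group:  files ldap
shadow: files
"""
SAMPLE_NSLCD_CONF = """uid nslcd
gid nslcd
uri ldap://ldap.example.com/
base dc=example,dc=com
sasl_mech GSSAPI
nss_initgroups_ignoreusers root
"""

def local_users(passwd_text):
    """Login names served by the files backend (first field of each line)."""
    return [line.split(":", 1)[0]
            for line in passwd_text.splitlines()
            if line.strip() and not line.startswith("#")]

def group_lookup_hits_ldap(nsswitch_text):
    """True when the group database falls through to the ldap source,
    i.e. initgroups() for a local user will be forwarded to nslcd."""
    for line in nsswitch_text.splitlines():
        db, _, sources = line.partition(":")
        if db.strip() == "group":
            return "ldap" in sources.split()
    return False

def set_ignoreusers(conf_text, users):
    """Return nslcd.conf text with a single nss_initgroups_ignoreusers line
    listing the existing entries plus `users` (order kept, duplicates dropped)."""
    key = "nss_initgroups_ignoreusers"
    kept, existing = [], []
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if parts[:1] == [key]:
            # nslcd accepts a comma-separated list; merge any existing entries
            existing += " ".join(parts[1:]).replace(",", " ").split()
        else:
            kept.append(line)
    merged = list(dict.fromkeys(existing + list(users)))
    kept.append(f"{key} {','.join(merged)}")
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    if group_lookup_hits_ldap(SAMPLE_NSSWITCH):
        print(set_ignoreusers(SAMPLE_NSLCD_CONF, local_users(SAMPLE_PASSWD)))
```

nslcd also accepts the special value ALLLOCAL for this option, which covers every /etc/passwd user without enumerating them; the explicit list above makes the effect visible per account.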