On Wed, Aug 12, 2009 at 06:20:37PM +0200, Nico Schottelius wrote:
> Steve Langasek [Wed, Aug 12, 2009 at 09:14:51AM -0700]:
> > On Wed, Aug 12, 2009 at 12:15:03PM +0200, Nico Schottelius wrote:
> > > It seems that pam has a bug that is triggered after some time, that
> > > "forgets" about the users:
> >
> > This is not a PAM bug, you appear to have a bug of some kind in your NSS
> > configuration.

> Well, if this is a configuration issue, why does it appear *after* some
> amount of time and *not* directly?

Most likely: your LDAP setup is broken and only allows the machine to query
the LDAP user directory when using GSSAPI authentication, while making no
provisions for the availability of persistent system-level Kerberos
credentials, so instead the LDAP lookups only work when something on the
system has "primed" the connection with a Kerberos TGT and stops working
when the tickets expire (by default, after 8 hours).

> > The 'nobody' user should *always* be a local user; this should resolve
> > correctly even if the LDAP server is down. If you don't have the 'nobody'
> > user in /etc/passwd, that's a configuration error. If you have the 'nobody'
> > user in /etc/passwd but NSS fails to return the record because of some

> That's the case here:

> [16:58] ikn2:~% ssh r...@host grep -e sshd -e nobody /etc/passwd
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin

Then your /etc/passwd is correct, but you have a broken NSS setup. This may
be a bug in libnss-ldap (if you're using the nss_ldap provided by that
Debian package), or it may be as simple as removing the atypical
'[UNAVAIL=return]' from the end of your lines in /etc/nsswitch.conf. But
either way, please consult debian-user or another suitable support forum;
I'm not going to further debug your configuration in this (misfiled) bug
report.

> > credentials caching issue, then you have some NSS module bug or NSS
> > configuration error. Either way, this is not a bug in pam.

> Agreed, sorry, maybe the wrong package.
> Can you reassign to libnss3-1d, please?

That's not the NSS we're talking about.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
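
An added illustration, not part of the original message or of any Debian package: a simplified model of glibc-style nsswitch.conf source lists, showing how an action spec such as `[UNAVAIL=return]` decides whether a local user like 'nobody' still resolves while LDAP is unavailable. The nsswitch lines and the `ldap_down` backend are constructed for the example (the reporter's actual nsswitch.conf does not appear in the thread); the two passwd records are the ones quoted above.

```python
import re

# Default glibc NSS actions: stop on success, otherwise try the next source.
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}

def parse_sources(line):
    """Parse the right-hand side of an nsswitch.conf entry into
    [(service, {status: action})]; a [...] spec binds to the preceding service."""
    sources = []
    for token in re.findall(r"\[[^\]]*\]|\S+", line):
        if not token.startswith("["):
            sources.append((token, dict(DEFAULTS)))
            continue
        if not sources:
            raise ValueError("action spec before any service")
        for crit in token[1:-1].split():
            status, action = crit.lower().split("=")
            negate = status.startswith("!")      # [!STATUS=x] means "all but STATUS"
            status = status.lstrip("!")
            for s in DEFAULTS:
                if (s != status) == negate:
                    sources[-1][1][s] = action
    return sources

def lookup(line, name, backends):
    """Simulate one lookup. Each backend returns a record, None (NOTFOUND),
    or raises ConnectionError (UNAVAIL). Returns (record, service, status)."""
    result = (None, None, "notfound")
    for service, actions in parse_sources(line):
        try:
            record = backends[service](name)
            status = "success" if record is not None else "notfound"
        except ConnectionError:
            record, status = None, "unavail"
        result = (record, service, status)
        if actions[status] == "return":
            break
    return result

# Constructed test fixtures: local records from the thread, LDAP unreachable.
LOCAL = {"nobody": "nobody:x:65534:65534:nobody:/nonexistent:/bin/sh",
         "sshd": "sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin"}
def ldap_down(name):
    raise ConnectionError("LDAP unreachable (e.g. no valid credentials)")
BACKENDS = {"files": LOCAL.get, "ldap": ldap_down}

if __name__ == "__main__":
    for line in ("files ldap", "files ldap [UNAVAIL=return]",
                 "ldap files", "ldap [UNAVAIL=return] files"):
        print(f"{line!r:32} nobody -> {lookup(line, 'nobody', BACKENDS)[1:]}")
```

In this model, only the ordering that places `[UNAVAIL=return]` ahead of `files` stops local accounts from resolving when LDAP is down; `getent passwd nobody` on the affected host is the real-world check.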