Package: libnss-ldap
Version: 261-2.1
Severity: critical

Hello!

As reported in bug 541188 and on the Debian users mailing list
(ldap/libnss/ssh: (remote) login stops working after some time,
Thu, 3 Sep 2009 12:02:34 +0200), login stops working via ssh and
partly locally after some weeks or days:

If this case happens, I

   - cannot login as root (neither locally, nor remotely)
   - cannot login as an ldap user remotely

The error I get from ssh is

r...@ikq3.inf.ethz.ch: ssh_exchange_identification: Connection closed by remote host

The current "fix":

If I login locally as a ldap-user, I CAN login and after that
I can again login remotely, as root and as ldap user.

As Debian Lenny is installed on almost all of our cluster nodes, this is
causing a lot of trouble, as local login is very expensive for us.

If you have any hint on what could be wrong (i.e. configuration / libs / etc.)
or if you are aware of any bug in libnss* or libpam, please let me know.

The current configuration does *not* contain the debug statements anymore,
that I reported previously:

ikq3:~# grep -v ^# /etc/ldap/ldap.conf | grep -v -e ^bindpw -e ^binddn
uri ldaps://ldaps01.ethz.ch ldaps://ldaps02.ethz.ch ldaps://ldaps03.ethz.ch
host ldaps01.ethz.ch ldaps02.ethz.ch ldaps03.ethz.ch
base ou=systems,ou=inf,ou=auth,o=ethz,c=ch
port 636
pam_filter objectclass=account
pam_login_attribute uid
pam_lookup_policy no
nss_base_passwd ou=users,ou=systems,ou=inf,ou=auth,o=ethz,c=ch
nss_base_group ou=Group,ou=inf,ou=auth,o=ethz,c=ch
nss_base_netgroup ou=netgroup,ou=inf,ou=auth,o=ethz,c=ch
ssl yes
tls_checkpeer no
tls_reqcert allow
tls_cacertfile /etc/ldap/ca.pem
ikq3:~#

ikq3:~# grep -v ^# /etc/libnss-ldap.conf | grep -v -e ^bindpw -e ^binddn | grep -v ^\$
uri ldaps://ldaps01.ethz.ch ldaps://ldaps02.ethz.ch ldaps://ldaps03.ethz.ch
base ou=systems,ou=inf,ou=auth,o=ethz,c=ch
port 636
pam_filter objectclass=account
pam_login_attribute uid
pam_lookup_policy no
nss_base_passwd ou=users,ou=systems,ou=inf,ou=auth,o=ethz,c=ch
nss_base_group ou=Group,ou=inf,ou=auth,o=ethz,c=ch
nss_base_netgroup ou=netgroup,ou=inf,ou=auth,o=ethz,c=ch
ssl yes
tls_checkpeer no
tls_reqcert allow
tls_cacertfile /etc/ssl/certs/id.pem
ikq3:~#

ikq3:~# grep -v ^# /etc/nsswitch.conf|grep -v ^\$
passwd:         files ldap
group:          files ldap
shadow:         files
hosts:          files dns
networks:       files
services:       db files
protocols:      db files
rpc:            db files
ethers:         db files
netgroup:       files ldap
ikq3:~#

Example log entries, right before and when the problem has begun:

Oct 25 21:12:09 ikq3 ntpd[29666]: Terminating
Oct 25 21:12:10 ikq3 puppetd[4049]: Finished catalog run in 21.47 seconds
Oct 25 21:13:23 ikq3 ntpd[29675]: adjusting local clock by -0.151286s
Oct 25 21:15:01 ikq3 /USR/SBIN/CRON[29685]: (root) CMD ([ -x /usr/lib/sysstat/sa1 ] && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; [ "$ENABLED" = "true" ] && exec /usr/lib/sysstat/sa1 $SA1_OPTIONS 1 1 ; })
Oct 25 21:17:01 ikq3 /USR/SBIN/CRON[29695]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Oct 25 21:24:51 ikq3 ntpd[29675]: adjusting local clock by -0.146785s
Oct 25 21:25:01 ikq3 CRON[29723]: Authentication failure
Oct 25 21:28:47 ikq3 postfix/pickup[29737]: fatal: file /etc/postfix/main.cf: parameter default_privs: unknown user name value: nobody
Oct 25 21:28:48 ikq3 postfix/master[14129]: warning: process /usr/lib/postfix/pickup pid 29737 exit status 1
Oct 25 21:28:48 ikq3 postfix/master[14129]: warning: /usr/lib/postfix/pickup: bad command startup -- throttling
Oct 25 21:35:01 ikq3 CRON[29769]: Authentication failure
Oct 25 22:12:24 ikq3 puppetd[4049]: (//Node[ikq3]/ethz_systems::generic/ethz/File[/etc/ethz]) Failed to retrieve current state of resource: Could not find user root

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_CH.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldap depends on:
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  libc6           2.7-18                   GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii  libldap-2.4-2   2.4.11-1                 OpenLDAP libraries
ii  libsasl2-2      2.1.22.dfsg1-23+lenny1   Cyrus SASL - authentication abstra

Versions of packages libnss-ldap recommends:
ii  libpam-ldap     184-4.2                  Pluggable Authentication Module fo
ii  nscd            2.7-18                   GNU C Library: Name Service Cache

libnss-ldap suggests no packages.

-- debconf information:
  libnss-ldap/rootbindpw: (password omitted)
  libnss-ldap/bindpw: (password omitted)
  libnss-ldap/dblogin: false
  libnss-ldap/override: true
  shared/ldapns/base-dn: dc=example,dc=net
  shared/ldapns/ldap-server: ldapi:///
  libnss-ldap/confperm: false
  libnss-ldap/rootbinddn: cn=manager,dc=example,dc=net
  shared/ldapns/ldap_version: 3
  libnss-ldap/binddn: cn=proxyuser,dc=example,dc=net
  libnss-ldap/nsswitch:
  libnss-ldap/dbrootlogin: true
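
The log excerpt in the report shows several unrelated programs (cron, postfix, puppetd) failing account lookups within the same hour. As an added example (not part of the original report and not code from libnss-ldap), this Python script scans syslog lines for the three messages quoted in the report and flags a node once a local account fails to resolve or more than one program is affected; the function names, the alert rule and the assumption that root and nobody are defined in /etc/passwd belong to this example.

```python
import re

# Log lines copied from the report above (routine ntpd/cron lines trimmed).
SAMPLE_LOG = """\
Oct 25 21:12:10 ikq3 puppetd[4049]: Finished catalog run in 21.47 seconds
Oct 25 21:24:51 ikq3 ntpd[29675]: adjusting local clock by -0.146785s
Oct 25 21:25:01 ikq3 CRON[29723]: Authentication failure
Oct 25 21:28:47 ikq3 postfix/pickup[29737]: fatal: file /etc/postfix/main.cf: parameter default_privs: unknown user name value: nobody
Oct 25 21:35:01 ikq3 CRON[29769]: Authentication failure
Oct 25 22:12:24 ikq3 puppetd[4049]: (//Node[ikq3]/ethz_systems::generic/ethz/File[/etc/ethz]) Failed to retrieve current state of resource: Could not find user root
"""

# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")

# Messages quoted in the report; group 1 is the account name when one is given.
SIGNATURES = [
    re.compile(r"unknown user name value: (\S+)"),
    re.compile(r"Could not find user (\S+)"),
    re.compile(r"^Authentication failure$"),
]

# Assumption: these accounts are defined in /etc/passwd on the node.
LOCAL_ACCOUNTS = {"root", "nobody"}


def find_lookup_failures(text):
    """Return (timestamp, program, account-or-None) per matching line."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        stamp, _host, program, message = m.groups()
        for sig in SIGNATURES:
            hit = sig.search(message)
            if hit:
                account = hit.group(1) if sig.groups else None
                events.append((stamp, program, account))
                break
    return events


def summarize(events):
    """Flag the node when a local account is unresolved or 2+ programs fail."""
    programs = {program for _, program, _ in events}
    unresolved = {a for _, _, a in events if a in LOCAL_ACCOUNTS}
    return {"onset": events[0][0] if events else None, "programs": programs,
            "unresolved_local": unresolved,
            "alert": bool(unresolved) or len(programs) >= 2}
```

Run against a node's syslog, the onset timestamp gives the first matching line, which is where to start correlating with other activity on the host.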