[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Rune: just google for nscd problems, it has a long history of stability issues. But on top of the issues caused by poor implementation, it also has problems due to an inherently inadequate design. Some of these issues are outlined in my LDAPCon presentation linked above. All of this is well documented, I don't think it bears repeating in this already-too-long bug report. (Just bringing this report up on my Seamonkey browser drags the browser to its knees.)

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Potential gnutls fix: do gcrypt initialization as long as it isn't already finished. Probably a bad idea.

** Attachment added: "potential gnutls fix"
   http://launchpadlibrarian.net/45701794/dif2.txt
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
There is always the chance of something crashing, no matter how you fix this problem! Of course having a sudoable (or root) account in the local passwd database would remove a lot of the uncertainty that comes from relying on the network for resolving users.

Several have commented that nscd is unstable. However, I see no launchpad bug documenting this. I have had no problems with nscd and it seems muzzol hasn't either. Also, I have had no problems with libnss-ldapd. So both are possible workarounds.

The suggested release note from mathias gug doesn't really provide an acceptable workaround as it essentially disables the use of ldap for resolving users.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Probably the best fix: don't call global_init when setting the thread callbacks.

** Attachment added: "potential libgcrypt fix"
   http://launchpadlibrarian.net/45701569/dif1.txt
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
I read all of the diffs between 1.4.1 and 1.4.4 but didn't find any likely suspects. However, tracing the library initialization in gdb, I found the specific problem.

Ordinarily gnutls will initialize the gcrypt library, if no app has done so already. In the gnutls initialization, it specifically turns gcrypt's secure malloc off, and everything works fine.

However, in my trace on Lucid, libnss-ldap is linked to libldap_r, not libldap. And because libldap_r has to support threads, it is required to initialize libgcrypt's thread callbacks, and it must do this before doing anything else with libgcrypt or gnutls.

http://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading

The problem with that is, once we do this thread initialization, libgcrypt considers itself fully initialized. When we next call gnutls's init function, it checks to see if gcrypt is init'd or not, sees that it is, and skips any further init'ing. So the secure malloc stuff remains enabled.

I guess in this case we could do the initialization that gnutls skips, but that's rather ugly, libldap shouldn't have to know or duplicate the initialization steps inside gnutls_global_init().

Alternatively, libgcrypt could be changed to not call its global_init() right after setting the thread callbacks, since it's obvious that the caller still has other initialization calls that it needs to make. (Frankly I think this is the correct option.)

Finally, gnutls_global_init() could be changed to check for initialization_finished, instead of initialization_started. (i.e., check for GCRYCTL_INITIALIZATION_FINISHED_P, instead of GCRYCTL_ANY_INITIALIZATION_P). But this latter is pretty dicey, gnutls really has no way to know if it should be meddling in a half-initialized libgcrypt or not.

I'm trying really hard not to say "I told you so" again, but I just can't stop myself.
Re: [Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
2010/4/27 Hark:
> Rune: The first solution (nscd) is not waterproof as nscd tends to crash
> quite often (and thus revoking your ability to do su or sudo as ldap
> user)

i use a combination of LDAP + NSCD + cached credentials (ccreds) and i can do su or sudo without problems.

-- 
^ ^
O O
(_ _)
muzzol(a)muzzol.com
jabber id: muzzol(a)jabber.dk
Don't attribute human qualities to computers. They don't like it.
"The Spanish government only talks to terrorists, homosexuals and Catalans; let's see when it decides to talk to normal people" Jiménez Losantos
bomb terrorism bush aznar teletubbies
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Rune: The first solution (nscd) is not waterproof as nscd tends to crash quite often (and thus revoking your ability to do su or sudo as ldap user)
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
The workarounds available AFAIK are:
- install nscd
- or replace libnss-ldap with libnss-ldapd (and nslcd)

Both workarounds worked for me on karmic.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Mathias: IIRC, the compat workaround only works if you have all users in the local passwd database. You still won't be able to use sudo, or run any other setuid binary that uses nss-services, for users that don't exist in the local passwd database.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
According to the reporter this configuration used to work in jaunty. libgcrypt11 version is 1.4.1-2ubuntu1. It seems that something changed/broke between 1.4.1 and 1.4.4.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Lucid release note:

Upgrading systems configured to use ldap via ssl as the first service in the nss stack (in nsswitch.conf) leads to a broken nss resolution afterwards (for example sudo would stop working). A workaround is to configure ldap to be used after the compat service in nsswitch.conf before the upgrade is started.

** Also affects: ubuntu-release-notes
   Importance: Undecided
       Status: New
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Updating statuses based on Howard feedback in comment 62.

** Changed in: eglibc (Ubuntu Karmic)
       Status: New => Invalid

** Changed in: eglibc (Ubuntu Lucid)
       Status: New => Invalid

** Changed in: libnss-ldap (Ubuntu Karmic)
       Status: New => Invalid

** Changed in: libnss-ldap (Ubuntu Lucid)
       Status: New => Invalid

** Changed in: sudo (Ubuntu Karmic)
       Status: New => Invalid

** Changed in: sudo (Ubuntu Lucid)
       Status: New => Invalid

** Changed in: libgcrypt11 (Ubuntu Karmic)
   Importance: Undecided => Medium

** Changed in: libgcrypt11 (Ubuntu Karmic)
       Status: New => Triaged

** Changed in: libgcrypt11 (Ubuntu Lucid)
   Importance: Undecided => Medium

** Changed in: libgcrypt11 (Ubuntu Lucid)
       Status: New => Triaged
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
If I can try to summarize the situation on this bug:
- This is a regression from hardy. This used to work on hardy.
- We document using tls for LDAP authentication in the server guide

The most annoying point IMHO, is that someone who has root access to his server with a LDAP account with sudo, will not be able to get root access after upgrading.

If we are not able to fix this before release (which is highly probable considering where we are in the release cycle), I think it is worth some words in the release notes.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
mathias, could you clarify if there is anything we can do here pre-Lucid release?

** Changed in: sudo (Ubuntu Lucid)
     Assignee: (unassigned) => Mathias Gug (mathiaz)
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Looking at the gcrypt code, it seems this bug should be reported against that; this whole secmem implementation (1) requires a program to be started as root (setuid) and (2) always drops the root priv when it has initialized its secure memory. These behaviors would certainly interfere with any setuid program's normal behavior.

Seems like a design flaw in libgcrypt, as the docs
http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html#Initializing-the-library
state that the application is responsible for controlling this behavior. Apps that are unaware that they are using gcrypt (because it came in implicitly through gnutls, thru libldap, thru nss) are SOL.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Right, given the timing for the Lucid release it's probably way too late.

I can't comment on your experience with nslcd as I have never used its code or read it in depth. The stub library and nssov have been pretty well tested internally in Symas; since the stub library is almost entirely cookie-cutter code it's known to be bug-free. At the risk of sounding like a commercial, I should note that Symas is offering standalone packages for free evaluation (our SUUMv4 product, based on nssov). A number of our customers have migrated successfully, it's an easy transition.

In the meantime, for this bug, it looks like gcrypt uses its internal secure malloc function if the app didn't set any overrides. I'm not sure that making libldap override the secure malloc is a good idea, since some apps may still want that secure malloc behavior. And any app that explicitly uses gnutls or libgcrypt may get its preference silently overridden by libldap, or vice versa.

Again, the only safe way to address this bug is by taking libldap/nss_ldap out of the application's address space.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Howard, I have longingly looked at libnss-ldapd for almost 4 years now, and absolutely agree it has a better architecture, cleaner code etc., and is a sensible long-term migration path. (The other possibility being sssd.)

But multiple test migrations in my LDAP deployments always turned up some show-stopper problem or another. The last of these happened 3-4 months ago with ubuntu workstations, running an up-to-date karmic client-side (actually triggered by trying to work around exactly this bug).

If the server team decides they want to try migrating for lucid, I'd be the first to offer help testing. But I sure don't see this happening before lucid+1.

Disclaimer: haven't tried the caching slapd with nssov yet, only nslcd, because i need at least an incremental migration path.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
I'd be happy to write a patch for the documentation. And given all of the problems with the design (and implementation) of libnss-ldap, I'd say any analysis will show that libnss-ldapd is still the path of lowest risk and greatest stability. (In particular, when used with OpenLDAP nssov.)
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Howard: I really agree that the libnss-ldapd design is much cleaner and a better alternative in the long run (e.g., doing client certificates with libnss-ldap would be "interesting"). However, the documented way [1] of using ldap for authentication uses libnss-ldap, so this should be supported or the documentation needs to be changed. Besides, I think a lot of organizations would be hesitant to migrate to libnss-ldapd.

[1] https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
You can find detailed design docs at its home page
http://arthurdejong.org/nss-pam-ldapd/

You can also find my LDAPCon2009 presentation on the subject here
http://www.symas.com/ldapcon2009/papers/hyc1.shtml
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Howard, a quick google didn't show much other than package info for libnss-ldapd. Do you have any links to documentation that might be of use? We're about to do a major ldap rollout for our servers at work and I want to know as much as I can ahead of time.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Regardless of what the root cause turns out to be, you guys really need to switch to libnss-ldapd, which will reliably isolate the user apps from whatever junk is going on inside libldap / gnutls / whatever. (And if you're not using the latest version, which also handles pam_ldap, then you need to update.)
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Great find, Andreas. So gnutls is calling gcrypt's secure memory functions. And yet, the gnutls docs say these functions are not used by default, and certainly OpenLDAP does not configure gnutls to use them. Something else in the stack must be setting that behavior.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
** Also affects: libgcrypt11 (Ubuntu)
   Importance: Undecided
       Status: New
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
I managed to get a core-dump from a test program (a nice little hack that debugs the test application and core dumps it when it executes the setuid syscall) that reproduces the bug. The following stack trace might be of interest:

  #0  __nptl_setxid (cmdp=0x7fff1439ad00) at allocatestack.c:1135
  #1  0x7f41dda052fb in __setuid (uid=) at ../sysdeps/unix/sysv/linux/setuid.c:26
  #2  0x7f41db005124 in lock_pool (n=) at secmem.c:296
  #3  secmem_init (n=) at secmem.c:477
  #4  0x7f41db0052da in _gcry_secmem_malloc_internal (size=128) at secmem.c:509
  #5  0x7f41db005368 in _gcry_secmem_malloc (size=128) at secmem.c:544
  #6  0x7f41db00084d in do_malloc (n=1000, flags=1000, mem=0x7fff1439adb8) at global.c:730
  #7  0x7f41db00087c in _gcry_malloc_secure (n=1000) at global.c:769
  #8  0x7f41db0130c0 in md_open (h=0x7fff1439ae28, algo=1, secure=, hmac=) at md.c:487
  #9  0x7f41db0131ea in _gcry_md_open (h=0x7fff1439af18, algo=1000, flags=) at md.c:530
  #10 0x7f41dbd03c0f in wrap_gcry_mac_init (algo=, ctx=0x3e8) at mac-libgcrypt.c:42
  #11 0x7f41dbcea127 in _gnutls_hmac_init (dig=0x7fff1439af10, algorithm=GNUTLS_MAC_MD5, key=0x10afbc0, keylen=24) at gnutls_hash_int.c:277
  #12 0x7f41dbcfad78 in _gnutls_P_hash (algorithm=, secret=, secret_size=, seed=, seed_size=, total_bytes=, ret=0x7fff1439b170 "\231\376~", ) at gnutls_state.c:811
  #13 0x7f41dbcfafca in _gnutls_PRF (session=, secret=, secret_size=, label=, label_size=, seed=0x7fff1439b570 "K\310\331\346-\364\310*~E%\026\223g\216\323K֜\272^1\270Fn\025\254\307`\235%\rK\310\331\345\267\337\023y\314Tn\262-\277\236S\017\362B\237W\220\017\366H\035\372͟5\204\027\001", seed_size=, total_bytes=48, ret=0x10b2552) at gnutls_state.c:926
  #14 0x7f41dbce883f in generate_normal_master (session=0x10b2530, keep_premaster=0) at gnutls_kx.c:155
  #15 0x7f41dbcf35bb in _gnutls_connection_state_init (session=0x3e8) at gnutls_constate.c:434
  #16 0x7f41dbce43f8 in _gnutls_send_handshake_final (session=0x10b2530, init=1) at gnutls_handshake.c:2472
  #17 0x7f41dbce45d5 in _gnutls_handshake_common (session=0x10b2530) at gnutls_handshake.c:2700
  #18 0x7f41dbce5c67 in gnutls_handshake (session=0x10b2530) at gnutls_handshake.c:2297
  #19 0x7f41dd3196de in ?? () from /usr/lib/libldap_r-2.4.so.2
  #20 0x7f41dd3184a2 in ?? () from /usr/lib/libldap_r-2.4.so.2
  #21 0x7f41dd318703 in ldap_int_tls_start () from /usr/lib/libldap_r-2.4.so.2
  #22 0x7f41dd5338fc in ?? () from /lib/libnss_ldap.so.2
  #23 0x7f41dd533f29 in ?? () from /lib/libnss_ldap.so.2
  #24 0x7f41dd534832 in ?? () from /lib/libnss_ldap.so.2
  #25 0x7f41dd534bbd in ?? () from /lib/libnss_ldap.so.2
  #26 0x7f41dd5352b7 in _nss_ldap_getpwnam_r () from /lib/libnss_ldap.so.2
  #27 0x7f41dda0345d in __getpwnam_r (name=0x4017d4 "foo", resbuf=0x7f41ddcd8ce0, buffer=0x107f010 "nslcd", buflen=1024, result=) at ../nss/getXXbyYY_r.c:253
  #28 0x7f41dda02e40 in getpwnam (name=0x4017d4 "foo") at ../nss/getXXbyYY.c:117
  #29 0x00401202 in main (argc=1, argv=0x7fff1439c538) at debug.c:175

Stack frame 2 (secmem.c:296 in libgcrypt) is of particular interest. The code looks like this (with uid = getuid()):

  if (uid && ! geteuid ())
    {
      /* check that we really dropped the privs.
       * Note: setuid(0) should always fail */
      if (setuid (uid) || getuid () != geteuid () || !setuid (0))
        log_fatal ("failed to reset uid: %s\n", strerror (errno));
    }

This is clearly not what we want... :(
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Debugging this one proved to be pretty tricky. GDB has a nasty habit of losing control over the debuggee (bug #563361). I've managed to find out that setuid is called from nptl/allocatestack.c:__nptl_setxid in eglibc, but I haven't succeeded in getting a stack trace. If I understand things correctly, this routine is called from a signal handler installed by pthreads.
Re: [Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
On Wed, Apr 14, 2010 at 06:35:10AM -, Bolesław Tokarski wrote:
>
> I do not know if this solution would be acceptable for Debian, due to
> some license concerns.
>

Ubuntu follows the same principle as Debian in terms of licensing. Openldap cannot be compiled with openssl due to the conflict between the license of programs linked to libldap and OpenSSL license:

  program (Program license) <-linked-> libldap <-linked-> libssl (OpenSSL license)

We have programs in the archive whose license is incompatible with OpenSSL license.

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Why would openssl be a problem? It is included in debian
http://packages.debian.org/sid/openssl
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
I can confirm that this is a show stopper for lots of companies. For example in the company where I work we are planning to upgrade lots of machines from Hardy to Lucid, but this won't happen before this bug has been solved. And I don't expect we are going to compile ldap with a custom option on each server.

By the way I don't understand the fun of GnuTLS. It has caused us a lot of trouble in the past. Was licensing the only reason to replace openssl?
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Yes, the problem went away, when I installed libldap, which I compiled with openssl.

  apt-get source libldap

Edit openldap-2.4.21/debian/configure.options to change --with-tls=gnutls to --with-tls=openssl (do not forget to install the libssl-dev package and build-depends for openldap)

  debian/rules binary-arch

That solves the problem on Karmic. I hope it is going to be solved on the LTS. I was intending to use that for corporate workstations. The fewer manual modifications the better.

I do not know if this solution would be acceptable for Debian, due to some license concerns.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
I was suspecting this was the case, I was meaning to try this myself but got caught up in doing more urgent things (paper deadline). I think linking with OpenSSL is an acceptable solution if this fixes this issue. Anyway this bug is really a show stopper for using Ubuntu in a lot of companies, so it should be fixed prior to the LTS release.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
I agree. gnutls is often the source of strange, unforeseen errors. I'd also vote to replace it with the reliable and proven openssl. So linking libldap2 with openssl fixes this issue?
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
I worked around the problem by recompiling libldap2 with openssl. It seems there is either a bug in GnuTLS or some kind of interface bug between ldap and gnutls. This is not the first problem I encountered with openldap and gnutls. Maybe we should link openldap with openssl in the distro?
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
@Andreas: wow, that explains a lot, especially why installing nscd seems to help. Because if nscd is not running, the libnss_ldap function getpwnam() resolves to will run in process, and someone in there (libgnutls ?) does the privilege drop. Good catch, let's investigate further.

** Changed in: sudo (Kairos Linux)
   Importance: Undecided => High

** Changed in: sudo (Kairos Linux)
       Status: New => Confirmed

** Changed in: sudo (Kairos Linux)
     Assignee: (unassigned) => Philipp Kaluza (pixelpapst)
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
It seems like this wasn't an error in the handling of the setuid bit after all. It seems like the EUID is reset to UID after getpwnam is called. Attaching a simple test program. Compile and change the owner to root and set the setuid bit.

Expected output:
EUID0: 0, EUID1: 0

On systems with broken LDAP support (EUID1 will be set to the UID of the process):
EUID0: 0, EUID1: 1000

** Attachment added: "getpwnam_xid_test.c"
   http://launchpadlibrarian.net/43116436/getpwnam_xid_test.c
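The in-process privilege drop suspected two comments up, and the EUID0/EUID1 test just described, can be checked with a small diagnostic of this shape. This is an added example, not the getpwnam_xid_test.c attachment from the report; the function and output format are my own, and the lookup name defaults to "root" only as a placeholder.

```c
/* Added diagnostic (not the bug report's attachment): does a single NSS
 * lookup change the effective UID of the calling process?  To reproduce the
 * symptom described in the thread, build it, chown it to root, set the
 * setuid bit, and run it as an LDAP-resolved user with libnss_ldap in
 * nsswitch.conf and nscd stopped, so that the lookup runs in-process. */
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Performs one getpwnam() call and records the effective UID before and
 * after it.  Returns 1 if the EUID survived the lookup, 0 if it changed.
 * The lookup result itself is irrelevant; only the side effect matters. */
int euid_survives_getpwnam(const char *name, uid_t *before, uid_t *after)
{
    uid_t e0 = geteuid();
    struct passwd *pw = getpwnam(name);   /* runs the NSS module in-process */
    (void)pw;
    uid_t e1 = geteuid();
    if (before) *before = e0;
    if (after)  *after  = e1;
    return e0 == e1;
}

int main(int argc, char **argv)
{
    /* "root" is a placeholder default; pass an LDAP user name to exercise
     * the LDAP-backed lookup path. */
    const char *name = argc > 1 ? argv[1] : "root";
    uid_t before, after;
    int ok = euid_survives_getpwnam(name, &before, &after);

    /* Same layout as the report: a healthy setuid-root run prints
     * "EUID0: 0, EUID1: 0"; a broken one prints the caller's UID as EUID1. */
    printf("UID: %u, EUID0: %u, EUID1: %u\n",
           (unsigned)getuid(), (unsigned)before, (unsigned)after);
    if (!ok) {
        fprintf(stderr, "EUID changed during getpwnam(\"%s\"): an NSS module "
                        "or a library it loads dropped privileges in-process\n",
                name);
        return 1;
    }
    return 0;
}
```

A non-zero exit here is the condition under which sudo's later setreuid() fails with "Operation not permitted" as reported further down in the thread; run it once with nscd stopped and once with it running to see which configuration keeps the lookup out of process.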
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
I'm also experiencing this issue in the latest Lucid beta. When I started investigating, I found that the system does not obey the setuid bit on /bin/su if I'm running it as a user in the LDAP database. However, running as a local user works as expected.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Finally got a chance to revisit this after post #29 above. For that server's config I still had a local /etc/passwd entry for the affected account and so was not triggering the described su and sudo symptoms.

On Karmic with:
libnss-ldap 261-2.1ubuntu4
sudo 1.7.0-1ubuntu2.1
login 1:4.1.4.1-1ubuntu2

Without an /etc/passwd entry and an otherwise working libnss-ldap setup sudo returns
sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
and su fails with
su: Authentication failure

Tests:
With libnss-ldap, su and sudo fail.
With nscd and libnss-ldap, su and sudo work.
With libnss-ldapd, with or without nscd, su and sudo work.
As root, getent returns passwd entries correctly for all the above cases.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
** Changed in: sudo (Ubuntu Lucid)
   Importance: Undecided => Medium

** Changed in: libnss-ldap (Ubuntu Lucid)
   Importance: Undecided => Medium
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Bug still present under the latest lucid beta.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
Since 8.10 (Intrepid), the Ubuntu Server Guide section regarding LDAP authentication references the auth-client-config and libnss-ldap packages. However, following these instructions when using LDAP with TLS breaks various authentication functions in 9.10 (Karmic). After determining this issue still exists (nearly 7 months later) in the beta release of 10.04 (Lucid), I began looking for new workarounds.

I found a package first available in Karmic, nslcd, which also installs libnss-ldapd, nscd, and several other dependencies. All of the latter packages exist in the 'universe' component. I removed the nscd package for testing purposes. Using the configuration provided in the opening post for this bug report, 'su' and 'sudo' now function properly.

Although I'm still unsure as to the exact origin of this issue (e.g., eglibc, libnss-ldap, sudo, etc.), replacing libnss-ldap with libnss-ldapd probably provides the core of this workaround.
[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'
It would help to understand if the problem is with eglibc, sudo, or libnss-ldap.

** Package changed: glibc (Ubuntu) => eglibc (Ubuntu)

** Also affects: libnss-ldap (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: eglibc (Ubuntu Lucid)
   Importance: Undecided
       Status: Confirmed

** Also affects: libnss-ldap (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: eglibc (Ubuntu Karmic)
   Importance: Undecided
       Status: New

** Also affects: libnss-ldap (Ubuntu Karmic)
   Importance: Undecided
       Status: New

** Changed in: eglibc (Ubuntu Karmic)
       Status: New => Invalid

** Changed in: eglibc (Ubuntu Lucid)
       Status: Confirmed => Invalid

** Changed in: eglibc (Ubuntu Karmic)
       Status: Invalid => New

** Package changed: eglibc (Ubuntu Karmic) => sudo (Ubuntu Karmic)

** Changed in: sudo (Ubuntu Lucid)
       Status: Invalid => New

** Also affects: eglibc (Ubuntu)
   Importance: Undecided
       Status: New