[CentOS] nsswitch.conf, ldap, local groups problem
Craig White
craigwhite at azapple.com
Wed Aug 27 19:03:54 UTC 2008
On Wed, 2008-08-27 at 14:53 -0400, Mark Hennessy wrote:
> Quoting Craig White <craigwhite at azapple.com>:
>
> > On Wed, 2008-08-27 at 12:34 -0400, Mark Hennessy wrote:
> >> I'm using CentOS 5.0, 5.1, and 5.2 on several systems where I'm seeing
> >> this problem.
> >>
> >> Hello, I'm seeing a weird problem that perhaps someone has run into
> >> with groups.
> >>
> >> First, a little background.
> >> I was made aware of a problem with CentOS 5 where if the nscd password
> >> cache is clear and someone tries to log in with an LDAP account while
> >> there is no network connection, it just hangs. Even worse, if the
> >> machine is rebooted and it continues to have no network connection,
> >> even root login doesn't work. I messed around with nsswitch.conf to
> >> fix this problem.
> >>
> >> I altered these lines as so:
> >> passwd: files [!NOTFOUND=return] ldap
> >> shadow: files [!NOTFOUND=return] ldap
> >> group: files [!NOTFOUND=return] ldap
> >>
> >> and the problem seemed to go away.
> >>
> >> But now, here's the weird stuff:
> >> I have defined in my local /etc/groups file this line:
> >> group1:x:100:apache
> >> group2:x:101:apache
> >>
> >> 'getent group groupname' shows the right info:
> >> # getent group group1
> >> group1:x:100:apache
> >>
> >> # sudo -u apache bash
> >> $ groups
> >> apache
> >>
> >> I revert back to my old config:
> >> # sudo -u apache bash
> >> $ groups
> >> apache group1 group2
> >>
> >> Also, something else that's interesting. If I do this:
> >> passwd: files [!NOTFOUND=return] ldap
> >> shadow: files [!NOTFOUND=return] ldap
> >> group: ldap [NOTFOUND=continue] files
> >>
> >> and reboot, udev segfaults and the system freezes up after a few
> >> more seconds.
> >> Starting udev: /sbin/start_udev: line 43: 519 Segmentation fault
> >> "$@" $ARGS
> >> /sbin/start_udev: line 201: 523 Segmentation fault /sbin/udevd -d
> >> Wait timeout. Will continue in the background.[FAILED]
> >>
> >> Any advice?
> > ----
> > Try putting this at the bottom of /etc/ldap.conf
> >
> > timelimit 30
> > bind_timelimit 30
> > bind_policy soft
> > nss_initgroups_ignoreusers root,ldap
> >
> > I wouldn't recommend the changes that you have in nsswitch.conf
>
> Unfortunately, that doesn't work either.
> I made the changes, shut down the machine and started it without
> networking, and here's what happens:
>
> login: root
> Password:
>
> login:
>
> login pukes and init starts it again.
----
You shouldn't need to restart, but if you can't log in as root, you
probably still have something messed up in /etc/nsswitch.conf or may
have messed up /etc/passwd | /etc/shadow.
Can you log in as a user and su - to root?
If not, it probably would be best to boot to runlevel 1 and
edit /etc/nsswitch.conf so it has this...
passwd: files ldap
shadow: files ldap
group: files ldap
and remove the NOTFOUND entries.
Craig
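Added example (not from the thread or from CentOS): a small Python model of the nsswitch.conf action semantics documented in nsswitch.conf(5), run against the three `group:` lines quoted above. The per-service statuses it is fed are constructed. It shows that `files [!NOTFOUND=return] ldap` behaves exactly like plain `files ldap` unless the files service itself reports UNAVAIL or TRYAGAIN, that ldap is still consulted whenever a name is absent from the local files, and that `ldap [NOTFOUND=continue] files` puts ldap in front of files for every lookup (NOTFOUND=continue is already the default).

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# glibc defaults (nsswitch.conf(5)): stop on a hit, otherwise try the next service.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_db_line(line):
    """Parse one database line such as 'group: files [!NOTFOUND=return] ldap'
    into (db, [(service, {status: action}), ...]); '!' negates the status test."""
    db, _, spec = line.partition(":")
    services = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not tok.startswith("["):
            services.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not services:
            raise ValueError("action spec before any service")
        for item in tok[1:-1].split():
            status, _, action = item.partition("=")
            negate = status.startswith("!")
            status, action = status.lstrip("!").upper(), action.lower()
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError(f"unsupported action spec {item!r}")
            for s in (set(STATUSES) - {status}) if negate else {status}:
                services[-1][1][s] = action
    return db.strip(), services

def lookup(line, results):
    """Simulate a single-entry lookup (getgrnam-style) for one database line.
    `results` maps service -> the status it would report; a service with no
    entry is treated as UNAVAIL (module missing). Returns (final_status, consulted).
    Supplementary-group (initgroups) walks have their own rules and are not modelled."""
    _, services = parse_db_line(line)
    consulted, final = [], "NOTFOUND"
    for service, actions in services:
        final = results.get(service, "UNAVAIL")
        consulted.append(service)
        if actions[final] == "return":
            break
    return final, consulted

if __name__ == "__main__":
    # Constructed scenario: group1 exists only in /etc/group and the box is offline.
    offline = {"files": "SUCCESS", "ldap": "UNAVAIL"}
    for cfg in ("group: files ldap",
                "group: files [!NOTFOUND=return] ldap",
                "group: ldap [NOTFOUND=continue] files"):
        print(f"{cfg!r:45} -> {lookup(cfg, offline)}")
    missing = {"files": "NOTFOUND", "ldap": "UNAVAIL"}   # name not in local files
    print(lookup("group: files [!NOTFOUND=return] ldap", missing))
```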