On Wed, 2008-08-27 at 17:07 -0400, Mark Hennessy wrote:
Quoting Craig White craigwhite@azapple.com:
On Wed, 2008-08-27 at 14:53 -0400, Mark Hennessy wrote:
Quoting Craig White craigwhite@azapple.com:
On Wed, 2008-08-27 at 12:34 -0400, Mark Hennessy wrote:
I'm using CentOS 5.0, 5.1, and 5.2 on several systems where I'm seeing this problem.
Hello, I'm seeing a weird problem that perhaps someone has run into with groups.
First, a little background. I was made aware of a problem with CentOS 5 where if the nscd password cache is clear and someone tries to log in if there is no network connection with an LDAP account that it just hangs. Even worse, if the machine is rebooted and it continues to have no network connection, even root login doesn't work. I messed around with nsswitch.conf to fix this problem.
I altered these lines as so:

    passwd: files [!NOTFOUND=return] ldap
    shadow: files [!NOTFOUND=return] ldap
    group:  files [!NOTFOUND=return] ldap
and the problem seemed to go away.
But now, here's the weird stuff: I have defined in my local /etc/groups file these lines:

    group1:x:100:apache
    group2:x:101:apache

'getent group groupname' shows the right info:

    # getent group group1
    group1:x:100:apache

    # sudo -u apache bash
    $ groups
    apache

I revert back to my old config:

    # sudo -u apache bash
    $ groups
    apache group1 group2
Also, something else that's interesting. If I do this:

    passwd: files [!NOTFOUND=return] ldap
    shadow: files [!NOTFOUND=return] ldap
    group:  ldap [NOTFOUND=continue] files

and reboot, udev segfaults and the system freezes up after a few more seconds.

    Starting udev: /sbin/start_udev: line 43:   519 Segmentation fault      "$@" $ARGS
    /sbin/start_udev: line 201:   523 Segmentation fault      /sbin/udevd -d
    Wait timeout. Will continue in the background.[FAILED]
Any advice?
Try putting this at the bottom of /etc/ldap.conf

    timelimit 30
    bind_timelimit 30
    bind_policy soft
    nss_initgroups_ignoreusers root,ldap
I wouldn't recommend the changes that you have in nsswitch.conf
Unfortunately, that doesn't work either. I made the changes, shut down the machine and started it without networking, and here's what happens:
    login: root
    Password:

    login:
login pukes and init starts it again.
you shouldn't need to restart, but if you can't log in as root, you probably still have something messed up in /etc/nsswitch.conf or may have messed up /etc/passwd | /etc/shadow
can you login as a user and su - to root?
if not, it probably would be best to boot to runlevel 1 and edit /etc/nsswitch.conf so it has this...
    passwd: files ldap
    shadow: files ldap
    group:  files ldap
and remove the NOTFOUND entries
Yes, done. Without networking, still the login failure trouble.
With networking, no trouble at all, but with those timeouts of 30 seconds and without those changes to nsswitch.conf, it takes a while for the first root login to succeed even though it is using local auth.
----
do you have this line in /etc/pam.d/system-auth

    account     sufficient    pam_localuser.so

???
What does your /etc/pam.d/system-auth look like?
Craig
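The [!NOTFOUND=return] and [NOTFOUND=continue] syntax the thread argues about is evaluated by glibc one service at a time. The following is an added example, not code from the thread or from glibc: a small Python model of that walk, with constructed lookup outcomes (OFFLINE_ROOT, a box whose network is down) so you can see which services each variant of the nsswitch.conf line actually consults. The initgroups flag assumes glibc's behaviour of merging supplementary groups from every listed service.

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# glibc defaults for a service with no [...] block: only SUCCESS ends the walk.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_line(line):
    """'group: files [!NOTFOUND=return] ldap' -> ('group', [(service, {status: action}), ...])"""
    db, _, rest = line.partition(":")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not tok.startswith("["):
            entries.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not entries:
            raise ValueError("action block before any service: " + line)
        actions = entries[-1][1]  # the block applies to the service just before it
        for spec in tok[1:-1].split():
            status, action = spec.upper().split("=", 1)
            if status.startswith("!"):  # '!X=act' covers every status except X
                for s in STATUSES:
                    if s != status[1:]:
                        actions[s] = action.lower()
            else:
                actions[status] = action.lower()
    return db.strip(), entries

def lookup(line, outcomes, initgroups=False):
    """Walk the services on `line`; `outcomes` maps service -> status it would
    return. Returns (final status, services actually consulted). With
    initgroups=True a SUCCESS never stops the walk (glibc merges groups from
    every service), which is why nss_initgroups_ignoreusers exists at all."""
    _, entries = parse_line(line)
    consulted, status = [], "NOTFOUND"
    for service, actions in entries:
        consulted.append(service)
        status = outcomes[service]
        if actions[status] == "return" and not (initgroups and status == "SUCCESS"):
            break
    return status, consulted

# Constructed outcomes: root exists only in /etc/passwd and the network is down,
# so nss_ldap can only report UNAVAIL (in real life after its bind timeout).
OFFLINE_ROOT = {"files": "SUCCESS", "ldap": "UNAVAIL"}

if __name__ == "__main__":
    for cfg in ("passwd: files ldap", "passwd: files [!NOTFOUND=return] ldap",
                "passwd: ldap [NOTFOUND=continue] files"):
        print(cfg, "->", lookup(cfg, OFFLINE_ROOT))
```

For a local user the [!NOTFOUND=return] variant consults exactly the same services as the plain `files ldap` line, and the group walk for initgroups still reaches ldap either way; only the ldap.conf timeouts and nss_initgroups_ignoreusers change how long that costs.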