[CentOS] nsswitch.conf, ldap, local groups problem

Wed Aug 27 21:07:26 UTC 2008
Mark Hennessy <mark at hennessy.cx>

Quoting Craig White <craigwhite at azapple.com>:

> On Wed, 2008-08-27 at 14:53 -0400, Mark Hennessy wrote:
>> Quoting Craig White <craigwhite at azapple.com>:
>>
>> > On Wed, 2008-08-27 at 12:34 -0400, Mark Hennessy wrote:
>> >> I'm using CentOS 5.0, 5.1, and 5.2 on several systems where I'm seeing
>> >> this problem.
>> >>
>> >> Hello, I'm seeing a weird problem that perhaps someone has run into
>> >> with groups.
>> >>
>> >> First, a little background.
>> >> I was made aware of a problem with CentOS 5 where, if the nscd password
>> >> cache is clear and someone tries to log in with an LDAP account when
>> >> there is no network connection, it just hangs.  Even worse, if the
>> >> machine is rebooted and it continues to have no network connection,
>> >> even root login doesn't work.  I messed around with nsswitch.conf to
>> >> fix this problem.
>> >>
>> >> I altered these lines as so:
>> >> passwd:     files [!NOTFOUND=return] ldap
>> >> shadow:     files [!NOTFOUND=return] ldap
>> >> group:      files [!NOTFOUND=return] ldap
>> >>
>> >> and the problem seemed to go away.
>> >>
>> >> But now, here's the weird stuff:
>> >> I have defined in my local /etc/groups file this line:
>> >> group1:x:100:apache
>> >> group2:x:101:apache
>> >>
>> >> 'getent group groupname' shows the right info:
>> >> # getent group group1
>> >> group1:x:100:apache
>> >>
>> >> # sudo -u apache bash
>> >> $ groups
>> >> apache
>> >>
>> >> I revert back to my old config:
>> >> # sudo -u apache bash
>> >> $ groups
>> >> apache group1 group2
>> >>
>> >> Also, something else that's interesting. If I do this:
>> >> passwd:     files [!NOTFOUND=return] ldap
>> >> shadow:     files [!NOTFOUND=return] ldap
>> >> group:      ldap [NOTFOUND=continue] files
>> >>
>> >> and reboot, udev segfaults and the system freezes up after a few
>> >> more seconds.
>> >> Starting udev: /sbin/start_udev: line 43:   519 Segmentation fault
>> >>   "$@" $ARGS
>> >> /sbin/start_udev: line 201:   523 Segmentation fault      /sbin/udevd -d
>> >> Wait timeout. Will continue in the background.[FAILED]
>> >>
>> >> Any advice?
>> > ----
>> > Try putting this at the bottom of /etc/ldap.conf
>> >
>> > timelimit 30
>> > bind_timelimit 30
>> > bind_policy soft
>> > nss_initgroups_ignoreusers root,ldap
>> >
>> > I wouldn't recommend the changes that you have in nsswitch.conf
>>
>> Unfortunately, that doesn't work either.
>> I made the changes, shut down the machine and started it without
>> networking, and here's what happens:
>>
>> login: root
>> Password:
>>
>> login:
>>
>> login pukes and init starts it again.
> ----
> you shouldn't need to restart, but if you can't log in as root, you
> probably still have something messed up in /etc/nsswitch.conf or may
> have messed up /etc/passwd | /etc/shadow
>
> can you log in as a user and su - to root?
>
> if not, it probably would be best to boot to runlevel 1 and
> edit /etc/nsswitch.conf so it has this...
>
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
>
> and remove the NOTFOUND entries

Yes, done.
Without networking, still the login failure trouble.

With networking, no trouble at all, but with those timeouts of 30
seconds and without those changes to nsswitch.conf, it takes a while
for the first root login to succeed even though it is using local auth.

>
> Craig
>
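A small checker for the nsswitch.conf variants discussed in this thread, as an added example that is not part of the thread or of CentOS: it parses the lookup lines and flags a network source placed ahead of `files`, or any explicit action specifier, on the passwd/shadow/group databases. The three sample configurations are constructed from the lines quoted above; the function and variable names are the example's own.

```python
import re

# Constructed nsswitch.conf samples matching the configurations in the thread.
ACTION_CONF = """\
passwd:     files [!NOTFOUND=return] ldap
shadow:     files [!NOTFOUND=return] ldap
group:      files [!NOTFOUND=return] ldap
"""
LDAP_FIRST_CONF = """\
passwd:     files [!NOTFOUND=return] ldap
shadow:     files [!NOTFOUND=return] ldap
group:      ldap [NOTFOUND=continue] files
"""
RECOMMENDED_CONF = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap
"""

# A token is a source name or a bracketed action such as [!NOTFOUND=return].
_TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")

def parse_nsswitch(text):
    """Map each database name to its list of source and action tokens."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if ":" in line:
            name, rest = line.split(":", 1)
            dbs[name.strip()] = _TOKEN_RE.findall(rest)
    return dbs

def check_nsswitch(text, databases=("passwd", "shadow", "group")):
    """Return (database, finding) pairs for the lookup lines that affect login."""
    findings, dbs = [], parse_nsswitch(text)
    for db in databases:
        tokens = dbs.get(db, [])
        sources = [t for t in tokens if not t.startswith("[")]
        # A network source ahead of 'files' makes even local accounts such as
        # root wait on a directory lookup that can hang when the network is down.
        if sources and sources[0] != "files":
            findings.append((db, f"'{sources[0]}' precedes 'files'"))
        # Explicit action specifiers alter how one source's result chains to
        # the next; the advice in the thread is to remove them entirely.
        findings += [(db, f"non-default action {t}") for t in tokens if t.startswith("[")]
    return findings

if __name__ == "__main__":
    for conf in (ACTION_CONF, LDAP_FIRST_CONF, RECOMMENDED_CONF):
        print(check_nsswitch(conf) or "no findings")
```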