On Wed, 2008-08-27 at 17:07 -0400, Mark Hennessy wrote:
> Quoting Craig White <craigwhite at azapple.com>:
>
> > On Wed, 2008-08-27 at 14:53 -0400, Mark Hennessy wrote:
> >> Quoting Craig White <craigwhite at azapple.com>:
> >>
> >> > On Wed, 2008-08-27 at 12:34 -0400, Mark Hennessy wrote:
> >> >> I'm using CentOS 5.0, 5.1, and 5.2 on several systems where I'm seeing
> >> >> this problem.
> >> >>
> >> >> Hello, I'm seeing a weird problem that perhaps someone has run into
> >> >> with groups.
> >> >>
> >> >> First, a little background.
> >> >> I was made aware of a problem with CentOS 5 where if the nscd password
> >> >> cache is clear and someone tries to log in if there is no network
> >> >> connection with an LDAP account that it just hangs. Even worse, if the
> >> >> machine is rebooted and it continues to have no network connection,
> >> >> even root login doesn't work. I messed around with nsswitch.conf to
> >> >> fix this problem.
> >> >>
> >> >> I altered these lines as so:
> >> >> passwd: files [!NOTFOUND=return] ldap
> >> >> shadow: files [!NOTFOUND=return] ldap
> >> >> group: files [!NOTFOUND=return] ldap
> >> >>
> >> >> and the problem seemed to go away.
> >> >>
> >> >> But now, here's the weird stuff:
> >> >> I have defined in my local /etc/groups file this line:
> >> >> group1:x:100:apache
> >> >> group2:x:101:apache
> >> >>
> >> >> 'getent group groupname' shows the right info:
> >> >> # getent group group1
> >> >> group1:x:100:apache
> >> >>
> >> >> # sudo -u apache bash
> >> >> $ groups
> >> >> apache
> >> >>
> >> >> I revert back to my old config:
> >> >> # sudo -u apache bash
> >> >> $ groups
> >> >> apache group1 group2
> >> >>
> >> >> Also, something else that's interesting. If I do this:
> >> >> passwd: files [!NOTFOUND=return] ldap
> >> >> shadow: files [!NOTFOUND=return] ldap
> >> >> group: ldap [NOTFOUND=continue] files
> >> >>
> >> >> and reboot, udev segfaults and the system freezes up after a few
> >> >> more seconds.
> >> >> Starting udev: /sbin/start_udev: line 43: 519 Segmentation fault "$@" $ARGS
> >> >> /sbin/start_udev: line 201: 523 Segmentation fault /sbin/udevd -d
> >> >> Wait timeout. Will continue in the background.[FAILED]
> >> >>
> >> >> Any advice?
> >> > ----
> >> > Try putting this at the bottom of /etc/ldap.conf
> >> >
> >> > timelimit 30
> >> > bind_timelimit 30
> >> > bind_policy soft
> >> > nss_initgroups_ignoreusers root,ldap
> >> >
> >> > I wouldn't recommend the changes that you have in nsswitch.conf
> >>
> >> Unfortunately, that doesn't work either.
> >> I made the changes, shut down the machine and started it without
> >> networking, and here's what happens:
> >>
> >> login: root
> >> Password:
> >>
> >> login:
> >>
> >> login pukes and init starts it again.
> > ----
> > you shouldn't need to restart but if you can't login as root, you
> > probably still have something messed up in /etc/nsswitch.conf or may
> > have messed up /etc/passwd | /etc/shadow
> >
> > can you login as a user and su - to root?
> >
> > if not, it probably would be best to boot to runlevel 1 and
> > edit /etc/nsswitch.conf so it has this...
> >
> > passwd: files ldap
> > shadow: files ldap
> > group: files ldap
> >
> > and remove the NOTFOUND entries
>
> Yes, done.
> Without networking, still the login failure trouble.
>
> With networking, no trouble at all, but with those timeouts of 30
> seconds and without those changes to nsswitch.conf, it takes a while
> for the first root login to succeed even though it is using local auth.
----
do you have this line in /etc/pam.d/system-auth

account sufficient pam_localuser.so

???

What does your /etc/pam.d/system-auth look like?

Craig
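As an added illustration (my code, not from anyone in this thread), here is a small simulator of the nsswitch.conf action rules glibc applies: the default per-module actions are SUCCESS=return with continue for NOTFOUND, UNAVAIL and TRYAGAIN, and a leading `!` negates the named status. Feeding it the three configurations discussed above with constructed module statuses shows which backend a lookup stops at when the entry is or is not in files and ldap is unreachable (UNAVAIL); it deliberately ignores `merge` and the initgroups-specific handling.

```python
import re

# NSS lookup statuses and glibc's default action for each one:
# [SUCCESS=return NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue]
STATUSES = ("success", "notfound", "unavail", "tryagain")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_nsswitch_line(line):
    """Parse 'db: mod [STATUS=action ...] mod ...' into (db, [(module, actions)]).
    A '[...]' block modifies the actions of the module before it; a leading
    '!' applies the action to every status except the one named."""
    db, _, rest = line.partition(":")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not tok.startswith("["):
            entries.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not entries:
            raise ValueError("action block before any module: %r" % line)
        actions = entries[-1][1]
        for clause in tok[1:-1].split():
            status, _, action = clause.partition("=")
            negate = status.startswith("!")
            status, action = status.lstrip("!").lower(), action.lower()
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError("bad action clause %r in %r" % (clause, line))
            targets = [s for s in STATUSES if s != status] if negate else [status]
            for s in targets:
                actions[s] = action
    return db.strip(), entries


def resolve(line, results):
    """Simulate one lookup. 'results' maps module -> status it would return;
    a module missing from it is treated as 'unavail' (e.g. ldap, no network).
    Returns (final status, module that ended the lookup, modules consulted).
    Simplified model: 'merge' and initgroups-specific handling are not modelled."""
    _, entries = parse_nsswitch_line(line)
    consulted, status, module = [], "notfound", None
    for module, actions in entries:
        status = results.get(module, "unavail")  # constructed status per module
        consulted.append(module)
        if actions[status] == "return":
            break
    return status, module, consulted
```

With `files [!NOTFOUND=return] ldap`, a name present in files never reaches ldap, but a name absent from files still does, so lookups for unknown names can still wait on the LDAP timeout when the network is down.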