[CentOS] nsswitch.conf, ldap, local groups problem

Wed Aug 27 21:35:56 UTC 2008
Mark Hennessy <mark at hennessy.cx>

Quoting Craig White <craigwhite at azapple.com>:

> On Wed, 2008-08-27 at 17:07 -0400, Mark Hennessy wrote:
>> Quoting Craig White <craigwhite at azapple.com>:
>>
>> > On Wed, 2008-08-27 at 14:53 -0400, Mark Hennessy wrote:
>> >> Quoting Craig White <craigwhite at azapple.com>:
>> >>
>> >> > On Wed, 2008-08-27 at 12:34 -0400, Mark Hennessy wrote:
>> >> >> I'm using CentOS 5.0, 5.1, and 5.2 on several systems where I'm seeing
>> >> >> this problem.
>> >> >>
>> >> >> Hello, I'm seeing a weird problem that perhaps someone has run into
>> >> >> with groups.
>> >> >>
>> >> >> First, a little background.
>> >> >> I was made aware of a problem with CentOS 5 where, if the nscd password
>> >> >> cache is clear and someone tries to log in with an LDAP account while
>> >> >> there is no network connection, the login just hangs.  Even worse, if
>> >> >> the machine is rebooted and it continues to have no network connection,
>> >> >> even root login doesn't work.  I messed around with nsswitch.conf to fix
>> >> >> this problem.
>> >> >>
>> >> >> I altered these lines as so:
>> >> >> passwd:     files [!NOTFOUND=return] ldap
>> >> >> shadow:     files [!NOTFOUND=return] ldap
>> >> >> group:      files [!NOTFOUND=return] ldap
>> >> >>
>> >> >> and the problem seemed to go away.
>> >> >>
>> >> >> But now, here's the weird stuff:
>> >> >> I have defined in my local /etc/groups file this line:
>> >> >> group1:x:100:apache
>> >> >> group2:x:101:apache
>> >> >>
>> >> >> 'getent group groupname' shows the right info:
>> >> >> # getent group group1
>> >> >> group1:x:100:apache
>> >> >>
>> >> >> # sudo -u apache bash
>> >> >> $ groups
>> >> >> apache
>> >> >>
>> >> >> I revert back to my old config:
>> >> >> # sudo -u apache bash
>> >> >> $ groups
>> >> >> apache group1 group2
>> >> >>
>> >> >> Also, something else that's interesting. If I do this:
>> >> >> passwd:     files [!NOTFOUND=return] ldap
>> >> >> shadow:     files [!NOTFOUND=return] ldap
>> >> >> group:      ldap [NOTFOUND=continue] files
>> >> >>
>> >> >> and reboot, udev segfaults and the system freezes up after a few
>> >> >> more seconds.
>> >> >> Starting udev: /sbin/start_udev: line 43:   519 Segmentation fault      "$@" $ARGS
>> >> >> /sbin/start_udev: line 201:   523 Segmentation fault      /sbin/udevd -d
>> >> >> Wait timeout. Will continue in the background.[FAILED]
>> >> >>
>> >> >> Any advice?
>> >> > ----
>> >> > Try putting this at the bottom of /etc/ldap.conf
>> >> >
>> >> > timelimit 30
>> >> > bind_timelimit 30
>> >> > bind_policy soft
>> >> > nss_initgroups_ignoreusers root,ldap
>> >> >
>> >> > I wouldn't recommend the changes that you have in nsswitch.conf
>> >>
>> >> Unfortunately, that doesn't work either.
>> >> I made the changes, shut down the machine and started it without
>> >> networking, and here's what happens:
>> >>
>> >> login: root
>> >> Password:
>> >>
>> >> login:
>> >>
>> >> login pukes and init starts it again.
>> > ----
>> > you shouldn't need to restart but if you can't login as root, you
>> > probably still have something messed up in /etc/nsswitch.conf or may
>> > have messed up /etc/passwd | /etc/shadow
>> >
>> > can you login as a user and su - to root?
>> >
>> > if not, it probably would be best to boot to runlevel 1 and
>> > edit /etc/nsswitch.conf so it has this...
>> >
>> > passwd:     files ldap
>> > shadow:     files ldap
>> > group:      files ldap
>> >
>> > and remove the NOTFOUND entries
>>
>> Yes, done.
>> Without networking, still the login failure trouble.
>>
>> With networking, no trouble at all, but with those timeouts of 30
>> seconds and without those changes to nsswitch.conf, it takes a while
>> for the first root login to succeed even though it is using local auth.
> ----
> do you have this line in /etc/pam.d/system-auth
>
> account     sufficient    pam_localuser.so
>
> ???
>
> What does your /etc/pam.d/system-auth look like?
my /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok debug
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so debug
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022


===
I added

account     sufficient    pam_localuser.so

right before pam_ldap in the account section and tried again with the
same procedure: turn off networking (chkconfig --levels 2345 network off)
and reboot.

Same result, login dies and gets restarted.

login: root
Password:

login:

> Craig
>
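Editor's added example, not part of the thread above: a POSIX shell script that checks the three configuration points the thread turns on. It expands an nsswitch.conf action spec such as `[!NOTFOUND=return]` into the effective per-status action table (starting from glibc's documented defaults, SUCCESS=return and continue for every other status), lists which of passwd/shadow/group carry a bracketed action at all, and reports whether `pam_localuser.so` sits before `pam_ldap.so` in a PAM account stack. The expansion works for any action spec, not just the two variants the poster tried. The nsswitch.conf samples are constructed from the lines quoted in the thread; the PAM account lines are copied from the posted system-auth, once as posted and once with the `pam_localuser.so` line inserted as described.

```shell
#!/bin/sh
# Added example: audit the nsswitch.conf action specs and the PAM account
# stack discussed in the thread. Sample configs are constructed for this
# example; the PAM account lines are copied from the posted system-auth.

# The poster's first nsswitch.conf variant and the plain form suggested in reply.
NSSWITCH_WITH_ACTIONS='passwd:     files [!NOTFOUND=return] ldap
shadow:     files [!NOTFOUND=return] ldap
group:      files [!NOTFOUND=return] ldap
hosts:      files dns'

NSSWITCH_PLAIN='passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns'

# Account stack as posted, and with pam_localuser.so inserted before pam_ldap.so.
PAM_ACCOUNT_POSTED='account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so'

PAM_ACCOUNT_LOCALUSER='account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so'

# Expand the text inside an nsswitch.conf [...] into the effective action for
# each lookup status, starting from glibc's defaults (SUCCESS=return, every
# other status continue). A leading '!' applies the action to every status
# except the one named, so '!NOTFOUND=return' also makes UNAVAIL and TRYAGAIN
# 'return'. Output: "SUCCESS=x NOTFOUND=x UNAVAIL=x TRYAGAIN=x".
nss_effective_actions() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            n = split("SUCCESS NOTFOUND UNAVAIL TRYAGAIN", st, " ")
            act["SUCCESS"] = "return"
            act["NOTFOUND"] = act["UNAVAIL"] = act["TRYAGAIN"] = "continue"
        }
        {
            for (i = 1; i <= NF; i++) {
                tok = toupper($i)
                neg = (substr(tok, 1, 1) == "!")
                if (neg) tok = substr(tok, 2)
                split(tok, kv, "=")
                for (j = 1; j <= n; j++)
                    if ((st[j] == kv[1]) != neg) act[st[j]] = tolower(kv[2])
            }
        }
        END {
            for (j = 1; j <= n; j++)
                printf "%s%s=%s", (j > 1 ? " " : ""), st[j], act[st[j]]
            printf "\n"
        }'
}

# List the passwd/shadow/group databases whose line carries a bracketed
# action spec (one name per line; prints nothing for a plain file).
nss_dbs_with_actions() {
    printf '%s\n' "$1" | awk -F: '
        /^[ \t]*#/ || NF < 2 { next }
        $1 ~ /^(passwd|shadow|group)$/ && $2 ~ /\[/ { print $1 }'
}

# Where pam_localuser.so sits relative to pam_ldap.so in the account stack:
# "before", "after" or "missing". The module is the first field ending in
# .so, so a control bracket like [default=bad ...] is skipped over.
pam_localuser_position() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || $1 != "account" { next }
        {
            mod = ""
            for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { mod = $i; break }
            if (mod == "pam_localuser.so" && !lu) lu = NR
            if (mod == "pam_ldap.so" && !ld) ld = NR
        }
        END {
            if (!lu) print "missing"
            else if (ld && lu > ld) print "after"
            else print "before"
        }'
}

# Run the audit against the constructed samples.
echo "[!NOTFOUND=return] expands to: $(nss_effective_actions '!NOTFOUND=return')"
echo "[NOTFOUND=continue] expands to: $(nss_effective_actions 'NOTFOUND=continue')"
echo "databases with actions (first variant): $(nss_dbs_with_actions "$NSSWITCH_WITH_ACTIONS" | tr '\n' ' ')"
echo "pam_localuser.so in posted account stack: $(pam_localuser_position "$PAM_ACCOUNT_POSTED")"
echo "pam_localuser.so after the edit: $(pam_localuser_position "$PAM_ACCOUNT_LOCALUSER")"
```

Two things the expansion makes visible: `[!NOTFOUND=return]` on `files` also turns UNAVAIL and TRYAGAIN into `return`, so any status other than "not found" from the files backend ends the lookup without ever reaching ldap; and `[NOTFOUND=continue]` is exactly the default table, so `group: ldap [NOTFOUND=continue] files` resolves the same way as `group: ldap files`. To audit a live box, pass `"$(cat /etc/nsswitch.conf)"` and `"$(cat /etc/pam.d/system-auth)"` to the functions instead of the constructed samples.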