[CentOS] nsswitch.conf, ldap, local groups problem

Wed Aug 27 17:21:23 UTC 2008
Craig White <craigwhite at azapple.com>

On Wed, 2008-08-27 at 12:34 -0400, Mark Hennessy wrote:
> I'm using CentOS 5.0, 5.1, and 5.2 on several systems where I'm seeing
> this problem.
> 
> Hello, I'm seeing a weird problem that perhaps someone has run into
> with groups.
> 
> First, a little background.
> I was made aware of a problem with CentOS 5 where if the nscd password
> cache is clear and someone tries to log in if there is no network
> connection with an LDAP account that it just hangs.  Even worse, if the
> machine is rebooted and it continues to have no network connection,
> even root login doesn't work.  I messed around with nsswitch.conf to
> fix this problem.
> 
> I altered these lines as so:
> passwd:     files [!NOTFOUND=return] ldap
> shadow:     files [!NOTFOUND=return] ldap
> group:      files [!NOTFOUND=return] ldap
> 
> and the problem seemed to go away.
> 
> But now, here's the weird stuff:
> I have defined in my local /etc/groups file this line:
> group1:x:100:apache
> group2:x:101:apache
> 
> 'getent group groupname' shows the right info:
> # getent group group1
> group1:x:100:apache
> 
> # sudo -u apache bash
> $ groups
> apache
> 
> I revert back to my old config:
> # sudo -u apache bash
> $ groups
> apache group1 group2
> 
> Also, something else that's interesting. If I do this:
> passwd:     files [!NOTFOUND=return] ldap
> shadow:     files [!NOTFOUND=return] ldap
> group:      ldap [NOTFOUND=continue] files
> 
> and reboot, udev segfaults and the system freezes up after a few more seconds.
> Starting udev: /sbin/start_udev: line 43:   519 Segmentation fault        "$@" $ARGS
> /sbin/start_udev: line 201:   523 Segmentation fault      /sbin/udevd -d
> Wait timeout. Will continue in the background.[FAILED]
> 
> Any advice?
----
Try putting this at the bottom of /etc/ldap.conf

timelimit 30
bind_timelimit 30
bind_policy soft
nss_initgroups_ignoreusers root,ldap

I wouldn't recommend the changes that you have in nsswitch.conf

Craig