[CentOS] nsswitch.conf, ldap, local groups problem

Wed Aug 27 18:53:04 UTC 2008
Mark Hennessy <mark at hennessy.cx>

Quoting Craig White <craigwhite at azapple.com>:

> On Wed, 2008-08-27 at 12:34 -0400, Mark Hennessy wrote:
>> I'm using CentOS 5.0,5.1, and 5.2 on several systems where I'm seeing
>> this problem.
>>
>> Hello, I'm seeing a weird problem that perhaps someone has run into
>> with groups.
>>
>> First, a little background.
>> I was made aware of a problem with CentOS 5 where if the nscd password
>> cache is clear and someone tries to log in if there is no network
>> connection with an LDAP account that it just hangs.  Even worse, if the
>> machine is rebooted and it continues to have no network connection, even
>> root login doesn't work.  I messed around with nsswitch.conf to fix this
>> problem.
>>
>> I altered these lines as so:
>> passwd:     files [!NOTFOUND=return] ldap
>> shadow:     files [!NOTFOUND=return] ldap
>> group:      files [!NOTFOUND=return] ldap
>>
>> and the problem seemed to go away.
>>
>> But now, here's the weird stuff:
>> I have defined in my local /etc/groups file this line:
>> group1:x:100:apache
>> group2:x:101:apache
>>
>> 'getent group groupname' shows the right info:
>> # getent group group1
>> group1:x:100:apache
>>
>> # sudo -u apache bash
>> $ groups
>> apache
>>
>> I revert back to my old config:
>> # sudo -u apache bash
>> $ groups
>> apache group1 group2
>>
>> Also, something else that's interesting. If I do this:
>> passwd:     files [!NOTFOUND=return] ldap
>> shadow:     files [!NOTFOUND=return] ldap
>> group:      ldap [NOTFOUND=continue] files
>>
>> and reboot, udev segfaults and the system freezes up after a few
>> more seconds.
>> Starting udev: /sbin/start_udev: line 43:   519 Segmentation fault
>>   "$@" $ARGS
>> /sbin/start_udev: line 201:   523 Segmentation fault      /sbin/udevd -d
>> Wait timeout. Will continue in the background.[FAILED]
>>
>> Any advice?
> ----
> Try putting this at the bottom of /etc/ldap.conf
>
> timelimit 30
> bind_timelimit 30
> bind_policy soft
> nss_initgroups_ignoreusers root,ldap
>
> I wouldn't recommend the changes that you have in nsswitch.conf

Unfortunately, that doesn't work either.
I made the changes, shut down the machine and started it without
networking, and here's what happens:

login: root
Password:

login:

login pukes and init starts it again.

> Craig
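As an added illustration (not part of this thread, and not glibc's own code), the following Python model walks an nsswitch.conf entry the way nsswitch.conf(5) describes: each service reports one of SUCCESS, NOTFOUND, UNAVAIL or TRYAGAIN, and a `[STATUS=ACTION]` block (with `!` negating the status) overrides the default action of `return` on SUCCESS and `continue` on everything else. The backend statuses in the `__main__` scenario are constructed, with the LDAP server unreachable so `ldap` reports TRYAGAIN.

```python
import re

# Action glibc takes by default for each lookup status unless the
# nsswitch.conf entry overrides it (see nsswitch.conf(5)).
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

SERVICE_RE = re.compile(r"(\w+)((?:\s*\[[^\]]*\])*)")
ACTION_RE = re.compile(r"(!?)(\w+)\s*=\s*(\w+)")


def parse_entry(spec):
    """Parse the right-hand side of an nsswitch.conf line, e.g.
    'files [!NOTFOUND=return] ldap', into [(service, {status: action})]."""
    entry = []
    for service, blocks in SERVICE_RE.findall(spec):
        actions = dict(DEFAULT_ACTIONS)
        for negate, status, action in ACTION_RE.findall(blocks):
            status, action = status.upper(), action.lower()
            if status not in actions or action not in ("return", "continue"):
                raise ValueError("unsupported action %s=%s" % (status, action))
            # '!' means: apply ACTION to every status *except* this one
            targets = [s for s in actions if s != status] if negate else [status]
            for s in targets:
                actions[s] = action
        entry.append((service, actions))
    return entry


def resolve(spec, backend_status):
    """Walk the services in order for one lookup (e.g. getpwnam).
    backend_status maps a service to the status it would report; a
    service not listed is treated as UNAVAIL. Returns the final status
    and the list of services that were actually consulted."""
    consulted, status = [], "NOTFOUND"
    for service, actions in parse_entry(spec):
        status = backend_status.get(service, "UNAVAIL")
        consulted.append(service)
        if actions[status] == "return":
            break
    return status, consulted


if __name__ == "__main__":
    # Constructed scenario: LDAP unreachable (TRYAGAIN), root is a local
    # account (files SUCCESS), 'mark' exists only in LDAP (files NOTFOUND).
    for spec in ("files ldap", "files [!NOTFOUND=return] ldap"):
        for user, files in (("root", "SUCCESS"), ("mark", "NOTFOUND")):
            print(spec, user, resolve(spec, {"files": files, "ldap": "TRYAGAIN"}))
```

The trace shows that `[!NOTFOUND=return]` leaves a local-user or LDAP-only-user lookup exactly as the default would (files SUCCESS already returns, files NOTFOUND still falls through to ldap); what it changes is that a files UNAVAIL or TRYAGAIN now stops the lookup instead of consulting ldap. Supplementary-group collection (initgroups) is a separate glibc path that merges results across services, so a single-lookup trace like this does not by itself account for the `groups` output reported in the thread.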