[CentOS] nsswitch.conf, ldap, local groups problem

Wed Aug 27 19:03:54 UTC 2008
Craig White <craigwhite at azapple.com>

On Wed, 2008-08-27 at 14:53 -0400, Mark Hennessy wrote:
> Quoting Craig White <craigwhite at azapple.com>:
> 
> > On Wed, 2008-08-27 at 12:34 -0400, Mark Hennessy wrote:
> >> I'm using CentOS 5.0,5.1, and 5.2 on several systems where I'm seeing
> >> this problem.
> >>
> >> Hello, I'm seeing a weird problem that perhaps someone has run into
> >> with groups.
> >>
> >> First, a little background.
> >> I was made aware of a problem with CentOS 5 where if the nscd password
> >> cache is clear and
> >> someone tries to log in if there is no network connection with an LDAP
> >> account that it
> >> just hangs.  Even worse, if the machine is rebooted and it continues
> >> to have no network
> >> connection, even root login doesn't work.  I messed around with
> >> nsswitch.conf to fix this
> >> problem.
> >>
> >> I altered these lines as so:
> >> passwd:     files [!NOTFOUND=return] ldap
> >> shadow:     files [!NOTFOUND=return] ldap
> >> group:      files [!NOTFOUND=return] ldap
> >>
> >> and the problem seemed to go away.
> >>
> >> But now, here's the weird stuff:
> >> I have defined in my local /etc/groups file this line:
> >> group1:x:100:apache
> >> group2:x:101:apache
> >>
> >> 'getent group groupname' shows the right info:
> >> # getent group group1
> >> group1:x:100:apache
> >>
> >> # sudo -u apache bash
> >> $ groups
> >> apache
> >>
> >> I revert back to my old config:
> >> # sudo -u apache bash
> >> $ groups
> >> apache group1 group2
> >>
> >> Also, something else that's interesting. If I do this:
> >> passwd:     files [!NOTFOUND=return] ldap
> >> shadow:     files [!NOTFOUND=return] ldap
> >> group:      ldap [NOTFOUND=continue] files
> >>
> >> and reboot, udev segfaults and the system freezes up after a few more seconds.
> >> Starting udev: /sbin/start_udev: line 43:   519 Segmentation fault
> >>   "$@" $ARGS
> >> /sbin/start_udev: line 201:   523 Segmentation fault      /sbin/udevd -d
> >> Wait timeout. Will continue in the background.[FAILED]
> >>
> >> Any advice?
> > ----
> > Try putting this at the bottom of /etc/ldap.conf
> >
> > timelimit 30
> > bind_timelimit 30
> > bind_policy soft
> > nss_initgroups_ignoreusers root,ldap
> >
> > I wouldn't recommend the changes that you have in nsswitch.conf
> 
> Unfortunately, that doesn't work either.
> I made the changes, shut down the machine and started it without networking, and here's what happens:
> 
> login: root
> Password:
> 
> login:
> 
> login pukes and init starts it again.
----
you shouldn't need to restart but if you can't login as root, you
probably still have something messed up in /etc/nsswitch.conf or may
have messed up /etc/passwd | /etc/shadow

can you login as a user and su - to root?

if not, it probably would be best to boot to runlevel 1 and
edit /etc/nsswitch.conf so it has this...

passwd:     files ldap
shadow:     files ldap
group:      files ldap

and remove the NOTFOUND entries

Craig
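As an added illustration that is not from the thread, here is a small Python model of how glibc walks the sources on an nsswitch.conf line, honouring the `[STATUS=action]` and `[!STATUS=action]` blocks discussed above (default actions: SUCCESS=return, everything else continue; the `merge` action is not modelled). The per-source statuses are constructed inputs standing in for an unreachable LDAP server.

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# glibc defaults: stop on a hit, fall through to the next source otherwise
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_nsswitch_line(line):
    """Parse 'db: src [STATUS=action ...] src ...' into (db, [(src, actions), ...])."""
    db, _, rest = line.partition(":")
    sources = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not tok.startswith("["):
            sources.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError("action block before any source: %r" % line)
        for item in tok[1:-1].split():
            status, action = item.upper().split("=", 1)
            action = action.lower()
            if action not in ("return", "continue"):  # 'merge' is not modelled
                raise ValueError("unsupported action %r" % action)
            negate = status.startswith("!")
            status = status.lstrip("!")
            if status not in STATUSES:
                raise ValueError("unknown status %r" % status)
            # [!NOTFOUND=return]: every status except NOTFOUND -> return
            for s in STATUSES:
                if (s != status) == negate:
                    sources[-1][1][s] = action
    return db.strip(), sources

def lookup(line, results):
    """Walk the sources the way glibc does for one getpwnam()-style query.

    results maps source -> the NSS status it would report; an unlisted
    source counts as UNAVAIL (constructed stand-in for LDAP with no network).
    Returns (final status, sources actually consulted, in order)."""
    _, sources = parse_nsswitch_line(line)
    consulted, status = [], "NOTFOUND"
    for src, actions in sources:
        consulted.append(src)
        status = results.get(src, "UNAVAIL")
        if actions[status] == "return":
            break
    return status, consulted

if __name__ == "__main__":
    offline = {"files": "NOTFOUND"}  # LDAP-only user, ldap unreachable
    for cfg in ("passwd: files ldap", "passwd: files [!NOTFOUND=return] ldap"):
        print(cfg, "->", lookup(cfg, offline))
```

Running it shows that `[!NOTFOUND=return]` on `files` only changes what happens when files itself reports UNAVAIL or TRYAGAIN; an account missing from /etc/passwd still reaches the ldap source either way, so the lookup can still block on an unreachable server.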