On Wed, 2008-08-27 at 17:35 -0400, Mark Hennessy wrote: > Quoting Craig White <craigwhite at azapple.com>: > > > On Wed, 2008-08-27 at 17:07 -0400, Mark Hennessy wrote: > >> Quoting Craig White <craigwhite at azapple.com>: > >> > >> > On Wed, 2008-08-27 at 14:53 -0400, Mark Hennessy wrote: > >> >> Quoting Craig White <craigwhite at azapple.com>: > >> >> > >> >> > On Wed, 2008-08-27 at 12:34 -0400, Mark Hennessy wrote: > >> >> >> I'm using CentOS 5.0,5.1, and 5.2 on several systems where I'm seeing > >> >> >> this problem. > >> >> >> > >> >> >> Hello, I'm seeing a weird problem that perhaps someone has run into > >> >> >> with groups. > >> >> >> > >> >> >> First, a little background. > >> >> >> I was made aware of a problem with CentOS 5 where if the nscd password > >> >> >> cache is clear and > >> >> >> someone tries to log in if there is no network connection with an LDAP > >> >> >> account that it > >> >> >> just hangs. Even worse, if the machine is rebooted and it continues > >> >> >> to have no network > >> >> >> connection, even root login doesn't work. I messed around with > >> >> >> nsswitch.conf to fix this > >> >> >> problem. > >> >> >> > >> >> >> I altered these lines as so: > >> >> >> passwd: files [!NOTFOUND=return] ldap > >> >> >> shadow: files [!NOTFOUND=return] ldap > >> >> >> group: files [!NOTFOUND=return] ldap > >> >> >> > >> >> >> and the problem seemed to go away. > >> >> >> > >> >> >> But now, here's the weird stuff: > >> >> >> I have defined in my local /etc/groups file this line: > >> >> >> group1:x:100:apache > >> >> >> group2:x:101:apache > >> >> >> > >> >> >> 'getent group groupname' shows the right info: > >> >> >> # getent group group1 > >> >> >> group1:x:100:apache > >> >> >> > >> >> >> # sudo -u apache bash > >> >> >> $ groups > >> >> >> apache > >> >> >> > >> >> >> I revert back to my old config: > >> >> >> # sudo -u apache bash > >> >> >> $ groups > >> >> >> apache group1 group2 > >> >> >> > >> >> >> Also, something else that's interesting. If I do this: > >> >> >> passwd: files [!NOTFOUND=return] ldap > >> >> >> shadow: files [!NOTFOUND=return] ldap > >> >> >> group: ldap [NOTFOUND=continue] files > >> >> >> > >> >> >> and reboot, udev segfaults and the system freezes up after a few > >> >> >> more seconds. > >> >> >> Starting udev: /sbin/start_udev: line 43: 519 Segmentation fault > >> >> >> "$@" $ARGS > >> >> >> /sbin/start_udev: line 201: 523 Segmentation fault > >> /sbin/udevd -d > >> >> >> Wait timeout. Will continue in the background.[FAILED] > >> >> >> > >> >> >> Any advice? > >> >> > ---- > >> >> > Try putting this at the bottom of /etc/ldap.conf > >> >> > > >> >> > timelimit 30 > >> >> > bind_timelimit 30 > >> >> > bind_policy soft > >> >> > nss_initgroups_ignoreusers root,ldap > >> >> > > >> >> > I wouldn't recommend the changes that you have in nsswitch.conf > >> >> > >> >> Unfortunately, that doesn't work either. > >> >> I made the changes, shut down the machine and started it without > >> >> networking, and here's what happens: > >> >> > >> >> login: root > >> >> Password: > >> >> > >> >> login: > >> >> > >> >> login pukes and init starts it again. > >> > ---- > >> > you shouldn't need to restart but if you can't login as root, you > >> > probably still have something messed up in /etc/nsswitch.conf or may > >> > have messed up /etc/passwd | /etc/shadow > >> > > >> > can you login as a user and su - to root? > >> > > >> > if not, it probably would be best to boot to runlevel 1 and > >> > edit /etc/nsswitch.conf so it has this... > >> > > >> > passwd: files ldap > >> > shadow: files ldap > >> > group: files ldap > >> > > >> > and remove the NOTFOUND entries > >> > >> Yes, done. > >> Without networking, still the login failure trouble. > >> > >> With networking, no trouble at all, but with those timeouts of 30 > >> seconds and without those changes to nsswitch.conf, it takes a while > >> for the first root login to succeed even though it is using local auth. > > ---- > > do you have this line in /etc/pam.d/system-auth > > > > account sufficient pam_localuser.so > > > > ??? > > > > What does your /etc/pam.d/system-auth look like? > my /etc/pam.d/system-auth: > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required pam_env.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 500 quiet > auth sufficient pam_ldap.so use_first_pass debug > auth required pam_deny.so > > account required pam_unix.so broken_shadow > account sufficient pam_succeed_if.so uid < 500 quiet > account [default=bad success=ok user_unknown=ignore] pam_ldap.so > account required pam_permit.so > > password requisite pam_cracklib.so try_first_pass retry=3 > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > password sufficient pam_ldap.so use_authtok debug > password required pam_deny.so > > session optional pam_keyinit.so revoke > session required pam_limits.so > session [success=1 default=ignore] pam_succeed_if.so service in > crond quiet use_uid > session required pam_unix.so > session optional pam_ldap.so debug > session required pam_mkhomedir.so skel=/etc/skel umask=0022 > > > === > I added > > account sufficient pam_localuser.so > > right before pam_ldap in the account section and tried again with the > same procedure (turn off networking (chkconfig --levels 2345 network > off), reboot). > > Same result, login dies and gets restarted. > > login: root > Password: > > login: ---- well, it hardly makes any sense to use ldap for user accounts and start up with networking off but I would recommend that you adhere to the advice at the top of the file and run 'authconfig' or 'system-config-authentication', make sure the settings are correct (including checking the box for local authentication is sufficient) so that it configures not only /etc/pam.d/system-auth and nsswitch.conf Craig