Weird. The machine bgmilne, is it set to query its own ldap database?
Another nice LDAP-related buglet. On a cooker machine that's running
slapd (openldap-servers) the sshd won't work properly.
It's easy to reproduce (I've done it on 2 machines):
[root@taz root]# service ldap start
ldaps
Starting slapd (ldap + ldaps): [ OK ]
[root@taz root]# ssh stefan@localhost
stefan@localhost's password:
Read from remote host localhost: Connection reset by peer
Connection to localhost closed.
[root@taz root]# service ldap stop
Stopping slapd: /etc/init.d/ldap: line 243: kill: (15609) - No such process
/etc/init.d/ldap: line 243: kill: (15608) - No such process
/etc/init.d/ldap: line 243: kill: (15602) - No such process
[ OK ]
[root@taz root]# ssh stefan@localhost
stefan@localhost's password:
Last login: Thu Jan 23 21:44:58 2003 from localhost.localdomain
[stefan@taz stefan]$ exit
Connection to localhost closed.
[root@taz root]# service ldap start
ldaps
Starting slapd (ldap + ldaps): [ OK ]
[root@taz root]# ssh stefan@localhost
stefan@localhost's password:
Read from remote host localhost: Connection reset by peer
Connection to localhost closed.
[root@taz root]#
Works for me:
[bgmilne@mail bgmilne]$ ssh bgmilne
bgmilne@bgmilne's password:
Last login: Thu Jan 23 23:07:27 2003 from mail.cae.co.za
-bash: TMOUT: readonly variable
[bgmilne@bgmilne bgmilne]$ ps ax|grep [s]lapd
1323 ? S 0:00 /usr/sbin/slapd -u ldap -g ldap -l LOCAL0 -s 0 -h ldap:/// ldaps:///
1327 ? S 0:00 /usr/sbin/slapd -u ldap -g ldap -l LOCAL0 -s 0 -h ldap:/// ldaps:///
1334 ? S 0:00 /usr/sbin/slapd -u ldap -g ldap -l LOCAL0 -s 0 -h ldap:/// ldaps:///
1426 ? S 0:00 /usr/sbin/slapd -u ldap -g ldap -l LOCAL0 -s 0 -h ldap:/// ldaps:///
1427 ? S 0:00 /usr/sbin/slapd -u ldap -g ldap -l LOCAL0 -s 0 -h ldap:/// ldaps:///
2918 ? S 0:00 /usr/sbin/slapd -u ldap -g ldap -l LOCAL0 -s 0 -h ldap:/// ldaps:///
[bgmilne@bgmilne bgmilne]$ ssh localhost
Last login: Thu Jan 23 23:07:42 2003 from mail.cae.co.za
-bash: TMOUT: readonly variable
[bgmilne@bgmilne bgmilne]$
[root@taz root]# ssh root@alpha
root@alpha's password:
Last login: Thu Jan 23 22:52:28 2003 from taz.eijk.nu
Connection to alpha closed.
[root@taz root]# service ldap stop
Stopping slapd: /etc/init.d/ldap: line 243: kill: (17180) - No such process
/etc/init.d/ldap: line 243: kill: (17179) - No such process
/etc/init.d/ldap: line 243: kill: (17176) - No such process
ssh alp [ OK ]
[root@taz root]# ssh alpha
root@alpha's password:
Last login: Thu Jan 23 23:00:04 2003 from taz.eijk.nu
[root@localhost root]# uname -a
Linux localhost.localdomain 2.4.19-1mdk #1 Sat Aug 10 00:21:43 EDT 2002 alpha unknown unknown GNU/Linux
[root@taz root]# service ldap start
ldaps
Starting slapd (ldap + ldaps): [ OK ]
[root@taz root]# ssh alpha
root@alpha's password:
Last login: Thu Jan 23 23:00:33 2003 from taz.eijk.nu
Connection to alpha closed.
[root@taz root]#
(but I think my slave has died, auth works by referral to the master at present ...) Are you sure it's not an issue of conflicting entries in ldap and local?
Good one. I've got users both in local and ldap on machine "taz".
Maybe user 'sshd' exists in ldap with the wrong uid; that would probably do it due to privsep: the sshd server still runs as root, but privsep dies?
The ssh user is only in the local machine, not in ldap.
Did it on a stand-alone laptop (with ssh & ldap server on it) too, same results.
Where shall I file the bug, openldap-servers package or openssh-server?
Reproduce on a different network first ...
I only have real users in ldap, no system users, etc. If you like, the ldap dir is available: ldap://eijk.homelinux.org/
(BTW, it's not a good idea to have the ldap user in ldap when you install openldap-servers onto a box ... stop ldap and you won't be able to start it again ;-)
Also, a good way to check is to test both:
$ getent passwd sshd
$ getent passwd|grep ^sshd
and hope they give the same answer ...
They do:
[root@taz root]# getent passwd sshd
sshd:x:94:94::/home/sshd:/bin/true
[root@taz root]# getent passwd|grep ^sshd
sshd:x:94:94::/home/sshd:/bin/true
I'm starting to see more & more shit come up with using ldap... mysql doesn't start, now this stuff with ssh, what's next?
Stefan
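The check bgmilne suggests above (compare the single lookup with the full enumeration) can be automated: for every account in the local passwd file, flag any line in the NSS view whose uid, gid, home or shell differs, which is exactly the "sshd in ldap with the wrong uid" situation suspected in this thread. This is an added example, not code from the thread; the two passwd-format files and the hypothetical 1005 uid are constructed samples, and on a real box you would feed it /etc/passwd and a saved `getent passwd` dump.

```shell
#!/bin/sh
# Added example: report local accounts whose NSS view (files + ldap, as
# returned by `getent passwd`) disagrees with /etc/passwd on uid, gid,
# home or shell. Duplicate names across sources are the usual cause.

nss_local_conflicts() {
    # $1 = local passwd file, $2 = NSS enumeration (passwd format)
    # Prints name:local=uid:gid:home:shell:nss=uid:gid:home:shell per mismatch.
    awk -F: '
        NR == FNR { local[$1] = $3 ":" $4 ":" $6 ":" $7; next }
        ($1 in local) {
            nss = $3 ":" $4 ":" $6 ":" $7
            if (nss != local[$1]) print $1 ":local=" local[$1] ":nss=" nss
        }
    ' "$1" "$2"
}

# Constructed sample: the local file matches the thread's sshd entry.
LOCAL_PASSWD=$(mktemp)
cat >"$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:94:94::/home/sshd:/bin/true
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
EOF

# Constructed sample: an enumeration where ldap also carries an 'sshd'
# entry with a different (hypothetical) uid, as suspected in the thread.
NSS_PASSWD=$(mktemp)
cat >"$NSS_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:94:94::/home/sshd:/bin/true
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
stefan:x:500:500:Stefan:/home/stefan:/bin/bash
sshd:x:1005:1005::/home/sshd:/bin/sh
EOF

# Real use: getent passwd >/tmp/nss.txt; nss_local_conflicts /etc/passwd /tmp/nss.txt
nss_local_conflicts "$LOCAL_PASSWD" "$NSS_PASSWD"
```

An empty result means every local account is seen identically through NSS; any output line names an account that sshd (or any other privsep-style daemon) may resolve differently depending on whether slapd is up.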