[Arthur de Jong]
> I have not tested such a setup before but from what I can see from my
> tests is that it may be very inefficient with the current version of
> nss-ldapd. It is better to use:
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> (you also don't need the + at the end of the files in /etc any more)

This is not a useful configuration for me, as I want to limit the
visible users and groups by netgroups. So in a production system I do
not put + at the end of the files in /etc/, I put [EMAIL PROTECTED] there
to control which users and groups are visible.

> All this can be worked around by in nss-ldapd and I've put it on the
> TODO list but I must say that it's not a very high priority right
> now because there is a better way to configure NSS.

It would be great if it could get higher on the priority list. :)

> This does a number of lookups but nothing really interesting (except
> for the too many queries started as mentioned above). Could you also
> provide some output from sshd?

Not quite sure what you are asking for? The output from sshd -dD? Here
it is:

debug1: sshd version OpenSSH_4.3p2 Debian-9
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-dD'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 84.215.24.239 port 41193
debug1: Client protocol version 2.0; client software version OpenSSH_4.3p2 Debian-9
debug1: match: OpenSSH_4.3p2 Debian-9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-9
debug1: permanently_set_uid: 100/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 [EMAIL PROTECTED]
debug1: kex: server->client aes128-cbc hmac-md5 [EMAIL PROTECTED]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user pere service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for pere from 84.215.24.239 port 41193 ssh2
debug1: PAM: initializing for "pere"
debug1: userauth-request for user pere service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: PAM: setting PAM_RHOST to "cm-84.215.24.239.getinternet.no"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 1004/1004 (e=0/0)
debug1: do_cleanup
Segmentation fault

gdb did not give a useful backtrace:

(gdb) bt
#0  0xb7ac6e8c in ?? ()
#1  0x080ad310 in ?? ()
#2  0xbfd3d31c in ?? ()
#3  0x00000004 in ?? ()
#4  0x00000000 in ?? ()
(gdb)

This is the content of sshd.log from running
"valgrind --log-file-exactly=sshd.log /usr/sbin/sshd -dD":

==5033== Memcheck, a memory error detector.
==5033== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==5033== Using LibVEX rev 1658, a library for dynamic binary translation.
==5033== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==5033== Using valgrind-3.2.1-Debian, a dynamic binary instrumentation framework.
==5033== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==5033== For more details, rerun with: -v
==5033==
==5033== My PID = 5033, parent PID = 4487.  Prog and args are:
==5033==    /usr/sbin/sshd
==5033==    -dD
==5033==
==5033== Warning: invalid file descriptor 1014 in syscall close()
==5033== Warning: invalid file descriptor 1015 in syscall close()
==5033== Warning: invalid file descriptor 1016 in syscall close()
==5033== Use --log-fd=<number> to select an alternative log fd.
==5033== Warning: invalid file descriptor 1017 in syscall close()
==5033== Warning: invalid file descriptor 1018 in syscall close()
==5033== Invalid read of size 4
==5033==    at 0x4010DE9: (within /lib/ld-2.3.6.so)
==5033==    by 0x4004B78: (within /lib/ld-2.3.6.so)
==5033==    by 0x4006792: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C352F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C2F9E: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x43C57BC: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C581D: __libc_dlopen_mode (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x439EE73: __nss_lookup_function (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x439EF6F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x43A0C65: __nss_passwd_lookup (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==  Address 0x444AC0C is 36 bytes inside a block of size 38 alloc'd
==5033==    at 0x401D38B: malloc (vg_replace_malloc.c:149)
==5033==    by 0x4006B83: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C352F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C2F9E: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x43C57BC: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C581D: __libc_dlopen_mode (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x439EE73: __nss_lookup_function (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x439EF6F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x43A0C65: __nss_passwd_lookup (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x434DAB3: getpwnam_r (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==
==5033== Conditional jump or move depends on uninitialised value(s)
==5033==    at 0x4008ED5: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C3984: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C2F9E: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x43C57BC: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C581D: __libc_dlopen_mode (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x439EE73: __nss_lookup_function (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x439EF6F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x43A0C65: __nss_passwd_lookup (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x434DAB3: getpwnam_r (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x434D449: getpwnam (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==
==5033== Conditional jump or move depends on uninitialised value(s)
==5033==    at 0x4008B2E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C3984: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C2F9E: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x43C57BC: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C581D: __libc_dlopen_mode (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x439EE73: __nss_lookup_function (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x439EF6F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x43A0C65: __nss_passwd_lookup (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x434DAB3: getpwnam_r (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x434D449: getpwnam (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==
==5033== Invalid read of size 4
==5033==    at 0x4010E00: (within /lib/ld-2.3.6.so)
==5033==    by 0x4004B78: (within /lib/ld-2.3.6.so)
==5033==    by 0x4006792: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C352F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C2F9E: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x43C57BC: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C581D: __libc_dlopen_mode (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x439EE73: __nss_lookup_function (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x4539169: (within /lib/tls/i686/cmov/libnss_compat-2.3.6.so)
==5033==    by 0x453A664: _nss_compat_getpwnam_r (in /lib/tls/i686/cmov/libnss_compat-2.3.6.so)
==5033==  Address 0x444B120 is 24 bytes inside a block of size 26 alloc'd
==5033==    at 0x401D38B: malloc (vg_replace_malloc.c:149)
==5033==    by 0x4006B83: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C352F: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C2F9E: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x43C57BC: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x400B44E: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C581D: __libc_dlopen_mode (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x439EE73: __nss_lookup_function (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x4539169: (within /lib/tls/i686/cmov/libnss_compat-2.3.6.so)
==5033==    by 0x453A664: _nss_compat_getpwnam_r (in /lib/tls/i686/cmov/libnss_compat-2.3.6.so)
==5033==    by 0x434D9D7: getpwnam_r (in /lib/tls/i686/cmov/libc-2.3.6.so)

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
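As an added example (not code from this mail, from nss-ldapd or from OpenSSH), here is a small Python triage script for Memcheck logs in the text format quoted above. It turns each reported error into a record with its error kind, its call stack and, where Valgrind prints one, the allocation-site stack for the block involved, and then summarizes which NSS modules and which entry points (the outermost frame of each stack) appear in the error paths. The useful signal for the discussion above is that a stack passing through a `libnss_*` object tells you which nsswitch.conf source was being consulted when the error occurred. The sample log embedded in the script is constructed for this example and only patterned on the quoted output; its addresses and paths are illustrative.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, patterned on Memcheck's text output (not the log from the mail).
SAMPLE_LOG = """\
==5033== Memcheck, a memory error detector.
==5033== For more details, rerun with: -v
==5033==
==5033== Warning: invalid file descriptor 1014 in syscall close()
==5033== Invalid read of size 4
==5033==    at 0x4010DE9: (within /lib/ld-2.3.6.so)
==5033==    by 0x4004B78: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C2F9E: _dl_open (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x439EE73: __nss_lookup_function (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x43A0C65: __nss_passwd_lookup (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==  Address 0x444AC0C is 36 bytes inside a block of size 38 alloc'd
==5033==    at 0x401D38B: malloc (vg_replace_malloc.c:149)
==5033==    by 0x4006B83: (within /lib/ld-2.3.6.so)
==5033==    by 0x434DAB3: getpwnam_r (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==
==5033== Conditional jump or move depends on uninitialised value(s)
==5033==    at 0x4008ED5: (within /lib/ld-2.3.6.so)
==5033==    by 0x43C581D: __libc_dlopen_mode (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x434D449: getpwnam (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==
==5033== Invalid read of size 4
==5033==    at 0x4010E00: (within /lib/ld-2.3.6.so)
==5033==    by 0x439EE73: __nss_lookup_function (in /lib/tls/i686/cmov/libc-2.3.6.so)
==5033==    by 0x4539169: (within /lib/tls/i686/cmov/libnss_compat-2.3.6.so)
==5033==    by 0x453A664: _nss_compat_getpwnam_r (in /lib/tls/i686/cmov/libnss_compat-2.3.6.so)
==5033==  Address 0x444B120 is 24 bytes inside a block of size 26 alloc'd
==5033==    at 0x401D38B: malloc (vg_replace_malloc.c:149)
==5033==    by 0x434D9D7: getpwnam_r (in /lib/tls/i686/cmov/libc-2.3.6.so)
"""

PREFIX_RE = re.compile(r"^==(\d+)==(.*)$")                      # "==PID== rest"
FRAME_RE = re.compile(r"^\s+(at|by) (0x[0-9A-Fa-f]+): (.*)$")   # one stack frame
WITHIN_RE = re.compile(r"\(within (.+)\)$")                     # no symbol known
SYMBOL_RE = re.compile(r"(\S+) \((?:in )?(.+)\)$")              # "sym (in obj)"


@dataclass
class Frame:
    addr: str
    symbol: Optional[str]   # None when Valgrind only knows the object
    module: str


@dataclass
class MemcheckError:
    kind: str
    frames: List[Frame] = field(default_factory=list)        # where the error happened
    alloc_frames: List[Frame] = field(default_factory=list)  # where the block was allocated

    def first_symbol(self) -> Optional[str]:
        """Innermost frame for which Valgrind resolved a symbol name."""
        return next((f.symbol for f in self.frames if f.symbol), None)


def parse_frame(addr: str, desc: str) -> Frame:
    m = WITHIN_RE.match(desc)
    if m:
        return Frame(addr, None, m.group(1))
    m = SYMBOL_RE.match(desc)
    if m:
        return Frame(addr, m.group(1), m.group(2))
    return Frame(addr, desc, "?")


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Group Memcheck lines into errors; banner and warning lines carry no frames and are dropped."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    target: List[Frame] = []

    def close() -> None:
        nonlocal current
        if current is not None and current.frames:
            errors.append(current)
        current = None

    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue
        body = m.group(2)
        fm = FRAME_RE.match(body)
        if fm and current is not None:
            target.append(parse_frame(fm.group(2), fm.group(3)))
            continue
        stripped = body.strip()
        if not stripped:                      # blank "==PID==" line ends an error
            close()
            continue
        if stripped.startswith("Address ") and current is not None:
            target = current.alloc_frames     # following frames describe the allocation site
            continue
        close()                               # any other text starts a new (tentative) error
        current = MemcheckError(kind=stripped)
        target = current.frames
    close()
    return errors


def summarize(errors: List[MemcheckError]) -> dict:
    return {
        "by_kind": dict(Counter(e.kind for e in errors)),
        "nss_modules": sorted({f.module for e in errors for f in e.frames if "libnss_" in f.module}),
        "entry_points": sorted({e.frames[-1].symbol for e in errors if e.frames[-1].symbol}),
    }


if __name__ == "__main__":
    for e in parse_memcheck(SAMPLE_LOG):
        print(f"{e.kind}: first symbol {e.first_symbol()}, {len(e.frames)} frames, "
              f"{len(e.alloc_frames)} alloc frames")
    print(summarize(parse_memcheck(SAMPLE_LOG)))
```

Run against a real sshd.log, the `nss_modules` list shows which NSS modules were loaded on the failing lookup path (here `libnss_compat`, i.e. the `compat` source is still active for `passwd`), and `entry_points` shows which libc calls from sshd led there, which narrows a crash like the one above to a specific nsswitch.conf line before any source is read.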

