Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang
severity 510678 normal
thanks

Hi,

the problem is a dead-lock in your setup. This is not a problem of libnss-ldap.

If this is a regression with the version in etch, please open a bug against release notes.

Greetings
Martin
--
Martin Zobel-Helas zo...@debian.org | Debian System Administrator
Debian GNU/Linux Developer | Debian Listmaster
Public key http://zobel.ftbfs.de/5d64f870.asc - KeyID: 5D64 F870
GPG Fingerprint: 5DB3 1301 375A A50F 07E7 302F 493E FB8E 5D64 F870
Processed: Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang
Processing commands for cont...@bugs.debian.org:

> severity 510678 normal
Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang
Severity set to `normal' from `critical'

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang
Neil Williams wrote:
> I'm confused. /etc/nsswitch.conf is created by base-files - the
> base-files postinst merely copies /usr/share/base-files/nsswitch.conf
> to /etc/ and the contents of that file on this system match the working
> example you've given in the bug report.
>
> libnss-ldap creates /etc/libnss-ldap.conf in the postinst.
>
> Installing libnss-ldap in a clean Sid chroot does not change
> /etc/nsswitch.conf.
[...]

I don't think this is the problem. As I understand the report, the problem is that LDAP authentication is not working at initial login. My guess is that there is no network connection at this point.

Are you using Network Manager to manage the network connection to the LDAP server? This probably will not work because Network Manager does not set up the network connection until after a user has logged in (and has the right privileges, and runs a Network Manager control applet).

Ben.

--
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had thought. ... I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs. - Maurice Wilkes, 1949
Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang
Here is the config from /usr/share/base-files/nsswitch.conf. On my Machine run at this moment no ldap authentication.

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc Name Service Switch' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

And configured /etc/libnss-ldap.conf for LDAP authentication.

My problem is an LDAP authentication, therefore I must change the file /etc/nsswitch.conf as usual for LDAP authentication. On my 1st post, I just copied the changed section.

Here is libnss-ldap.conf without commented stuffs

base dc=skpcc,dc=org
uri ldaps://hera.skpcc.org:636/
ldap_version 3
rootbinddn cn=admin,dc=skpcc,dc=org
timelimit 5
bind_timelimit 5
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_min_uid 1
pam_password exop
nss_base_passwd ou=Users,dc=skpcc,dc=org?one
nss_base_passwd ou=Computers,dc=skpcc,dc=org?one
nss_base_shadow ou=Users,dc=skpcc,dc=org?one
nss_base_group ou=Groups,dc=skpcc,dc=org?one
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ldap/cacerts/ca.cert
tls_cert /etc/ldap/cacerts/client.cert
tls_key /etc/ldap/cacerts/client.key

And yes NetworkManager is installed on Clients.

On Debian Etch, my Debian can booting til ends and the client can log in to the system with LDAP account. The whole configuration is the same between etch and lenny.

I've found the same bug on ubuntu but I couldn't find the link now. The bug exists on 2006 or 2007.
Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang
Package: libnss-ldap
Version: 261-2.1
Severity: critical
Justification: breaks the whole system

The ldap entry on nsswitch.conf for ldap authentication like:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

cause the whole system hang. The system loaded til gdm, but I just got an X mouse pointer. The system doesn't response any keyboard command, so that I can't kill the Xserver through ctrl+alt+backspace. I can't go to the terminal with ctrl+alt+f1-f6 too. Over SSH there is no connection to the system, because the system is hanging.

If I remove the ldap entry on nsswitch.conf, the system works normally. For example:

passwd:         compat
group:          compat
shadow:         compat

The chance to work with ldap authentication is just inserting ldap entry after the whole system loaded.

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing'), (10, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-ares-em64t (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldap depends on:
ii  debconf [debconf-2.0]  1.5.24              Debian configuration management sy
ii  libc6                  2.7-16              GNU C Library: Shared libraries
ii  libcomerr2             1.41.3-1            common error description library
ii  libkrb53               1.6.dfsg.4~beta1-4  MIT Kerberos runtime libraries
ii  libldap-2.4-2          2.4.11-1            OpenLDAP libraries
ii  libsasl2-2             2.1.22.dfsg1-23     Cyrus SASL - authentication abstra

Versions of packages libnss-ldap recommends:
ii  libpam-ldap            184-4.2             Pluggable Authentication Module fo
ii  nscd                   2.7-16              GNU C Library: Name Service Cache

libnss-ldap suggests no packages.

-- debconf information:
  libnss-ldap/bindpw: (password omitted)
* libnss-ldap/rootbindpw: (password omitted)
  libnss-ldap/dblogin: false
  libnss-ldap/override: true
* shared/ldapns/base-dn: dc=skpcc,dc=org
* shared/ldapns/ldap-server: ldaps://hera.skpcc.org:636/
  libnss-ldap/confperm: false
* libnss-ldap/rootbinddn: cn=admin,dc=skpcc,dc=org
* shared/ldapns/ldap_version: 3
  libnss-ldap/binddn: cn=proxyuser,dc=example,dc=net
* libnss-ldap/nsswitch:
  libnss-ldap/dbrootlogin: true
Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang
On Sun, 4 Jan 2009, root wrote:

> Package: libnss-ldap
> Version: 261-2.1
> Severity: critical
> Justification: breaks the whole system

You very likely are simply misconfigured, but I'll not yet drop the severity to a more appropriate value.

> The ldap entry on nsswitch.conf for ldap authentication like:
>
> passwd: compat ldap

Why compat ... if you aren't using NIS/NIS+, that should be 'files ldap'

> group: compat ldap
> shadow: compat ldap
>
> cause the whole system hang. The system loaded til gdm, but I just got
> an X mouse pointer. The system doesn't response any keyboard command,
> so that I can't kill the Xserver through ctrl+alt+backspace. I can't go
> to the terminal with ctrl+alt+f1-f6 too. Over SSH there is no
> connection to the system, because the system is hanging.

There should be informative messages in /var/log/auth.log, and possibly /var/log/syslog... I can't be of much use without seeing some of them.

> If I remove the ldap entry on nsswitch.conf, the system works normally.

1) boot up without LDAP auth
2) add ldap to nsswitch.conf
3) getent passwd some valid user in ldap
4) tweak /etc/libnss-ldap.conf until 3 works

Once that all is working, the next cause of hang is based upon installed package set - and their daemon user entries in /etc/passwd. You will need to add and tweak the following line in libnss-ldap.conf:

nss_initgroups_ignoreusers root,openldap,

IE: if gdm hangs, and there is a system userid for the gdm daemon, add its name to the ignoreusers line.

Why isn't the line already there and correct ? It would require going through the entire archive and scanning init.d files for anything that might possibly start before nscd (if installed), or the local slapd daemon (if installed) and adding those daemon users to the line... That is necessary, but not sufficient in that the sysadmin may change start order :(

I'd actually recommend you do what I have done - install libnss-ldapd instead.

--
Rick Nelson
Intel engineering seem to have misheard Intel marketing strategy. The phrase was Divide and conquer not Divide and cock up
(By iia...@www.linux.org.uk, Alan Cox)
Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang
> You very likely are simply misconfigured, but I'll not yet drop the
> severity to a more appropriate value.
>
>> The ldap entry on nsswitch.conf for ldap authentication like:
>>
>> passwd: compat ldap
>
> Why compat ... if you aren't using NIS/NIS+, that should be 'files ldap'
>
>> group: compat ldap
>> shadow: compat ldap
>>
>> cause the whole system hang. The system loaded til gdm, but I just got
>> an X mouse pointer. The system doesn't response any keyboard command,
>> so that I can't kill the Xserver through ctrl+alt+backspace. I can't go
>> to the terminal with ctrl+alt+f1-f6 too. Over SSH there is no
>> connection to the system, because the system is hanging.

OK thank you for the Info!

> There should be informative messages in /var/log/auth.log, and
> possibly /var/log/syslog... I can't be of much use without seeing some
> of them.

syslog

Jan 4 20:37:59 ares NetworkManager: info wlan0: Device is fully-supported using driver 'iwl3945'.
Jan 4 20:37:59 ares NetworkManager: info wlan0: driver supports SSID scans (scan_capa 0x01).
Jan 4 20:37:59 ares NetworkManager: info nm_device_init(): waiting for device's worker thread to start
Jan 4 20:37:59 ares NetworkManager: info nm_device_init(): device's worker thread started, continuing.
Jan 4 20:37:59 ares NetworkManager: info Now managing wireless (802.11) device 'wlan0'.
Jan 4 20:37:59 ares NetworkManager: info Deactivating device wlan0.
Jan 4 20:37:59 ares NetworkManager: info eth0: Device is fully-supported using driver 'tg3'.
Jan 4 20:37:59 ares NetworkManager: info nm_device_init(): waiting for device's worker thread to start
Jan 4 20:37:59 ares NetworkManager: info nm_device_init(): device's worker thread started, continuing.
Jan 4 20:37:59 ares NetworkManager: info Now managing wired Ethernet (802.3) device 'eth0'.
Jan 4 20:37:59 ares NetworkManager: info Deactivating device eth0.
Jan 4 20:37:59 ares avahi-daemon[3299]: Withdrawing address record for 10.19.8.182 on eth0.
Jan 4 20:37:59 ares avahi-daemon[3299]: Leaving mDNS multicast group on interface eth0.IPv4 with address 10.19.8.182.
Jan 4 20:37:59 ares avahi-daemon[3299]: Interface eth0.IPv4 no longer relevant for mDNS.
Jan 4 20:37:59 ares NetworkManager: info Will activate wired connection 'eth0' because it now has a link.
Jan 4 20:37:59 ares NetworkManager: info SWITCH: no current connection, found better connection 'eth0'.
Jan 4 20:37:59 ares dhcdbd: message_handler: message handler not found under /com/redhat/dhcp/eth0 for sub-path eth0.dbus.get.reason
Jan 4 20:37:59 ares NetworkManager: info Will activate connection 'eth0'.
Jan 4 20:37:59 ares NetworkManager: info Device eth0 activation scheduled...
Jan 4 20:37:59 ares NetworkManager: info Activation (eth0) started...
Jan 4 20:37:59 ares NetworkManager: info Activation (eth0) Stage 1 of 5 (Device Prepare) scheduled...
Jan 4 20:37:59 ares NetworkManager: info Activation (eth0) Stage 1 of 5 (Device Prepare) started...
Jan 4 20:37:59 ares NetworkManager: info Activation (eth0) Stage 2 of 5 (Device Configure) scheduled...
Jan 4 20:37:59 ares NetworkManager: info Activation (eth0) Stage 1 of 5 (Device Prepare) complete.
Jan 4 20:37:59 ares NetworkManager: info Activation (eth0) Stage 2 of 5 (Device Configure) starting...
Jan 4 20:37:59 ares NetworkManager: info Activation (eth0) Stage 2 of 5 (Device Configure) successful.
Jan 4 20:37:59 ares NetworkManager: info Activation (eth0) Stage 3 of 5 (IP Configure Start) scheduled.
Jan 4 20:37:59 ares NetworkManager: info Activation (eth0) Stage 2 of 5 (Device Configure) complete.
Jan 4 20:37:59 ares NetworkManager: info Activation (eth0) Stage 3 of 5 (IP Configure Start) started...
Jan 4 20:38:00 ares NetworkManager: info Activation (eth0) Beginning DHCP transaction.
Jan 4 20:38:00 ares anacron[3466]: Anacron 2.3 started on 2009-01-04
Jan 4 20:38:01 ares anacron[3466]: Normal exit (0 jobs run)
Jan 4 20:38:01 ares acpid: client connected from 3450[0:0]
Jan 4 20:38:01 ares /usr/sbin/cron[3496]: (CRON) INFO (pidfile fd = 3)
Jan 4 20:38:01 ares /usr/sbin/cron[3497]: (CRON) STARTUP (fork ok)
Jan 4 20:38:01 ares /usr/sbin/cron[3497]: (CRON) INFO (Running @reboot jobs)
Jan 4 20:38:04 ares kernel: [ 34.572265] [drm] Initialized drm 1.1.0 20060810
Jan 4 20:38:04 ares kernel: [ 34.586845] pci :00:02.0: PCI INT A - GSI 16 (level, low) - IRQ 16
Jan 4 20:38:04 ares kernel: [ 34.586854] pci :00:02.0: setting latency timer to 64
Jan 4 20:38:04 ares kernel: [ 34.587121] [drm] Initialized i915 1.6.0 20080730 on minor 0
Jan 4 20:38:04 ares NetworkManager: info Error getting killswitch power: org.freedesktop.DBus.Error.NoReply - Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Jan 4 20:38:04 ares NetworkManager: info Wireless now enabled by radio
Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang
If I remove the Network Manager, then the system doesn't hang. I think the bug isn't on libnss-ldap or nsswitch, but on Network Manager on Lenny.

I'm sorry Rick.

P.S.: How can I hide my mail address?
Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang
On Sun, 4 Jan 2009, Daniel Haryo Sugondo wrote:

>> There should be informative messages in /var/log/auth.log, and
>> possibly /var/log/syslog... I can't be of much use without seeing some
>> of them.
>
> syslog
[snip]
> auth.log
[snip]

uhm, neither of the log snips appear to be related to your hangs :(

> As I written on my 1st post. I can log on with my LDAP Account if I
> change the nsswitch.conf after booting. So this all works.

not necessarily (is pam-ldap also installed and in use ?)

does `getent passwd` show all system and ldap users ?

> I've already insert it, but my system still hang after reboot.

??? -- Confused.

> # Just assume that there are no supplemental groups for these named users
> nss_initgroups_ignoreusers root,avahi,haldaemon,gdm

Looks like a good start, but since your auth.log/syslog fragments weren't from a hang - there's no way to see what is going on

>> Why isn't the line already there and correct ? It would require going
>> through the entire archive and scanning init.d files for anything that
>> might possibly start before nscd (if installed), or the local slapd
>> daemon (if installed) and adding those daemon users to the line... That
>> is necessary, but not sufficient in that the sysadmin may change start
>> order :(

You may need to do part of this, or simply add all system users to the line

>> I'd actually recommend you do what I have done - install libnss-ldapd
>> instead.
>
> already installed, you can see it on auth.log.

So you're up and running now ?

--
Rick Nelson
Endy taniwha: Quote material :)
taniwha Endy: :)
knghtbrd Endy: I already snipped it
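The advice above to "simply add all system users to the line" can be checked mechanically. The shell functions below are an added example, not part of the thread or of libnss-ldap; they assume local system accounts have UIDs below 1000 (Debian's default split) and run against constructed sample files rather than the real /etc/passwd and /etc/libnss-ldap.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: local system accounts
# have UIDs below 1000 (Debian's default split).

# Print the names on the uncommented nss_initgroups_ignoreusers line(s)
# of a libnss-ldap.conf as one comma-separated list.
ignored_users() {
    awk '$1 == "nss_initgroups_ignoreusers" {
             sub(/^[ \t]*nss_initgroups_ignoreusers[ \t]+/, ""); gsub(/[ \t]/, "")
             list = list "," $0
         }
         END { print list }' "$1"
}

# missing_ignoreusers PASSWD CONF [UID_MAX]
# Print each account in PASSWD with UID < UID_MAX that CONF does not list.
missing_ignoreusers() {
    awk -F: -v max="${3:-1000}" -v ignored="$(ignored_users "$2")" '
        BEGIN { n = split(ignored, a, ",")
                for (i = 1; i <= n; i++) if (a[i] != "") skip[a[i]] = 1 }
        /^[-+#]/ || NF < 3 { next }   # compat +/- entries, comments, blanks
        $3 + 0 < max + 0 && !($1 in skip) { print $1 }
    ' "$1"
}

# suggest_line PASSWD CONF [UID_MAX]
# Print a replacement directive: existing names first, then the missing ones.
suggest_line() {
    { ignored_users "$2" | tr ',' '\n'
      missing_ignoreusers "$1" "$2" "$3"
    } | awk 'NF && !seen[$0]++' | paste -s -d, - |
        sed 's/^/nss_initgroups_ignoreusers /'
}

# Constructed sample input; the UIDs are invented for the demonstration.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
messagebus:x:103:108::/var/run/dbus:/bin/false
avahi:x:104:109::/var/run/avahi-daemon:/bin/false
haldaemon:x:105:111::/var/run/hald:/bin/false
gdm:x:106:113::/var/lib/gdm:/bin/false
alice:x:1000:1000::/home/alice:/bin/bash
+::::::
EOF
    echo 'nss_initgroups_ignoreusers root,avahi,haldaemon,gdm' > "$dir/conf"
    missing_ignoreusers "$dir/passwd" "$dir/conf"
    suggest_line "$dir/passwd" "$dir/conf"
    rm -rf "$dir"
}
demo
```

With the sample files, the line quoted in the thread (root,avahi,haldaemon,gdm) still leaves daemon and messagebus uncovered.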
Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang
>>> There should be informative messages in /var/log/auth.log, and
>>> possibly /var/log/syslog... I can't be of much use without seeing some
>>> of them.
>>
>> syslog
> [snip]
>> auth.log
> [snip]
>
> uhm, neither of the log snips appear to be related to your hangs :(

On my last messages I've removed the network manager and see, the system runs without any hang. I think the problem exists on network manager, not libnss-ldap.

>> As I written on my 1st post. I can log on with my LDAP Account if I
>> change the nsswitch.conf after booting. So this all works.
>
> not necessarily (is pam-ldap also installed and in use ?)
>
> does `getent passwd` show all system and ldap users ?
>
>> I've already insert it, but my system still hang after reboot.
>
> ??? -- Confused.
>
>> # Just assume that there are no supplemental groups for these named users
>> nss_initgroups_ignoreusers root,avahi,haldaemon,gdm
>
> Looks like a good start, but since your auth.log/syslog fragments
> weren't from a hang - there's no way to see what is going on

If the system hangs, then there is no log. :(

>>> Why isn't the line already there and correct ? It would require going
>>> through the entire archive and scanning init.d files for anything that
>>> might possibly start before nscd (if installed), or the local slapd
>>> daemon (if installed) and adding those daemon users to the line... That
>>> is necessary, but not sufficient in that the sysadmin may change start
>>> order :(
>
> You may need to do part of this, or simply add all system users to the
> line

I'll try to add all system users to the line, thanks for your advice.

>>> I'd actually recommend you do what I have done - install libnss-ldapd
>>> instead.
>>
>> already installed, you can see it on auth.log.
>
> So you're up and running now ?

Yes the system is up and running now, without network manager.