Public bug reported: Binary package hint: libnss-ldap
I'm having problems getting an Ubuntu 6.06.1 LTS host to authenticate against itself through LDAP. That is, this host is the LDAP server (slapd-2.2.26-5ubuntu2.2) and I am trying to get it to authenticate against itself. Debian testing clients are able to authenticate just fine against the LDAP server. Using the same client configuration files on the Ubuntu server, I cannot get it to authenticate against itself, either through login or ssh. I've tried this with TLS and without TLS, so that shouldn't be the problem. The fact that other Debian testing boxes can authenticate just fine leads me to suspect an Ubuntu issue. Since this is not specific to ssh (login fails too), and since the only relevant error messages are from lib_nss, this leads me to point the finger at libnss-ldap. Connection to itself is allowed and has been tested; no iptables rules are defined. tcpdump does show communication on tcp ldaps during authentication. Using ldapsearch works just fine. While searching for bugs I found certain bugs reported on edgy: https://launchpad.net/distros/ubuntu/+source/libnss-ldap/+bug/70146 So I ported the patch referred to there to Dapper. At the end you will find the patch in case you find it useful. Anyway, that didn't do the trick. 
-- [EMAIL PROTECTED]:~/devel/libnss-ldap# ldapsearch -x -H ldaps://dhcp1a.winlab.rutgers.edu -D "uid=mcgrof,ou=People,dc=winlab,dc=rutgers,dc=edu" -W -LLL cn=mc* dn Enter LDAP Password: dn: cn=mcgrof,ou=auto.home,dc=winlab,dc=rutgers,dc=edu dn: cn=mcyberey,ou=auto.home,dc=winlab,dc=rutgers,dc=edu -- [EMAIL PROTECTED]:~/devel/libnss-ldap# netstat -tlp | grep ldap tcp 0 0 localhost:ldap *:* LISTEN 8298/slapd tcp 0 0 *:ldaps *:* LISTEN 8298/slapd tcp6 0 0 *:ldaps *:* LISTEN 8298/slapd /var/log/auth.log reports: pam_ldap: ldap_simple_bind Can't contact LDAP server If you try again you get: Dec 12 17:45:33 dhcp1a sshd[20330]: pam_ldap: ldap_simple_bind Can't contact LDAP server Dec 12 17:45:33 dhcp1a sshd[20330]: nss_ldap: reconnecting to LDAP server... Dec 12 17:45:33 dhcp1a sshd[20330]: nss_ldap: reconnected to LDAP server after 1 attempt(s) Dec 12 17:45:35 dhcp1a sshd[20326]: error: PAM: Authentication service cannot retrieve authentication info. for mcgrof from localhost -- /etc/ldap/ldap.conf BASE dc=winlab,dc=rutgers,dc=edu URI ldaps://dhcp1a.winlab.rutgers.edu TLS_CACERT /etc/ldap/CAcert.pem -- /etc/libnss-ldap.conf host dhcp1a.winlab.rutgers.edu base dc=winlab,dc=rutgers,dc=edu uri ldaps://dhcp1a.winlab.rutgers.edu ldap_version 3 port 636 bind_policy soft ssl on tls_checkpeer no -- /etc/nsswitch.conf passwd: files ldap compat group: files ldap compat shadow: files ldap compat hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis automount: ldap -- /etc/pam.d/common-auth auth sufficient pam_ldap.so auth required pam_nologin.so auth required pam_env.so auth required pam_unix.so use_first_pass -- /etc/pam.d/common-account account sufficient pam_ldap.so account required pam_unix.so account required pam_nologin.so -- /etc/pam.d/common-password password sufficient pam_ldap.so use_authok password sufficient pam_unix.so use_authtok nullok md5 -- /etc/pam.d/ssh auth required pam_nologin.so auth required 
pam_env.so auth sufficient pam_ldap.so auth required pam_unix.so use_first_pass account [success=done new_authtok_reqd=done perm_denied=bad default=ignore] pam_ldap.so account required pam_unix.so account required pam_nologin.so session required pam_unix.so session required pam_limits.so -- /etc/ssh/sshd_config Port 22 Protocol 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key UsePrivilegeSeparation yes KeyRegenerationInterval 3600 ServerKeyBits 768 SyslogFacility AUTH LogLevel INFO LoginGraceTime 600 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes IgnoreRhosts yes RhostsRSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no PasswordAuthentication no X11Forwarding yes X11DisplayOffset 10 PrintMotd yes PrintLastLog yes KeepAlive yes Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes -- /etc/default/slapd SLAPD_CONF= SLAPD_USER= SLAPD_GROUP= SLAPD_PIDFILE= TRY_BDB_RECOVERY=yes SLURPD_START=auto SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:///" SLAPD_OPTIONS="" SLURPD_OPTIONS="" -- Backported LaMont Jones' patch for initgroups to Dapper:
diff -ur t/libnss-ldap-251/debian/changelog libnss-ldap-251/debian/changelog
--- t/libnss-ldap-251/debian/changelog 2006-11-21 07:47:11.000000000 -0700
+++ libnss-ldap-251/debian/changelog 2006-11-21 08:00:46.000000000 -0700
@@ -1,3 +1,9 @@
+libnss-ldap (251-5.2ubuntu1~proposed) edgy-updates; urgency=low
+
+  * Backport 253 fix for initgroups. Closes: ubuntu#70146
+
+ -- LaMont Jones <[EMAIL PROTECTED]> Tue, 21 Nov 2006 07:50:16 -0700
+
 libnss-ldap (251-5.2) unstable; urgency=high
 
   * Non-maintainer upload.
diff -ur t/libnss-ldap-251/ldap-grp.c libnss-ldap-251/ldap-grp.c
--- t/libnss-ldap-251/ldap-grp.c 2006-06-21 20:39:26.000000000 -0600
+++ libnss-ldap-251/ldap-grp.c 2006-11-21 07:48:26.000000000 -0700
@@ -19,7 +19,7 @@
  */
 
 static char rcsId[] =
-  "$Id: ldap-grp.c,v 2.105 2006/03/22 13:18:56 lukeh Exp $";
+  "$Id: ldap-grp.c,v 2.106 2006/09/13 06:33:09 lukeh Exp $";
 
 #include "config.h"
 
@@ -33,6 +33,7 @@
 #include <pthread.h>
 #endif
 
+#include <assert.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
@@ -719,7 +720,18 @@
               return NSS_TRYAGAIN;
             }
         }
-      if (*(lia->start) == *(lia->size))
+
+      if (*(lia->size) == 0)
+        {
+          *(lia->groups) = (gid_t *) realloc(*(lia->groups),
+                                             LDAP_NSS_NGROUPS * sizeof (gid_t));
+          if (*(lia->groups) == NULL)
+            {
+              return NSS_TRYAGAIN;
+            }
+          *(lia->size) = LDAP_NSS_NGROUPS;
+        }
+      else if (*(lia->start) == *(lia->size))
         {
           /* Need a bigger buffer */
           *(lia->groups) = (gid_t *) realloc (*(lia->groups),
@@ -730,6 +742,10 @@
             }
           *(lia->size) *= 2;
         }
+      else
+        {
+          assert(*(lia->start) < *(lia->size));
+        }
 
       /* weed out duplicates; is this really our responsibility? */
       for (i = 0; i < *(lia->start); i++)
diff -ur t/libnss-ldap-251/ldap-netgrp.c libnss-ldap-251/ldap-netgrp.c
--- t/libnss-ldap-251/ldap-netgrp.c 2006-06-21 20:39:26.000000000 -0600
+++ libnss-ldap-251/ldap-netgrp.c 2006-11-21 07:48:26.000000000 -0700
@@ -18,11 +18,11 @@
    write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
    Boston, MA 02111-1307, USA.
 
-   $Id: ldap-netgrp.c,v 2.44 2006/01/11 18:03:48 lukeh Exp $
+   $Id: ldap-netgrp.c,v 2.45 2006/09/13 06:35:48 lukeh Exp $
  */
 
 static char rcsId[] =
-  "$Id: ldap-netgrp.c,v 2.44 2006/01/11 18:03:48 lukeh Exp $";
+  "$Id: ldap-netgrp.c,v 2.45 2006/09/13 06:35:48 lukeh Exp $";
 
 #include "config.h"
 
@@ -791,7 +791,6 @@
 static NSS_STATUS
 _nss_ldap_innetgr (nss_backend_t * be, void *_args)
 {
-  NSS_STATUS stat = NSS_NOTFOUND;
   struct nss_innetgr_args *args = (struct nss_innetgr_args *) _args;
   int i;
 
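Review bot: In the new `*(lia->size) == 0` branch of the `@@ -719,7 +720,18 @@` hunk, `*(lia->groups) = (gid_t *) realloc(*(lia->groups), ...)` overwrites the caller's pointer before the result is checked, so if a buffer was already attached it is leaked on failure and the caller is left holding NULL alongside NSS_TRYAGAIN; use a temporary instead: `gid_t *tmp = realloc (*(lia->groups), LDAP_NSS_NGROUPS * sizeof (gid_t)); if (tmp == NULL) return NSS_TRYAGAIN; *(lia->groups) = tmp;`. The pre-existing "Need a bigger buffer" branch in the context lines has the same pattern, but that is not part of this change. The `assert(*(lia->start) < *(lia->size))` added in the `@@ -730,6 +742,10 @@` hunk, and the three `argc <= 1` asserts added in ldap-netgrp.c, abort whatever process has loaded the NSS module (sshd, login, cron, ...) if the invariant ever fails and disappear entirely under NDEBUG, so returning `NSS_UNAVAIL` on the unexpected state would keep a malformed call from taking the host process down. The enclosing function starts and ends outside these hunks.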
@@ -806,28 +805,27 @@
          args->arg[NSS_NETGR_MACHINE].argc, args->arg[NSS_NETGR_USER].argc,
          args->arg[NSS_NETGR_DOMAIN].argc, args->groups.argc);
 
-  /* Presume these are harmonized -- this is a strange interface */
-  assert (args->arg[NSS_NETGR_MACHINE].argc == 0 ||
-          args->arg[NSS_NETGR_MACHINE].argc == args->groups.argc);
-  assert (args->arg[NSS_NETGR_USER].argc == 0 ||
-          args->arg[NSS_NETGR_USER].argc == args->groups.argc);
-  assert (args->arg[NSS_NETGR_DOMAIN].argc == 0 ||
-          args->arg[NSS_NETGR_DOMAIN].argc == args->groups.argc);
+  /* note: mountd on Solaris does set multiple 'groups' with one 'arg' for
+   * efficiency reasons */
+
+  assert (args->arg[NSS_NETGR_MACHINE].argc <= 1);
+  assert (args->arg[NSS_NETGR_USER].argc <= 1);
+  assert (args->arg[NSS_NETGR_DOMAIN].argc <= 1);
 
   _nss_ldap_enter ();
 
+  const char *machine = (args->arg[NSS_NETGR_MACHINE].argc != 0) ?
+    args->arg[NSS_NETGR_MACHINE].argv[0] : NULL;
+  const char *user = (args->arg[NSS_NETGR_USER].argc != 0) ?
+    args->arg[NSS_NETGR_USER].argv[0] : NULL;
+  const char *domain = (args->arg[NSS_NETGR_DOMAIN].argc != 0) ?
+    args->arg[NSS_NETGR_DOMAIN].argv[0] : NULL;
+
   for (i = 0; i < args->groups.argc; i++)
     {
       NSS_STATUS parseStat;
       ldap_innetgr_args_t li_args;
-      const char *machine = (args->arg[NSS_NETGR_MACHINE].argc != 0) ?
-        args->arg[NSS_NETGR_MACHINE].argv[i] : NULL;
-      const char *user = (args->arg[NSS_NETGR_USER].argc != 0) ?
-        args->arg[NSS_NETGR_USER].argv[i] : NULL;
-      const char *domain = (args->arg[NSS_NETGR_DOMAIN].argc != 0) ?
-        args->arg[NSS_NETGR_DOMAIN].argv[i] : NULL;
-
       li_args.lia_netgroup = args->groups.argv[i];
       li_args.lia_netgr_status = NSS_NETGR_NO;
       li_args.lia_depth = 0;
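Review bot: The hoisted `const char *machine = ...`, `user` and `domain` declarations in the `@@ -806,28 +805,27 @@` hunk now follow the `_nss_ldap_enter ();` statement, a C99 mixed declaration in a file that otherwise keeps declarations at the top of each block (compare `NSS_STATUS parseStat;` and `ldap_innetgr_args_t li_args;` just below); a `-std=c89`/`-pedantic` build or an older compiler will reject it, so they should move up to the function's declaration list where the removed `stat` used to be. Indexing `argv[0]` for every netgroup is only correct because of the three `argc <= 1` asserts above it; under NDEBUG a caller passing more than one machine, user or domain silently gets the first one applied to every group, which a comment such as `/* argv[0] is reused for every group; argc > 1 is rejected by the asserts above */` would at least record. The enclosing function continues past the hunk.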
@@ -846,15 +844,15 @@
 
       if (args->status == NSS_NETGR_FOUND)
         {
-          stat = NSS_SUCCESS;
+          _nss_ldap_leave ();
+          debug ("<== _nss_ldap_innetgr (FOUND)");
+          return NSS_SUCCESS;
         }
     }
 
   _nss_ldap_leave ();
-
-  debug ("<== _nss_ldap_innetgr");
-
-  return stat;
+  debug ("<== _nss_ldap_innetgr (not found)");
+  return NSS_NOTFOUND;
 }
 
 /*
diff -ur t/libnss-ldap-251/ldap-nss.h libnss-ldap-251/ldap-nss.h
--- t/libnss-ldap-251/ldap-nss.h 2006-11-21 07:47:11.000000000 -0700
+++ libnss-ldap-251/ldap-nss.h 2006-11-21 07:48:26.000000000 -0700
@@ -96,9 +96,9 @@
  * unacceptable, in which case you may wish to adjust
  * the constants below.
  */
-#define LDAP_NSS_TRIES 5 /* number of sleeping reconnect attempts */
-#define LDAP_NSS_SLEEPTIME 4 /* seconds to sleep; doubled until max */
-#define LDAP_NSS_MAXSLEEPTIME 64 /* maximum seconds to sleep */
+#define LDAP_NSS_TRIES 1 /* number of sleeping reconnect attempts */
+#define LDAP_NSS_SLEEPTIME 1 /* seconds to sleep; doubled until max */
+#define LDAP_NSS_MAXSLEEPTIME 8 /* maximum seconds to sleep */
 #define LDAP_NSS_MAXCONNTRIES 2 /* reconnect attempts before sleeping */
 
 #if defined(HAVE_NSSWITCH_H) || defined(HAVE_IRS_H)
@@ -691,6 +691,9 @@
 void _nss_ldap_block_sigpipe (void);
 void _nss_ldap_unblock_sigpipe (void);
 
+void _nss_ldap_block_sigpipe (void);
+void _nss_ldap_unblock_sigpipe (void);
+
 /*
  * Acquire global nss_ldap lock and blocks SIGPIPE.
  * Generally this should only be done within ldap-nss.c.
** Affects: libnss-ldap (Ubuntu) Importance: Undecided Status: Unconfirmed -- cannot connect to ldap https://launchpad.net/bugs/75535 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
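Review bot: The `@@ -96,9 +96,9 @@` hunk in ldap-nss.h cuts `LDAP_NSS_TRIES` from 5 to 1, `LDAP_NSS_SLEEPTIME` from 4 to 1 and `LDAP_NSS_MAXSLEEPTIME` from 64 to 8, which by the comments on those lines changes how long every lookup keeps retrying an unreachable server, yet the changelog entry only mentions the initgroups fix. That presumably matters for this very report: the auth.log excerpt shows nss_ldap reconnecting right after the failed `ldap_simple_bind`, so with a single sleeping attempt a transient failure is handed back to PAM rather than retried. Either keep the original values in the Dapper backport or add a changelog line naming the change, e.g. `* Lower LDAP_NSS_TRIES/SLEEPTIME/MAXSLEEPTIME so lookups fail fast when the server is unreachable.`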
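Review bot: The `@@ -691,6 +691,9 @@` hunk adds prototypes for `_nss_ldap_block_sigpipe` and `_nss_ldap_unblock_sigpipe` directly beneath identical declarations that are already present in the context lines, so the header now declares both functions twice. C accepts a compatible redeclaration, but the duplicate looks like a merge artifact of the backport and should be dropped, leaving that part of the header as it was before the hunk.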