From: "O. Hartmann" (Freie Universität Berlin)
Date: Fri, 24 Apr 2009 11:54:38 +0000
To: openldap-software@openldap.org, freebsd-questions@freebsd.org
Subject: OpenLDAP > 2.4.11 sshd[3997]: fatal: login_get_lastlog: Cannot find account for uid 2000

We run a bunch of FreeBSD boxes, some FreeBSD 7.2, others (most) FreeBSD 8.0-CURRENT (most amd64). These boxes manage their users via OpenLDAP 2.4.XX. Before we did an upgrade to OpenLDAP 2.4.15/16, everything was all right.
Now, after nearly all of our OpenLDAP servers have been upgraded to 2.4.16, users cannot log in via ssh onto their hosts for work. Because this is at this very moment a very small scientific test facility, I circumvent the problem by having local accounts the traditional way.

When users try to log in on a workstation via ssh, the connection gets closed after they have provided their password, with this error:

sshd[3997]: fatal: login_get_lastlog: Cannot find account for uid 2000

(or whatever UID is provided.)

Sshd on the server side is configured to use PAM, and both pam_ldap and nss_ldap are installed, up to date, and recompiled to match OpenLDAP 2.4.16. Besides, OpenLDAP 2.4.11/13/14/15/16 uses DB4.7 on our installation.

The funny thing is that this problem occurred immediately and synchronously on all clients and OpenLDAP servers when moved from 2.4.11 to 2.4.16/db47. On the other hand, and also very funny and confusing, I can enumerate every UID in the home directory, I can 'su' to every user managed by LDAP, users are able to authenticate themselves when using SAMBA (also OpenLDAP backed), and web users authenticate when accessing restricted pages on our site secured by OpenLDAP-backed authentication (lighttpd). But no one is capable of logging in via ssh!

The situation is very frustrating. I do not see anything suspicious when tracking OpenLDAP's logs (ACL/stats), nor do I see anything weird when looking at sshd's logs. I need help to track down this problem. When I search the net for the above-mentioned specific error message I get a lot of trouble reports concerning nss_ldap and sshd, but those are related to 2003/2005.

Any suggestions?

Thanks in advance,
Oliver
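The one check the symptom pattern in this post calls for, added here as an example and not part of the original message or of any reply to it: OpenSSH's login_get_lastlog() resolves the already authenticated user by UID with getpwuid(3) and calls fatal() with exactly this message when that returns NULL, whereas su(1), pam_ldap and Samba resolve the account by name with getpwnam(3). So "su works, ssh dies after the password" is consistent with nss_ldap answering name lookups but not UID lookups. The script below exercises both NSS paths through Python's pwd module and classifies the result; the UIDs and the account name passed on the command line are assumptions to be replaced with a real LDAP user on the affected box (run it both as root and as an unprivileged user, since nss_ldap's bind credentials can differ between the two).

```python
"""Check whether NSS resolves an account symmetrically by UID and by name.

Added diagnostic (not from the mailing-list post). Assumes only a POSIX
libc reachable through Python's pwd module, so it works on FreeBSD with
nss_ldap as well as on Linux. The UIDs used below are example values.
"""
import sys
from typing import Optional
import pwd


def lookup_by_uid(uid: int) -> Optional[str]:
    """getpwuid(3) through NSS: the call sshd's login_get_lastlog() makes."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def lookup_by_name(name: str) -> Optional[int]:
    """getpwnam(3) through NSS: the call su(1) and pam_ldap make."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def diagnose(uid: int, expected_name: Optional[str] = None) -> str:
    """Classify one UID.

    'ok'               : uid -> name -> uid round-trips.
    'uid-lookup-fails' : getpwuid() fails but getpwnam(expected_name) works;
                         this is the sshd failure mode while su still works.
    'name-lookup-fails': getpwuid() works but the returned name does not
                         resolve back (inconsistent directory/NSS data).
    'uid-mismatch'     : name resolves back to a different uidNumber.
    'unknown'          : neither path knows the account.
    """
    name = lookup_by_uid(uid)
    if name is None:
        if expected_name is not None and lookup_by_name(expected_name) is not None:
            return "uid-lookup-fails"
        return "unknown"
    back = lookup_by_name(name)
    if back is None:
        return "name-lookup-fails"
    if back != uid:
        return "uid-mismatch"
    return "ok"


if __name__ == "__main__":
    # Usage: nsscheck.py UID [NAME]   e.g. nsscheck.py 2000 alice
    # With no arguments it checks uid 0, which must always be 'ok'.
    args = sys.argv[1:] or ["0"]
    uid = int(args[0])
    expected = args[1] if len(args) > 1 else None
    print(f"uid {uid}: {diagnose(uid, expected)}")
```

The shell equivalent for a one-off check is `getent passwd 2000` beside `getent passwd <name>`; the script just makes the asymmetry explicit and lets you loop over every LDAP UID. If a user comes back as 'uid-lookup-fails', the place to look is the passwd-by-UID search nss_ldap issues (its filter, search base and the bind identity it uses for that lookup), compared against the by-name search that still succeeds, in slapd's stats log.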