Date: Mon, 16 Mar 2009 10:13:56 -0400 (EDT)
From: tmclaugh@sdf.lonestar.org
To: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Cc: Kostik Belousov <kostikbel@gmail.com>, Tom McLaughlin <tmclaugh@sdf.lonestar.org>, Hartmut Brandt <hartmut.brandt@dlr.de>, kazakov@gmail.com, current@freebsd.org
Subject: Re: problem with nss_ldap
Message-ID: <3c4353769adb319a256012e3a5d55931.squirrel@webmail.freeshell.org>
In-Reply-To: <49BE338F.1070301@zedat.fu-berlin.de>
References: <E2F5A6372272F744859F67CB11ABC1110507D4@exbe05.intra.dlr.de> <alpine.BSF.1.10.0901231858510.1173@knopdnsimu13l.kn.op.dlr.de> <49A69B74.1080201@sdf.lonestar.org> <49A97F2E.3030005@sdf.lonestar.org> <20090306213531.G60465@beagle.kn.op.dlr.de> <20090306211650.GD41617@deviant.kiev.zoral.com.ua> <ea4fb05da7fa78720849158fe0fcb840.squirrel@webmail.freeshell.org> <20090306222433.GF41617@deviant.kiev.zoral.com.ua> <FE4696E5-35E2-45BC-893E-F74CCB5A7F05@rabson.org> <20090310114131.GD41617@deviant.kiev.zoral.com.ua> <70D16F57-F7E3-4CDA-BCD5-5D79B566510B@rabson.org> <49B69C36.3010307@sdf.lonestar.org> <20090312092235.F78834@beagle.kn.op.dlr.de> <49BD8A23.4090909@sdf.lonestar.org> <20090316093602.O92264@beagle.kn.op.dlr.de> <49BE338F.1070301@zedat.fu-berlin.de>
> Hartmut Brandt wrote:
>> On Sun, 15 Mar 2009, Tom McLaughlin wrote:
>>
>> TM>Hartmut Brandt wrote:
>> TM>> On Tue, 10 Mar 2009, Tom McLaughlin wrote:
>> TM>>
>> TM>> TM>Doug Rabson wrote:
<snip>
>
> Today I found this posting here having much trouble with authentication
> on some clients.
>
> After an update of the LDAP server from OpenLDAP 2.4.14 to 2.4.15 and
> updating db-4.6 to db-4.7 (all on the server, server runs FreeBSD
> 7.1-STABLE/i386), I have no luck logging in via ssh on any client (client
> runs FreeBSD 8.0-CURRENT/amd64). Client has also db-4.7 and OpenLDAP
> 2.4.15 and I recompiled pam_ldap and nss_ldap when I updated OpenLDAP
> 2.4.14 to OpenLDAP 2.4.15.
>
> Checking console log gives me this:
>
> Mar 16 11:04:34 thusnelda sshd[1560]: fatal: login_get_lastlog: Cannot find account for uid 1000
> Mar 16 11:04:34 thusnelda sshd[1560]: syslogin_perform_logout: logout() returned an error
>
> Checking sshd.log gives this:
>
> Mar 16 11:04:19 thusnelda sshd[1560]: Accepted keyboard-interactive/pam for user from XXX.XXX.XXX.XXX port 61861 ssh2
> Mar 16 11:04:19 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Can't contact LDAP server
> Mar 16 11:04:34 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Timed out
> Mar 16 11:04:34 thusnelda sshd[1560]: nss_ldap: could not search LDAP server - Server is unavailable
> Mar 16 11:04:34 thusnelda sshd[1560]: fatal: login_get_lastlog: Cannot find account for uid 1000
> Mar 16 11:04:34 thusnelda sshd[1560]: syslogin_perform_logout: logout() returned an error
>
> This happens now on all boxes running the most recent OpenLDAP 2.4.15.
>
> Is there a serious issue we should PR?
>
> Thanks in advance,
> Oliver
>

Need a lot more info here. The issue in this thread has been related to GSSAPI and nss_ldap and manifests itself when you use krb5_ccname in the nss_ldap.conf. Is the problem only related to authentication? Only sshd?

If you're on the box does nss_ldap work fine and enumerate all users and groups just fine? Are only -CURRENT boxes showing problems? What about -STABLE? When did everything break? What do the ldap server logs say if you have access to them? (Might want to bump up the loglevel on openldap too.)

tom
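As an added example, not code from this thread, here is a small Python triage script over sshd.log lines of the kind Oliver quoted (the sample below is constructed from his excerpt). It separates name-service (nss_ldap) failures from authentication failures by flagging sessions that PAM already accepted but that sshd then could not map back to an account, which is the first question Tom asks.

```python
import re

# Constructed sample: the sshd.log excerpt quoted in the thread above.
SAMPLE_LOG = """\
Mar 16 11:04:19 thusnelda sshd[1560]: Accepted keyboard-interactive/pam for user from XXX.XXX.XXX.XXX port 61861 ssh2
Mar 16 11:04:19 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Mar 16 11:04:34 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Timed out
Mar 16 11:04:34 thusnelda sshd[1560]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 16 11:04:34 thusnelda sshd[1560]: fatal: login_get_lastlog: Cannot find account for uid 1000
Mar 16 11:04:34 thusnelda sshd[1560]: syslogin_perform_logout: logout() returned an error
"""

# syslog prefix "Mon DD HH:MM:SS host sshd[pid]: message"; any other line is ignored
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
NSS_RE = re.compile(r"^nss_ldap: .*? - (?P<reason>.*)$")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from")
NOACCT_RE = re.compile(r"Cannot find account for uid (?P<uid>\d+)")

def parse_sshd_log(text):
    """Return [(pid, message)] for every sshd line in the text."""
    hits = (LINE_RE.match(line) for line in text.splitlines())
    return [(int(m.group("pid")), m.group("msg")) for m in hits if m]

def nss_reasons(text):
    """Distinct nss_ldap failure reasons, in order of first appearance."""
    seen = []
    for _pid, msg in parse_sshd_log(text):
        m = NSS_RE.match(msg)
        if m and m.group("reason") not in seen:
            seen.append(m.group("reason"))
    return seen

def post_auth_lookup_failures(text):
    """Sessions PAM accepted but sshd then could not map the uid back to an
    account: the name service (nss_ldap) failed, not authentication.
    Returns {pid: {"user": ..., "uid": ..., "nss": [reasons seen on that pid]}}."""
    sessions = {}
    for pid, msg in parse_sshd_log(text):
        a = ACCEPT_RE.match(msg)
        if a:
            sessions[pid] = {"user": a.group("user"), "uid": None, "nss": []}
        elif pid in sessions:
            n = NSS_RE.match(msg)
            if n:
                sessions[pid]["nss"].append(n.group("reason"))
            u = NOACCT_RE.search(msg)
            if u:
                sessions[pid]["uid"] = int(u.group("uid"))
    return {p: s for p, s in sessions.items() if s["uid"] is not None}
```

On the sample, `post_auth_lookup_failures(SAMPLE_LOG)` reports only sshd[1560]: the user was authenticated, then uid 1000 became unresolvable while nss_ldap reported "Server is unavailable", so the LDAP server (or the client's path to it) is the place to look rather than PAM.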
