From owner-freebsd-current@FreeBSD.ORG Mon Mar 16 14:14:04 2009
From: tmclaugh@sdf.lonestar.org
To: "O. Hartmann"
Cc: Kostik Belousov, Tom McLaughlin, Hartmut Brandt, kazakov@gmail.com, current@freebsd.org
Date: Mon, 16 Mar 2009 10:13:56 -0400 (EDT)
Subject: Re: problem with nss_ldap
Message-ID: <3c4353769adb319a256012e3a5d55931.squirrel@webmail.freeshell.org>
In-Reply-To: <49BE338F.1070301@zedat.fu-berlin.de>
References: <49A69B74.1080201@sdf.lonestar.org> <49A97F2E.3030005@sdf.lonestar.org> <20090306213531.G60465@beagle.kn.op.dlr.de> <20090306211650.GD41617@deviant.kiev.zoral.com.ua> <20090306222433.GF41617@deviant.kiev.zoral.com.ua> <20090310114131.GD41617@deviant.kiev.zoral.com.ua> <70D16F57-F7E3-4CDA-BCD5-5D79B566510B@rabson.org> <49B69C36.3010307@sdf.lonestar.org> <20090312092235.F78834@beagle.kn.op.dlr.de> <49BD8A23.4090909@sdf.lonestar.org> <20090316093602.O92264@beagle.kn.op.dlr.de> <49BE338F.1070301@zedat.fu-berlin.de>
User-Agent: SquirrelMail/1.4.17
List-Id: Discussions about the use of FreeBSD-current

> Hartmut Brandt wrote:
>> On Sun, 15 Mar 2009, Tom McLaughlin wrote:
>>
>> TM>Hartmut Brandt wrote:
>> TM>> On Tue, 10 Mar 2009, Tom McLaughlin wrote:
>> TM>>
>> TM>> TM>Doug Rabson wrote:
>
> Today I found this posting here, having much trouble with authentication
> on some clients.
>
> After an update of the LDAP server from OpenLDAP 2.4.14 to 2.4.15 and
> updating db-4.6 to db-4.7 (all on the server; the server runs FreeBSD
> 7.1-STABLE/i386), I have no luck logging in via ssh on any client (the
> client runs FreeBSD 8.0-CURRENT/amd64). The client also has db-4.7 and
> OpenLDAP 2.4.15, and I recompiled pam_ldap and nss_ldap when I updated
> OpenLDAP 2.4.14 to OpenLDAP 2.4.15.
>
> Checking the console log gives me this:
>
> Mar 16 11:04:34 thusnelda sshd[1560]: fatal: login_get_lastlog: Cannot find account for uid 1000
> Mar 16 11:04:34 thusnelda sshd[1560]: syslogin_perform_logout: logout() returned an error
>
> Checking sshd.log gives this:
>
> Mar 16 11:04:19 thusnelda sshd[1560]: Accepted keyboard-interactive/pam for user from XXX.XXX.XXX.XXX port 61861 ssh2
> Mar 16 11:04:19 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Can't contact LDAP server
> Mar 16 11:04:34 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Timed out
> Mar 16 11:04:34 thusnelda sshd[1560]: nss_ldap: could not search LDAP server - Server is unavailable
> Mar 16 11:04:34 thusnelda sshd[1560]: fatal: login_get_lastlog: Cannot find account for uid 1000
> Mar 16 11:04:34 thusnelda sshd[1560]: syslogin_perform_logout: logout() returned an error
>
> This happens now on all boxes running the most recent OpenLDAP 2.4.15.
>
> Is there a serious issue we should PR?
>
> Thanks in advance,
> Oliver
>

Need a lot more info here. The issue in this thread has been related to
GSSAPI and nss_ldap and manifests itself when you use krb5_ccname in
nss_ldap.conf. Is the problem only related to authentication? Only sshd?
If you're on the box, does nss_ldap work fine and enumerate all users and
groups just fine? Are only -CURRENT boxes showing problems? What about
-STABLE? When did everything break? What do the LDAP server logs say, if
you have access to them? (Might want to bump up the loglevel on OpenLDAP
too.)

tom
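As an added example, not part of the thread and not anything Tom or Oliver posted: a small POSIX sh triage script that walks the checks Tom asks for. It answers whether the uid resolves through NSS outside of sshd, whether nsswitch.conf actually consults ldap for passwd/group, whether the nss_ldap.conf carries the krb5_ccname setting the rest of the thread is about, whether the LDAP server answers an anonymous root-DSE read within a few seconds, and it summarises an sshd log in the shape quoted above. The paths (/etc/nsswitch.conf, /usr/local/etc/nss_ldap.conf from the nss_ldap port, /var/log/auth.log) are FreeBSD defaults and are assumptions; the embedded log sample is constructed from the excerpt in the mail, with wrapped lines rejoined.

```shell
#!/bin/sh
# Added triage helper for the symptom quoted above (nss_ldap timing out
# under sshd, sshd then dying in login_get_lastlog). Not from the thread.
# Paths are FreeBSD defaults for the base system and the nss_ldap port
# and are assumptions; override them in the environment if yours differ.

NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
NSS_LDAP_CONF=${NSS_LDAP_CONF:-/usr/local/etc/nss_ldap.conf}
AUTH_LOG=${AUTH_LOG:-/var/log/auth.log}

# Does the local NSS stack resolve the uid at all, outside of sshd?
# Answers "if you're on the box does nss_ldap work fine".
uid_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Is "ldap" listed as a source for passwd or group in an nsswitch.conf?
# Takes the file as $1 so it can be run against a copy.
nss_uses_ldap() {
    awk '
        /^[ \t]*(passwd|group):/ {
            sub(/#.*/, ""); gsub(/:/, " ")
            for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1
        }
        END { exit !found }
    ' "$1"
}

# Is krb5_ccname set (uncommented) in an nss_ldap.conf?  That is the
# GSSAPI configuration the rest of this thread is about.
nss_ldap_uses_krb5_ccname() {
    grep -Eq '^[[:space:]]*krb5_ccname[[:space:]]' "$1"
}

# Summarise sshd log lines on stdin: how many nss_ldap lookups failed,
# and how many sessions died in login_get_lastlog because of it.
triage_log() {
    awk '
        /sshd\[[0-9]+\]: nss_ldap: / { nss++ }
        /sshd\[[0-9]+\]: fatal: login_get_lastlog: Cannot find account for uid/ { fatal++ }
        END { printf "nss_ldap_errors=%d lastlog_fatals=%d\n", nss + 0, fatal + 0 }
    '
}

# Constructed sample mirroring the log excerpt in the thread (wrapped lines rejoined).
sample_log() {
    cat <<'EOF'
Mar 16 11:04:19 thusnelda sshd[1560]: Accepted keyboard-interactive/pam for user from XXX.XXX.XXX.XXX port 61861 ssh2
Mar 16 11:04:19 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Mar 16 11:04:34 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Timed out
Mar 16 11:04:34 thusnelda sshd[1560]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 16 11:04:34 thusnelda sshd[1560]: fatal: login_get_lastlog: Cannot find account for uid 1000
Mar 16 11:04:34 thusnelda sshd[1560]: syslogin_perform_logout: logout() returned an error
EOF
}

# Live checks against the running box; invoked as: sh nss_triage.sh --check 1000
main() {
    uid=$1
    if uid_resolves "$uid"; then
        echo "uid $uid resolves via NSS"
    else
        echo "uid $uid does NOT resolve via NSS (so the problem is not sshd-specific)"
    fi
    if nss_uses_ldap "$NSSWITCH"; then
        echo "$NSSWITCH consults ldap for passwd/group"
    else
        echo "$NSSWITCH does not list ldap for passwd/group"
    fi
    if nss_ldap_uses_krb5_ccname "$NSS_LDAP_CONF"; then
        echo "$NSS_LDAP_CONF sets krb5_ccname (GSSAPI path discussed in this thread)"
    fi
    # Anonymous root-DSE read with a 5 s time limit: is the server answering at all?
    uri=$(awk '$1 == "uri" { print $2; exit }' "$NSS_LDAP_CONF" 2>/dev/null)
    if command -v ldapsearch >/dev/null 2>&1 && [ -n "$uri" ]; then
        if ldapsearch -x -H "$uri" -l 5 -s base -b '' '(objectClass=*)' namingContexts >/dev/null 2>&1; then
            echo "LDAP server at $uri answers an anonymous root DSE query"
        else
            echo "LDAP server at $uri did not answer within 5 s (matches \"Can't contact LDAP server\")"
        fi
    fi
    [ -r "$AUTH_LOG" ] && triage_log < "$AUTH_LOG"
}

case "${1:-}" in
    --check) main "${2:-1000}" ;;
esac
```

Run it on an affected client with `sh nss_triage.sh --check 1000` (the uid from the quoted log). If the uid fails to resolve with plain `getent` as well, the fault is in the NSS/LDAP path rather than in sshd; if the root-DSE read also times out, the server side is the place to look next, which is where raising the OpenLDAP loglevel comes in.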