From owner-freebsd-questions@FreeBSD.ORG Mon Jan 24 18:04:21 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2DB8F16A4CE; Mon, 24 Jan 2005 18:04:21 +0000 (GMT) Received: from wmptl.net (mail.wmptl.com [216.8.159.133]) by mx1.FreeBSD.org (Postfix) with ESMTP id 80AE043D1D; Mon, 24 Jan 2005 18:04:20 +0000 (GMT) (envelope-from nvidican@wmptl.com) Received: from r3140ca ([10.0.0.104]) by wmptl.net (8.13.1/8.12.9) with ESMTP id j0OI4ITV040512; Mon, 24 Jan 2005 13:04:19 -0500 (EST) From: "Nathan Vidican" To: Date: Mon, 24 Jan 2005 13:04:18 -0500 Message-ID: <000e01c5023f$1fd25380$6800000a@r3140ca> X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 X-Spam-Score: 4.6 (****) MANGLED_LIPS,MANGLED_OFF X-Scanned-By: MIMEDefang 2.44 cc: amd64@freebsd.org Subject: Problem with nss_ldap in FreeBSD 5.3-RELEASE/AMD64 (2nd edition) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jan 2005 18:04:21 -0000 Hey All, - Sorry, forgot the attachement, same msg as earlier follows: Not entirely sure which list this should be sent to, so I figured sending to the general list would be a good start. If there's a more appropriate list, could someone kindly reply and direct me as to who else may be better able to help solve or at least point me in the right direction to solve this problem myself. - Thanks. That said, here goes; I am apparently encountering an overflow of sorts with nss_ldap on FreeBSD: ---------------------------------------------------------------------------- --------------------- Currently running OpenLDAP server, to store all local usernames/passwords/groups/shells/homedirs info. The accounts are shared between the system on the FreeBSD side using posixAccount attributes, and on the Windows side using sambaSamAccount attributes. We are using the FreeBSD port of LAM to create/modify/manage users and groups internally through a web-based interface running on Apache/php. Further details, including version specifics, etc will follow, just prefer to give you an idea of the problem we're having before wasting your time reading all the really specific stuff. Here's the problem, only a few selected usernames (4 out of about 190 or so), root cannot do a 'cd ~username'. This seems to cause issues with samba, and the list just goes on from there. What happens when one logged in as root types in the command 'cd ~username', is apparently an overflow of some sort which leaves one connected to the LDAP session, a simple [CRTL]+D releases one back to console. This same condition occurs when ANY user (not just root) attempts to cd to one of these 4 user directories; what troubles me most, is this happens regardless of permission issues to the filesystem, as it is apparently during the username lookup that it happens, to what extent the open session can allow someone access as an intruder of sorts I do not know - but nonetheless fear as an administrator, that this could be a security risk as well. I have attached a UNICODE txt file of a session which shows what one gets on the console when one attempts to 'cd ~USERNAME', where 'USERNAME' was edited removing the original username. Here's what I've tried to resolve the issue: -------------------------------------------- First tried re-creating the user objects in the LDAP tree, failing that, I removed them, and re-created them with different UID numbers; essentially making them different objects with different distinctive names (DN's) in the database - nothing, same problem. Removed and re-created the physical directory entries on the disk as well, including proper ownership and permissions each time I changed the associated entry in the LDAP tree as well - even tried changing where/which disk the homedir was physically stored on. Lastly, I tried removing the entire LDAP database, and restoring FIRST the troublesome users only - same problem still. Added in the rest of the users via an LDIF export (backup of db before I toasted it) - still same problem. I figure spelling can't really be an issue; all usernames here follow the same convention (first letter of first name, followed by first 7 characters of last name, no numeric nor punctual characters of any sort). All four usernames are phonetically distinct and do not share any alphabetic pattern whatsoever either (I'd prefer not to send them out to the general list, as this machine is currently in production, and given the nature of what these accounts are causing I'd prefer not opening up a whole new security risk here). More Detailed Information Follows: ---------------------------------- FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 5 03:50:01 UTC 2004 amd64 OpenLDAP nss_ldap & pam_ldap installed from ports-tree, using versions as follows (pkg_info -a reports: openldap-client-2.2.15, openldap-server-2.2.15, pam_ldap-1.7.1_1, nss_ldap-1.204_5) Samba Version Samba-3.0.8, compiled with LDAP SAM support, acting as PDC for Win2K/WinXP Clients Still running GENERIC kernel (intent upon eventually getting around to making a new one, removing a lot of debugging and what-not once all is up and running well for a boost in performance). The machine is an AMD Opteron 146-based system, with 2GB ECC registered memory, (dual capable board, eventually going to go with dual 246 Opterons when we can take them from a workstation and upgrade the workstation to faster cpus). Using WDC RAID Edition S-ATA 250GB Drives, the on-board Broadcom GigE controllers (2), and on-board ATI video controller. The drives are configured in a RAID 5 array, attached each to an independent channel on a 3Ware Escalade 9500 series S-ATA controller, for a total of 705GB and change storage across 4 partitions (2GB /, 10GB /usr, 40GB /var, rest as /server). Attached is a copy of an (edited for username) session which details what happens when this error occurs. There are no errors reported in the OpenLDAP nor the system/auth logs to give you, but if anything else is needed please don't hesitate to ask. Any ideas as to where to go on this would be greatly appreciated, but I genuinely think there may be something actually wrong in the code somewhere, I don't believe this to be a simple matter of a configuration problem. -- Nathan Vidican nvidican@wmptl.com Windsor Match Plate & Tool Ltd. http://www.wmptl.com/ begin 666 ldap-err.txt M__XE`&,`9 `@`'X`50!3`$4`4@!.`$$`30!%`"\`#0`*`# `_ `4)3LF.B9E M)F,`_ !1)68F9 !C`#T`=P!M`' `= !L`"P`9 !C`#T`;@!E`'0`#0`*`#HF M.R8-``H`.B8[)CHF.B8[)CHF.B8Z)N$`+0#Z``T`"@`@`" `( `@`" `( `@ M`" `( `@`" `;P!B`&H`90!C`'0`8P!L`&$`0!F)F(`90!R`&8F.R9C M`&X`9B8-``H`; !O`&<`:0!N`%,`: !E`&P`; !F)F<`90!C`&\`