From owner-freebsd-hackers@FreeBSD.ORG Thu Apr 16 15:23:09 2009
Return-Path: 
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E1A641065911;
	Thu, 16 Apr 2009 15:23:09 +0000 (UTC)
	(envelope-from uspoerlein@gmail.com)
Received: from acme.spoerlein.net (cl-43.dus-01.de.sixxs.net [IPv6:2a01:198:200:2a::2])
	by mx1.freebsd.org (Postfix) with ESMTP id 4EF308FC17;
	Thu, 16 Apr 2009 15:23:09 +0000 (UTC)
	(envelope-from uspoerlein@gmail.com)
Received: from roadrunner.spoerlein.net (e180152215.adsl.alicedsl.de [85.180.152.215])
	by acme.spoerlein.net (8.14.3/8.14.3) with ESMTP id n3GFMkXa095983
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
	Thu, 16 Apr 2009 17:22:50 +0200 (CEST)
	(envelope-from uspoerlein@gmail.com)
Received: from roadrunner.spoerlein.net (localhost [127.0.0.1])
	by roadrunner.spoerlein.net (8.14.3/8.14.3) with ESMTP id n3GFHfek045643
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 16 Apr 2009 17:17:41 +0200 (CEST)
	(envelope-from uspoerlein@gmail.com)
Received: (from uqs@localhost)
	by roadrunner.spoerlein.net (8.14.3/8.14.3/Submit) id n3GFHeEP045642;
	Thu, 16 Apr 2009 17:17:40 +0200 (CEST)
	(envelope-from uspoerlein@gmail.com)
Date: Thu, 16 Apr 2009 17:17:40 +0200
From: Ulrich Spörlein
To: Benjamin Lee
Message-ID: <20090416151740.GB5002@roadrunner.spoerlein.net>
Mail-Followup-To: Benjamin Lee, Konrad Heuer, freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org
References: <20090415102209.T34961@gwdu60.gwdg.de> <49E63228.3090409@b1c1l1.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <49E63228.3090409@b1c1l1.com>
User-Agent: Mutt/1.5.19 (2009-01-05)
Cc: freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org, Konrad Heuer
Subject: Re: Problem: FreeBSD 7.x && ssh v2 && nss_ldap
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Thu, 16 Apr 2009 15:23:11 -0000

On Wed, 15.04.2009 at 12:14:48 -0700, Benjamin Lee wrote:
> On 04/15/2009 01:33 AM, Konrad Heuer wrote:
> >
> > I see a problem on two systems running FreeBSD 7.0 or 7.1 which are
> > configured as OpenLDAP clients using the nss_ldap module.
> >
> > When someone logs on using ssh protocol version 2 the session will not
> > be initialized correctly. The user will only get his primary group
> > affiliation but no affiliation to other groups (memberUid attribute in
> > LDAP group entries).
> >
> > On 7.1 the ssh login process hangs forever with open ldap queries, on
> > 7.0 the group list is incomplete. On several 6.x systems, all works
> > correctly. I have used the configuration for years now.
> >
> > There are some workarounds I found:
> >
> > a) use ssh protocol version 1
> > b) set UseLogin to yes in sshd_config
> > c) avoid ssl encryption in communication to ldap server
> >    (ldap://... uri instead of ldaps://... in ldap.conf)
> >
> > Does anybody see similar problems? Does anybody have an idea what may
> > cause the problem?
>
> I recently submitted ports/133501 regarding this issue, but I have not
> yet received a response.
>
> My workaround was to disable pthread_atfork support, so the problem
> might be related to the change from libkse to libthr in RELENG_7.

I tried your patch to see if it made any change for the nss_ldap UNIX
socket leak, but sadly no change. I never observed the SSH2 problems you
guys mention, but then again I'm usually using key authentication.

I'll run with the patch anyway and see if it makes any change to the
problem where login(1) is only able to authenticate me after 30s of
idling.
Cheers,
Ulrich Spörlein

-- 
None are more hopelessly enslaved than those who falsely believe they are free
    -- Johann Wolfgang von Goethe
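Added example, not part of the message above and not code from nss_ldap or FreeBSD: Benjamin's workaround was to disable nss_ldap's pthread_atfork support, and the thread speculates about the libkse to libthr change. The program below shows the generic situation those handlers exist for, namely a threaded process that calls fork() while another thread holds a library lock, so the child inherits the lock in the taken state with nobody left to release it. It runs the scenario once without handlers and once with a prepare/parent/child triple registered, and reports whether the child could take the lock. The helper names (lib_lock, hold_lock, child_can_take_lock, register_fork_handlers) and the timing are my own construction; the program illustrates the fork-safety problem class, it is not a diagnosis of the nss_ldap behaviour reported in the thread.

```c
/* Added example (not from the thread above, not nss_ldap code): what
 * pthread_atfork handlers guard against when a threaded process forks
 * while another thread holds a lock. Constructed scenario; not a
 * diagnosis of the nss_ldap problem discussed on the list. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Stands in for a lock a library such as an NSS module keeps internally. */
static pthread_mutex_t lib_lock = PTHREAD_MUTEX_INITIALIZER;

/* Set by the helper thread once it owns lib_lock. */
static volatile int holder_ready = 0;

/* Helper thread: take the lock, announce it, keep it for 300 ms, release. */
static void *hold_lock(void *arg)
{
    (void)arg;
    pthread_mutex_lock(&lib_lock);
    holder_ready = 1;
    struct timespec ts = { 0, 300L * 1000 * 1000 };
    nanosleep(&ts, NULL);
    pthread_mutex_unlock(&lib_lock);
    return NULL;
}

/* The handler triple a library registers with pthread_atfork(): own the
 * lock across fork() so the child's copy is in a known state, then release
 * it on both sides. In the child the only surviving thread is the one that
 * forked, which is the thread that took the lock in prepare(). */
static void prepare(void) { pthread_mutex_lock(&lib_lock); }
static void parent(void)  { pthread_mutex_unlock(&lib_lock); }
static void child(void)   { pthread_mutex_unlock(&lib_lock); }

/* Fork while the helper thread holds lib_lock and report whether the
 * child could take it: 1 = yes, 0 = inherited it locked, -1 = error. */
int child_can_take_lock(void)
{
    pthread_t t;
    holder_ready = 0;
    if (pthread_create(&t, NULL, hold_lock, NULL) != 0)
        return -1;
    while (!holder_ready)
        sched_yield();              /* wait until the helper owns the lock */

    pid_t pid = fork();             /* runs atfork handlers if registered */
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The helper thread does not exist here, but the lock state it
         * left behind was copied into our address space. */
        int rc = pthread_mutex_trylock(&lib_lock);
        _exit(rc == 0 ? 1 : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    pthread_join(t, NULL);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Register the handlers; returns 0 on success like pthread_atfork(). */
int register_fork_handlers(void)
{
    return pthread_atfork(prepare, parent, child);
}

int main(void)
{
    printf("without atfork handlers: child could take lock = %d\n",
           child_can_take_lock());
    register_fork_handlers();
    printf("with atfork handlers:    child could take lock = %d\n",
           child_can_take_lock());
    return 0;
}
```

Without the handlers the child's pthread_mutex_trylock() fails with EBUSY and a real library would block forever on the lock, which is the shape of a post-fork hang; with the handlers, prepare() waits for the helper to release the lock before fork() proceeds, and the child starts with a usable lock. Link with -lpthread on systems that still need it.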