From: "O. Hartmann"
Date: Sat, 25 Apr 2009 18:32:46 +0200
To: Kostik Belousov
Cc: Ruben de Groot, freebsd-current@freebsd.org, Ivan Voras
Subject: Re: OpenLDAP/SSH : sshd[1414]: fatal: login_get_lastlog: Cannot find account for uid 1000
Message-ID: <49F33B2E.9050803@mail.zedat.fu-berlin.de>
In-Reply-To: <20090424171254.GD40751@deviant.kiev.zoral.com.ua>
References: <49F192AA.1010605@zedat.fu-berlin.de> <20090424141651.GA62236@ei.bzerk.org> <20090424171254.GD40751@deviant.kiev.zoral.com.ua>
List-Id: Discussions about the use of FreeBSD-current

Kostik Belousov wrote:
> [Removed questions]
>
> On Fri, Apr 24, 2009 at 04:16:51PM +0200, Ruben de Groot wrote:
>
>> On Fri, Apr 24, 2009 at 12:34:01PM +0200, Ivan Voras typed:
>>
>>> O. Hartmann wrote:
>>>
>>>> Since several months after an upgrade from OpenLDAP 2.4.11 to the most
>>>> recent one I have trouble logging in on machines which authenticate users
>>>> via OpenLDAP.
>>>>
>>>>
>>> I've just installed a fresh machine with FreeBSD 7.2 amd64 and OpenLDAP
>>> 2.4.latest and it works. The only difference might be that I'm using nscd.
>>>
>>> Have you modified /etc/pam.d files?
>>>
>> I had a problem with nss_ldap and openldap over ssl. This patch fixed it:
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=133501&cat=ports
>>
>
> Actually, bug reports against threading library in 7.0/7.1 should
> be rechecked against upcoming 7.2, since libthr got a complete sync
> with HEAD. In particular, several issues were fixed that are related
> to fork and threads interaction.
>
> If the issue is still present in 7.2, then the best way to start some
> progress is to get isolated failing test case for libthr.
>

The problem I specifically mentioned affects a pure FreeBSD 8.0-CURRENT/amd64 installation the same way and is identical to what I see with FreeBSD 7.2-STABLE.

I changed the order of look-for-targets in /etc/nsswitch.conf:

previously, not working and triggering the issues I reported:

    group: files ldap
    passwd: files ldap

working after exchanging the order:

    group: ldap files
    passwd: ldap files

This is weird!

After I changed that, the first attempt issuing the password now takes 20 seconds to respond even for local users; if I hit return for the first passwd-attempt and issue the password on the second attempt, it runs immediately towards the expected login.

The intention of having files looked up first was: sometimes LDAP is dead, or we make tests and cannot reach LDAP, so we need to log in via locally stored users. Having LDAP consulted first makes a login a disaster: after a minute some boxes cancel the login attempt because of the timeout. That's fun. Even with

    passwd: ldap [unavail=continue notfound=continue] files [success=return notfound=return]
    group: ldap [unavail=continue notfound=continue] files [success=return notfound=return]

it fails.

There is something wrong, not specifically with 7.2.

Oliver
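
An added example, not part of the original message: a small model of how the resolver walks the sources on an nsswitch.conf line, using the default actions documented in nsswitch.conf(5) (success=return, everything else continue). It shows which sources each of the three passwd lines above consults for a local-only user, and that the explicit criteria walk the sources the same way as plain "ldap files". The function names and the outcome tables are constructed for illustration.

```python
import re

# Default actions per nsswitch.conf(5): stop on success, otherwise try the next source.
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}

def parse_line(line):
    """Parse 'db: src [status=action ...] src ...' into (db, [(src, actions)])."""
    db, _, rest = line.partition(":")
    sources = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not sources:
                raise ValueError("criteria before any source")
            for crit in tok[1:-1].split():
                status, _, action = crit.lower().partition("=")
                if status not in DEFAULTS or action not in ("return", "continue"):
                    raise ValueError("bad criterion: " + crit)
                sources[-1][1][status] = action
        else:
            sources.append((tok, dict(DEFAULTS)))
    return db.strip(), sources

def walk(sources, outcome):
    """Simulate one lookup. outcome maps source name -> status it would report.
    Returns (final status, list of sources actually consulted)."""
    consulted, status = [], "notfound"
    for name, actions in sources:
        status = outcome[name]
        consulted.append(name)
        if actions[status] == "return":
            break
    return status, consulted

# Constructed scenarios: a local-only user with LDAP down, and with LDAP up.
LDAP_DOWN = {"ldap": "unavail", "files": "success"}
LDAP_UP = {"ldap": "notfound", "files": "success"}

ORIGINAL = parse_line("passwd: files ldap")[1]
SWAPPED = parse_line("passwd: ldap files")[1]
EXPLICIT = parse_line("passwd: ldap [unavail=continue notfound=continue] "
                      "files [success=return notfound=return]")[1]

if __name__ == "__main__":
    for label, cfg in (("files ldap", ORIGINAL), ("ldap files", SWAPPED),
                       ("explicit", EXPLICIT)):
        for scen, out in (("ldap down", LDAP_DOWN), ("ldap up", LDAP_UP)):
            print(f"{label:10} {scen:9} -> {walk(cfg, out)}")
```

With "files ldap" a local user is resolved without LDAP ever being contacted; with either ldap-first line every lookup has to wait for the LDAP source to answer or time out before files is tried.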