<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>166519</bug_id>
          
          <creation_ts>2007-02-12 16:21 0000</creation_ts>
          <short_desc>sys-auth/nss_ldap-253 - emerge and su fail when using ldap files or files ldap in nsswitch.conf</short_desc>
          <delta_ts>2007-09-18 23:19:54 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Linux</product>
          <component>Library</component>
          <version>unspecified</version>
          <rep_platform>x86</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          
          <priority>P2</priority>
          <bug_severity>major</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>gentoobugs@hayward.uk.com</reporter>
          <assigned_to>ldap-bugs@gentoo.org</assigned_to>
          <cc>alex@ghisoli.ch</cc>

      

      
          <long_desc isprivate="0">
            <who>gentoobugs@hayward.uk.com</who>
            <bug_when>2007-02-12 16:21:53 0000</bug_when>
            <thetext>After performing a recent update (emerge -uDN world), which had not been done for a couple of months, I tried to emerge a new package and the emerge fails to even start properly. I tried emerging different packages and all do the same, for example:

emerge gaim
Calculating dependencies ... done!

&gt;&gt;&gt; Emerging (1 of 1) net-im/gaim-1.5.0 to /

And that&apos;s all I get. I tried emerge-webrsync and that didn&apos;t help either. Eventually I discovered that if I swap the order in my nsswitch.conf from ldap files to files ldap, emerge worked.

Now I have a new problem that su no longer works it always says

su -
Password:
su: Permission denied
Sorry.

There is one way round this and that is to add the user to /etc/group and /etc/passwd, but that defeats the object of LDAP!

Reproducible: Always

Steps to Reproduce:
1. Using a working system, implement ldap (LDAP server has account details of all local system accounts)
2. Modify /etc/nsswitch.conf to change the following lines to read

passwd: ldap files
group: ldap files

This causes portage to fail the emerge.
3. Try to emerge something and watch it fail
4. Modify nsswitch.conf to read

passwd: files ldap
group: files ldap

5. Now try to su to root
Actual Results:  
Step 3.

emerge gaim
Calculating dependencies ... done!

&gt;&gt;&gt; Emerging (1 of 1) net-im/gaim-1.5.0 to /

can su to root successfully

Step 5.
su -
Password:
su: Permission denied
Sorry.

Other apps also fail, such as cxoffice

emerge now works successfully

Expected Results:  
Expect emerge, su and cxoffice to work regardless of the order in nsswitch.conf

Adding the user to /etc/group and /etc/passwd is a short-term workaround to allow su and cxoffice to work, but implementing the change on every machine makes a mockery of the ldap implementation.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>jakub@gentoo.org</who>
            <bug_when>2007-02-12 16:26:18 0000</bug_when>
            <thetext>emerge --info? sys-auth/nss_ldap version?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>gentoobugs@hayward.uk.com</who>
            <bug_when>2007-02-12 23:20:12 0000</bug_when>
            <thetext>emerge --info as requested

Portage 2.1.1-r2 (default-linux/x86/2006.0, [unavailable], glibc-2.5-r0, 2.6.19-gentoo-r5 i686)
=================================================================
System uname:
Gentoo Base System version 1.12.6
Last Sync: Thu, 08 Feb 2007 04:00:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS=&quot;x86&quot;
AUTOCLEAN=&quot;yes&quot;
CBUILD=&quot;i686-pc-linux-gnu&quot;
CFLAGS=&quot;-march=pentium4 -O3 -pipe -fomit-frame-pointer -mmmx -msse -msse2&quot;
CHOST=&quot;i686-pc-linux-gnu&quot;
CONFIG_PROTECT=&quot;/etc /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config&quot;
CONFIG_PROTECT_MASK=&quot;/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo&quot;
CXXFLAGS=&quot;-march=pentium4 -O3 -pipe -fomit-frame-pointer -mmmx -msse -msse2&quot;
DISTDIR=&quot;/usr/portage/distfiles&quot;
FEATURES=&quot;autoconfig candy ccache distcc distlocks metadata-transfer moo sandbox sfperms strict&quot;
GENTOO_MIRRORS=&quot;http://ftp.snt.utwente.nl/pub/os/linux/gentoo&quot;
LINGUAS=&quot;en_GB&quot;
MAKEOPTS=&quot;-j2&quot;
PKGDIR=&quot;/usr/portage/packages&quot;
PORTAGE_RSYNC_OPTS=&quot;--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=&apos;/distfiles&apos; --exclude=&apos;/local&apos; --exclude=&apos;/packages&apos;&quot;
PORTAGE_TMPDIR=&quot;/var/tmp&quot;
PORTDIR=&quot;/usr/portage&quot;
PORTDIR_OVERLAY=&quot;/usr/local/portage&quot;
SYNC=&quot;rsync://nx01/gentoo-portage&quot;
USE=&quot;X acl acpi alsa alsa_cards_ali5451 alsa_cards_als4000 alsa_cards_atiixp alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106 alsa_cards_cmipci alsa_cards_emu10k1 alsa_cards_emu10k1x alsa_cards_ens1370 alsa_cards_ens1371 alsa_cards_es1938 alsa_cards_es1968 alsa_cards_fm801 alsa_cards_hda-intel alsa_cards_intel8x0 alsa_cards_intel8x0m alsa_cards_maestro3 alsa_cards_trident alsa_cards_usb-audio alsa_cards_via82xx alsa_cards_via82xx-modem alsa_cards_ymfpci alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol apache2 apm arts bash-completion berkdb bitmap-fonts bluetooth browserplugin bzip2 cgi cli cracklib crypt cups curl directfb dlloader dri eds elibc_glibc emboss encode esd ethereal expat fbcon firefox foomaticdb fortran gdbm gif gnome gnutls gpm gstreamer gtk gtk2 iconv icq imap imlib input_devices_evdev input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kerberos kernel_linux lcd_devices_bayrad lcd_devices_cfontz lcd_devices_cfontz633 lcd_devices_glk lcd_devices_hd44780 lcd_devices_lb216 lcd_devices_lcdm001 lcd_devices_mtxorb lcd_devices_ncurses lcd_devices_text ldap libg++ libwww linguas_en_GB mad midi mikmod mmx motif mp3 mpeg msn mysql ncurses nls nptl nptlonly nsplugin ogg opengl oscar oss pam pcre perl png pppd pthreads python qt3 qt4 quicktime readline reflection ruby samba scanner sdl session slang slp snmp spell spl ssl svga symlink tcltk tcpd tiff truetype truetype-fonts type1-fonts 
udev usb userland_GNU utempter video_cards_mach64 video_cards_nv vorbis x86 xinerama xml xorg xv zlib&quot;
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>gentoobugs@hayward.uk.com</who>
            <bug_when>2007-02-12 23:20:55 0000</bug_when>
            <thetext>sys-auth/nss_ldap-253
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>gentoobugs@hayward.uk.com</who>
            <bug_when>2007-02-12 23:28:44 0000</bug_when>
            <thetext>I&apos;m not sure this is an ldap bug; what I think is happening is that some applications are only looking in one of the options in /etc/nsswitch.conf and then ignoring the second option.

I think this because switching files and ldap&apos;s order in the nsswitch.conf fixes the issue for one application; however, it breaks it for another.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>gentoobugs@hayward.uk.com</who>
            <bug_when>2007-02-13 08:59:10 0000</bug_when>
            <thetext>I can&apos;t restart services (apache etc.) when the nsswitch.conf is in the order ldap files.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>robbat2@gentoo.org</who>
            <bug_when>2007-02-13 09:26:20 0000</bug_when>
            <thetext>files must ALWAYS come before ldap in any nsswitch.conf line, otherwise there is a lot more nasty stuff that will happen when you boot your machine.
As for su being broken, what authentication is su using? It should be using pam_ldap, so please validate that.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>gentoobugs@hayward.uk.com</who>
            <bug_when>2007-02-13 12:13:15 0000</bug_when>
            <thetext>portage.doebuild returns 3328 at line 2030 of the emerge script when /etc/nsswitch.conf&apos;s order is ldap files.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>gentoobugs@hayward.uk.com</who>
            <bug_when>2007-02-13 12:17:21 0000</bug_when>
            <thetext>(In reply to comment #6)
&gt; files must ALWAYS come before ldap in any nsswitch.conf line, otherwise there
&gt; is a lot more nasty stuff that will happen when you boot your machine.
&gt; As for su being broken, what authentication is su using? It should using
&gt; pam_ldap, so please validate that.
&gt; 

I actually have them in that order for boot; however, as mentioned, not everything works. During boot I have a script which changes over to ldap first to get other things working. This has been working fine until I updated my machine, so I don&apos;t think I have any issues there.

su uses pam_ldap:
#%PAM-1.0

auth       sufficient   pam_rootok.so

# If you want to restrict users being allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth       required     pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth       sufficient   pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth       sufficient   pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the &apos;wheel&apos;
# group to su
auth       required     pam_wheel.so use_uid

auth       include      system-auth

account    include      system-auth

password   include      system-auth

session    include      system-auth
session    required     pam_env.so
session    optional     pam_xauth.so


system-auth contains:
auth        required    pam_env.so
auth        sufficient  pam_unix.so likeauth nullok shadow
auth        sufficient  pam_ldap.so use_first_pass
auth        required    pam_deny.so

account     requisite   pam_unix.so
account     sufficient  pam_localuser.so
account     sufficient  pam_ldap.so
account     required    pam_unix.so

password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password    sufficient  pam_unix.so nullok md5 shadow use_authtok
password    sufficient  pam_ldap.so use_authtok use_first_pass
password    required    pam_deny.so

session     required    pam_limits.so
session     required    pam_unix.so
session     required    pam_mkhomedir.so skel=/etc/skel/ umask=0066
session     optional    pam_ldap.so

As said in my first post, this all works fine if the order is ldap files; however, other things are now broken that were previously working fine.

</thetext>
          </long_desc>
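The two behaviours this thread turns on, as an added illustration (not code from the report, from nss_ldap, glibc or Gentoo): comment 6's rule that files must precede ldap, and the reporter's su failure under files ldap. The script first flags nsswitch.conf databases where ldap is consulted before files, then models glibc's default NSS resolution of a group: the first source that knows the group answers, and member lists from later sources are not merged (later glibc releases added a [SUCCESS=merge] action for the group database). The pam_wheel line in the reporter's /etc/pam.d/su (auth required pam_wheel.so use_uid) performs exactly such a wheel lookup. If the local /etc/group carries a wheel entry without the LDAP user while the directory's wheel entry has them, then files ldap denies the user and ldap files admits them, which matches both the "Permission denied" result and the /etc/group workaround. The nsswitch.conf text, the group data and the user name alice are constructed for the demo; the bug report does not show the reporter's actual group entries, so that explanation is an assumption consistent with the thread, not something it states.

```python
"""Check nsswitch.conf source order and show how 'files ldap' versus
'ldap files' changes a pam_wheel-style group check.

Added illustration, not code from nss_ldap, glibc or the bug report.
All sample data below is constructed for the demonstration.
"""

NSS_DATABASES = ("passwd", "group", "shadow")


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text.
    Action specs such as [NOTFOUND=return] are dropped; only order matters here."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        dbs[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


def ldap_before_files(dbs):
    """Databases where 'ldap' is consulted before (or without) 'files'.
    This is the ordering comment 6 warns against: with the directory
    unreachable early in boot, lookups of local accounts wait on ldap first."""
    bad = []
    for db in NSS_DATABASES:
        srcs = dbs.get(db, [])
        if "ldap" not in srcs:
            continue
        if "files" not in srcs or "ldap" in srcs[:srcs.index("files")]:
            bad.append(db)
    return bad


def parse_group_file(text):
    """Parse /etc/group-style lines into {name: (gid, set_of_members)}."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), set(m for m in members.split(",") if m))
    return groups


def getgrnam(name, order, sources):
    """Emulate glibc's default NSS behaviour for getgrnam(3): the first
    source in nsswitch order that knows the group answers, and member
    lists from later sources are NOT merged in. Returns (source, entry)."""
    for src in order:
        entry = sources.get(src, {}).get(name)
        if entry is not None:
            return src, entry
    return None, None


def wheel_check(user, primary_gid, order, sources):
    """pam_wheel-style test: in 'wheel' by membership or by primary gid?
    Returns (allowed, source_that_answered)."""
    src, entry = getgrnam("wheel", order, sources)
    if entry is None:
        return False, src
    gid, members = entry
    return (user in members or primary_gid == gid), src


# --- constructed sample data (assumptions, not the reporter's files) ---
SAMPLE_NSSWITCH = """\
passwd: files ldap
shadow: files ldap
group:  ldap files   # deliberately wrong, so the checker fires
hosts:  files dns
"""

# local /etc/group: wheel exists but only root is in it
LOCAL_GROUP = "root:x:0:root\nwheel:x:10:root\n"

# the same group as the directory returns it, with LDAP user alice as a member
LDAP_GROUP = {"wheel": (10, {"root", "alice"})}

SOURCES = {"files": parse_group_file(LOCAL_GROUP), "ldap": LDAP_GROUP}


def demo():
    """Run the ordering check and the wheel check under both orders."""
    flagged = ldap_before_files(parse_nsswitch(SAMPLE_NSSWITCH))
    files_first = wheel_check("alice", 1000, ["files", "ldap"], SOURCES)
    ldap_first = wheel_check("alice", 1000, ["ldap", "files"], SOURCES)
    return {"flagged": flagged, "files_first": files_first, "ldap_first": ldap_first}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With files first, alice is refused by the local wheel entry even though the directory lists her; with ldap first she is admitted, which is the asymmetry the reporter saw. On a real host the equivalent check is getent group wheel under each order; if the local and directory wheel groups differ, the durable fix is to keep the privileged groups consistent (or to drop the local duplicate) rather than to put ldap first.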
          <long_desc isprivate="0">
            <who>alex@ghisoli.ch</who>
            <bug_when>2007-04-02 14:59:09 0000</bug_when>
            <thetext>Could this issue be related to bug 147625?

The issue is that portage always returns error 3328 when using ldap storage-based accounts.

So, the real bug is in glibc and the way it handles maps and usernames; see bug 156511.

From my personal experience, if you have TLS or SSL enabled in /etc/ldap.conf, turning it off makes things work.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>Martin.vGagern@gmx.net</who>
            <bug_when>2007-07-05 12:35:28 0000</bug_when>
            <thetext>This looks like bug 162355, which corresponds to the upstream bug http://bugzilla.padl.com/show_bug.cgi?id=273 (nice description there).
Using nscd should probably solve the issue.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>robbat2@gentoo.org</who>
            <bug_when>2007-09-18 23:19:54 0000</bug_when>
            <thetext>257 in CVS now with the SIGPIPE fix, closing.</thetext>
          </long_desc>
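The closing comment attributes the fix to SIGPIPE handling, but the thread does not show the patch. As an added illustration, not nss_ldap's actual change, the script below shows the failure mode and one library-safe way to avoid it: an NSS module runs inside someone else's process (su, the ebuild shell spawned by emerge), so a write to an LDAP socket whose peer has gone away must come back as EPIPE rather than as a fatal SIGPIPE to the host. The write blocks SIGPIPE for its own duration, reports EPIPE, and drains the pending signal before restoring the caller's mask, so it neither installs a process-wide SIG_IGN (which would silently change the host program's behaviour) nor depends on the Linux-only MSG_NOSIGNAL send flag. Python ignores SIGPIPE by default, so demo() temporarily restores SIG_DFL to behave like a C program; the socketpair standing in for the LDAP connection and the request bytes are constructed for the demo.

```python
"""Library-safe socket write that cannot kill the host process via SIGPIPE.

Added illustration of the failure mode named in the closing comment; it is
not nss_ldap's actual change, which this bug does not show.
"""
import errno
import os
import signal
import socket


def write_without_sigpipe(fd, data):
    """Write data to fd. Return bytes written, or -errno on failure.

    A write to a stream socket whose peer has closed fails with EPIPE and
    also sends SIGPIPE to the writing thread; under the default disposition
    that terminates the whole process. Blocking the signal for the duration
    of the write leaves it pending instead, and sigtimedwait() then consumes
    it so it is never delivered once the caller's mask is restored.
    """
    old_mask = signal.pthread_sigmask(signal.SIG_BLOCK, {signal.SIGPIPE})
    try:
        return os.write(fd, data)
    except OSError as exc:
        if exc.errno == errno.EPIPE and signal.SIGPIPE not in old_mask:
            # Drain only the signal this write caused; if the caller already
            # had SIGPIPE blocked, any pending instance belongs to it.
            signal.sigtimedwait({signal.SIGPIPE}, 0)
        return -exc.errno
    finally:
        signal.pthread_sigmask(signal.SIG_SETMASK, old_mask)


def demo():
    """Peer closes; the write must report EPIPE and leave nothing pending."""
    # Behave like a C host program (su, bash): default SIGPIPE disposition.
    old_handler = signal.signal(signal.SIGPIPE, signal.SIG_DFL)
    try:
        client, server = socket.socketpair()   # stands in for the LDAP connection
        server.close()                          # the directory side goes away
        rc = write_without_sigpipe(client.fileno(), b"constructed bind request")
        still_pending = signal.SIGPIPE in signal.sigpending()
        client.close()
        return {
            "rc": rc,
            "errno_name": errno.errorcode.get(-rc, "OK"),
            "sigpipe_pending": still_pending,
        }
    finally:
        signal.signal(signal.SIGPIPE, old_handler)


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints an EPIPE result with no pending SIGPIPE, and the interpreter survives a write that would otherwise have killed it. A C implementation does the same with pthread_sigmask(3) around the write and sigtimedwait(2) to drain; in either language the point is that the error reaches the caller as a return value, which is what lets a name-service lookup fail cleanly instead of taking su or the ebuild shell down with it.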
      
    </bug>

</bugzilla>