# cat /etc/nsswitch.conf
...
passwd: files nis ldap
...
# getent passwd username
username:x:10000:600:User Name:/home/username:/bin/bash
# getent -s ldap passwd username
-> hangs

Running strace against it shows that it gets stuck on a futex. This is the same with nss_ldap-239-r1 and nss_ldap-253. glibc-2.4-r4 with "nls nptl nptlonly". getent with '-s file' or '-s nis' works fine.
1. and plain 'getent password username' ?
2. what is your ssl configuration in /etc/ldap.conf?
(In reply to comment #1)
> 1. and plain 'getent password username' ?
> 2. what is your ssl configuration in /etc/ldap.conf?

1. As shown in the original report, 'getent passwd username' works fine.
2. /etc/ldap.conf has 'ssl no'.
base-system/vapier: did something change in glibc's nss stuff again? getent -s ldap worked previously...

Kevin Bryan:
1. please provide the contents of your /etc/ldap.conf here, excluding the comments in it.
2. if your uri/host line uses a hostname, try with it in /etc/hosts, or try with an IP directly.
ldap.conf:

host ldap1.domain.tld ldap2.domain.tld
base dc=domain,dc=tld
rootbinddn cn=nssldap,ou=DSA,dc=domain,dc=tld
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
nss_base_passwd dc=domain,dc=tld?sub
nss_base_shadow dc=domain,dc=tld?sub
nss_base_group ou=Groups,dc=domain,dc=tld?one
ssl no
sizelimit 0
pam_password md5

Adding ldap1.domain.tld and ldap3.domain.tld to /etc/hosts did not change the behavior, nor did replacing it with an IP. In both cases, strace shows it hanging on the futex.
no idea, i don't track nss stuff as i don't use it at all
I'm not sure which bug is the best to note this on, but I've added a post at robbat's blog that may help: http://robbat2.livejournal.com/199841.html Basically it concerns the problems with nss_ldap 249 and timeout weirdness.
Upstream bug: http://bugzilla.padl.com/show_bug.cgi?id=176

This is also responsible for Gentoo bug 147625.

While the upstream bug has not seen much response from Luke Howard, here is my theory about the futex. If you do 'getent -s $SRC $TYPE', then /etc/nsswitch.conf is overridden, and $SRC is used instead. If you use a hostname for your LDAP server, this would mean that a circular loop exists, just as if you did 'getent -s ldap hosts', because regardless of what source you use, nss_ldap (via the ldap libraries) would be doing a hostname lookup to connect to the LDAP server.

Test these two nsswitch.conf configurations:

1.
passwd: files ldap
host: files dns

2.
passwd: files ldap
host: files dns ldap

3.
passwd: files ldap
host: ldap files dns

#1 and #2 should work. #3 should hang with the same futex.

simishag: Your comment was incorrectly placed here. I responded to it on my blog.
1 corresponds to my setup, yet it still does not work. I tested it on several other machines that I have. Here's the results:

nss_ldap-239-r1 works with both pam_ldap 180 and 183.
neither nss_ldap-249 nor nss_ldap-253 work with pam_ldap 183.
I meant for you to test all 3 nsswitch.conf configurations that I posted. Command to test is 'getent passwd' (notice NO -s ldap on purpose).
Yes, it acts as you suspect. 1 and 2 work fine, and 3 stops on a futex.
vapier: ok, this proves there is a specific breakage in the getent application.

State BEFORE:
"getent -s $SRC $FOO" overrides nsswitch.conf for $FOO only, so that it would be the same as '$FOO: $SRC', but the other lines would be untouched.

State AFTER:
"getent -s $SRC $FOO" overrides ALL entries in nsswitch.conf, which is a problem as 'host: ldap' then has a circular loop in lookup (to connect to the LDAP server it needs to do the lookup, but for the lookup it needs to connect to LDAP). Specifically, gethostbyname() triggers the NSS lookup.

This is NOT a recent breakage in glibc, so it's going to be hard to find. If you look at the upstream bug report, it was originally in debian's glibc-2.3.2.ds1-13.
(In reply to comment #11)
> vapier:
> ok, this proves there is a specific breakage in the genent application.
>
> State BEFORE:
> "getent -s $SRC $FOO" overrides nsswitch.conf for $FOO only, so that it would
> be the same as '$FOO: $SRC', but the other lines would be untouched.
>
> State AFTER:
> "getent -s $SRC $FOO" overrides ALL entries in nsswitch.conf, which is a
> problem as 'host: ldap' then has a circular loop in lookup (to connect to the
> LDAP server it needs to do the lookup, but for the lookup it needs to connect
> to LDAP). Specifically, gethostbyname() triggers the NSS lookup.

Apparently it's not breakage, it's an "undocumented feature." No, seriously:

getent -s passwd:ldap passwd username

works fine. If you just do:

getent -s ldap passwd username

then the -s takes effect for all databases. Note that the getent --help (there is no man page) doesn't explain this. Had to pull open getent.c and read the parse_option code (in glibc-2.5, anyways, probably the same in all "affected" versions).
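The two forms of the -s override described in the thread, modelled as an added example (this is not code from glibc, nss_ldap or anyone in the bug; the nsswitch.conf fragments are constructed from the three configurations posted above, and the "ldap needs a hosts lookup" rule assumes the LDAP server is named by hostname, as in the reporter's ldap.conf):

```python
# Model getent's -s semantics and flag the circular hosts lookup that produces the
# futex hang. Example code, not glibc's getent.c; assumptions are noted inline.

# Constructed nsswitch.conf fragments, numbered as in the thread.
NSSWITCH_1 = "passwd: files ldap\nhosts: files dns\n"
NSSWITCH_2 = "passwd: files ldap\nhosts: files dns ldap\n"
NSSWITCH_3 = "passwd: files ldap\nhosts: ldap files dns\n"

# Assumption: these sources must resolve a hostname (via the hosts database)
# before they can answer, because the server is configured by name.
NEEDS_HOSTS = {"ldap"}


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text, ignoring comments."""
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, sources = line.partition(":")
        config[name.strip()] = sources.split()
    return config


def apply_getent_s(config, override):
    """Mimic -s as the last comment describes it: 'db:src' replaces the sources
    of that one database, while a bare 'src' replaces the sources of every database."""
    new = dict(config)
    if ":" in override:
        name, src = override.split(":", 1)
        new[name] = [src]
    else:
        for name in new:
            new[name] = [override]
    return new


def would_hang(config, database):
    """True when looking up `database` can recurse into an ldap hosts lookup
    before any non-ldap hosts source gets a chance to resolve the server name.
    glibc stops at the first source that answers, so 'hosts: files dns ldap' is
    fine (configuration 2) while 'hosts: ldap files dns' is not (configuration 3)."""
    if not any(src in NEEDS_HOSTS for src in config.get(database, [])):
        return False
    hosts = config.get("hosts", [])
    return bool(hosts) and hosts[0] in NEEDS_HOSTS
```

With NSSWITCH_1, `apply_getent_s(..., "ldap")` turns hosts into `['ldap']` and `would_hang` reports the loop, while `"passwd:ldap"` leaves hosts alone and the lookup is reported as safe.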