Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
Please see the URL that demonstrates the problem I am seeing. I have determined this to be nss_ldap from another user's post. Using nss_ldap-207-r1 adding users to groups that don't have 'domain' in them works fine. Other versions such as nss_ldap-238 and nss_ldap-226 do not work correctly (these are the only ones I have tested). For example, when a group is "full" (thats the way it seems) or screwed up (can't add anymore user's to the group with smbldap-tools), issue the command 'id lhart1' (lhart1 is a user that was already added in LDAP), it gives the follow error: acad1 ~ # id lhart1 id: io.c:171: ber_free_buf: Assertion `((ber)->ber_opts.lbo_valid==0x2)' failed. uid=10214(lhart1) gid=505Aborted Other tools that use nss_ldap also act strange/don't work. 'net groupmap list' produces a segmentation fault in this condition; smbldap-useradd also gives a segmentation fault. I have verified things do work right with nss_ldap-207-r1.ebuild. Please see the URL that demonstrates the problem for more details. Reproducible: Always Steps to Reproduce: 1. Install Gentoo 2005.0; emerge samba, nss_ldap, pam_ldap, and all related packages for a Samba PDC w/ LDAP support. Setup a LDAP server. Configure Samba for PDC w/ LDAP, configure smbldap-tools. Use smbldap-populate to initially populate the LDAP tree. 2. Add a group w/ Samba mappings that doesn't have the word 'domain' in it, such as 'users'. 3. Create a script that adds a whole bunch of users: i.e, "smbldap_tools/smbldap-useradd -a -g users -c \"$Ofirst,$Olast,$studentnum\" -C '\\\\HOST\\homes\\$username' -d $homedir/$username -m $username" for a whole bunch of users -- ~20,000 4. Run your script, wait till you get about ~120 users (the other girl that had the same problem said she could only add 116 users before things started crapping out). 5. If you stop your script and remove the users just added; then change the primary group to something such as 'domain users', it will add all of the users without hesitation. Actual Results: nss_ldap crapped out... basically nothing LDAP related (anything that uses nss_ldap) works. Expected Results: Add all of the users. I am running a VMware virtual machine on ESX 2.5; the virtual machine has 256MB RAM, 4GB hard drive, BusLogic SCSI, PCnet/PCI II NIC. Please see the following posts for more information: http://lists.samba.org/archive/samba/2005-June/107603.html http://lists.samba.org/archive/samba/2005-June/107589.html http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-linux/2004-04/0034.html The only version that I have tried so far that works is nss_ldap-207-r1. I have updated the 238 version ebuild of nss_ldap to 239, but it has the same problem. Version 238 and 226 also do not work correctly.
I can't reproduce your problem in my setup, and I've never run into anything of the sort, and I used nss_ldap-238 (on production network). I've got 500+ users in active production on a LDAP server, incl Samba with PDC- LDAP. My 'users' group contains all 500+ users. The only difference is that I don't use smbldap-tools at all. If you wish to continue this bug, please attach your exact configuration files for everything you mentioned in #1. Additionally, if you can reproduce the error with a single command from a dump-snapshot of your LDAP tree, include the command and the LDAP tree dump-snapshot. When doing heavy adding work, I've found it can help greatly to DISABLE nscd, and NOT create the directories at all initially - just populate the LDAP database first, then re-enable NSCD, and create the home directories.
openldap is patched now. 2.1.30-r5 and 2.2.27-r1 have the patch. 2.1.30-r5 is the ebuild that should go stable. 2.2.27-r1 (and the 2.2 series in general) will be considered for stable in 30 days).
oops wrong bug.
please reopen with the required configuration files.
Created an attachment (id=62809) [details] dump of ldap tree
Created an attachment (id=62810) [details] slapd conf
Created an attachment (id=62811) [details] samba conf
Bug has not been resolved... Older versions of nss_ldap work fine, yet the newer version do not (please see first bug description). Also attached is my smb.conf and slapd.conf. NOTE: ldbm is shown as the backend in slapd.conf, yet I have also used bdb, and they both give them same results.
Also, I have tested nss_ldap version 215 and it works fine.
OK, I've also tried to replicate your problem. Now, I know that a few hundred users in groups works OK on my setup, but like Robin I don't use smbldap-tools. So I setup a test server, and added a few hundred with smbldap-tools, just like in your step-by-step, and had zero problems. Next, I used your slapd.conf (with a couple modifications, like dropping the local schema additions, and no loglevel), and imported your slapcat dump file. Now, nscd didn't like it, but once I shut down nscd it worked A-OK. BTW, what you described in your mail to the Samba list was NOT shutting down nscd. Samba has nothing to do with nscd; it's independent software. Commenting everything out in nscd.conf only makes it fall back to default values when restarted. You would disable nscd with "/etc/init.d/nscd stop" and prevent it from starting up on the next boot with "rc-update del nscd default".
Oh, I forgot to mention software versions. net-nds/openldap-2.2.26-r2 sys-auth/nss_ldap-226 smbldap-tools 0.9.0 sys-libs/glibc-2.3.4.20040808-r1 (qpkg reports that /usr/sbin/nscd comes from glibc)
I have discovered "--enable-rfc2307bis" configure option breaks nss_ldap. But something else must have changed throughout the nss_ldap history (that causes this problem) because version 215 of nss_ldap works for me, but it also has "--enable-rfc2307bis" in the ebuild. Also, the groups that screw up seem to be only ones that have a group name of 6, 7 or 8 characters. I have confirmed the same thing happens with nss_ldap-238 from PADL's site. Is there anyway I can compile nss_ldap with debugging support that spits all the info out to a file? I know its kind of a wierd bug, but I have reproduced it on 2 systems.
sorry about the lack of response. It does turn out to be an upstream nss_ldap bug, an obscure one. Please retest with the latest nss_ldap-249 that I just put in the tree, it should be fixed up.
please test the nss_ldap-250 that I just commited to ~arch. Upstream has changed some of the group stuff.
Marc: I'd appreciate responses on the bug rather than direct email. Could you try to add a lot of test users to see if it still occurs?
Hi Robin, I setup a new test VM and used nss_ldap-250. After adding about 1,200 users, this started happening: Error: h
Hi Robin, I setup a new test VM and used nss_ldap-250. After adding about 1,200 users, this started happening: Error: hµ at /usr/sbin//smbldap_tools.pm line 1005. Error: `hø³ at /usr/sbin//smbldap_tools.pm line 1005. This continues for every user its tries to add. I tried simply adding a user after the I killed my script: esdev2 log # /usr/sbin/smbldap-useradd -a -g 'students' -c "Ofirst,Olast,studentnum" -C '\\ESFREMONT\blah' -d /home/fac_staff/blah -m -N "Ofirst Olast" blah Error: hï¶ at /usr/sbin//smbldap_tools.pm line 1005. esdev2 log # So maybe it is now a problem with smbldap-tools? It did get a lot farther! =) Thank you very much for your time. --Marc
ok, upstream make some more fixes to the group stuff finally. please test nss_ldap-253. for what I can see, there were some lurking problems before, but anything further now will probably belong to samba.
This must be a problem with Samba and/or smbldap-tools now: esdev2 ~ # smbldap-useradd -a -g students blah Error:
This must be a problem with Samba and/or smbldap-tools now: esdev2 ~ # smbldap-useradd -a -g students blah Error: ¨hµ at /usr/sbin//smbldap_tools.pm line 1056. Thanks for your time and help!
marc: since this bug is quite long already, could you please open a new bug and assign it to the samba folk, or pursue it yourself upstream?
