my system is using an ldap server backend for user authentication (openldap, pam_ldap, nss_ldap)... the fact is, each time i start the server, mysql is started before openldap (certainly because of openldap mysql backend dependencies, not my case as i'm using ldbm backend). The system then tries to find the username "mysql" (service account) in the ldap server ... but as the server is not yet started, it takes some time (until timeout) to finally fallback to standard /etc/passwd backend (where mysql user is)... The fact is the mysql init script doesn't wait for the nss_ldap timeout to occur ... and returns with a "mysql NOT started" error. But in fact, mysql is already started ... finally once the boot part is complete i'm logging on my server, kill the mysql process, and restart mysql (at this time, no problem as the ldap server is already started)...

Reproducible: Always

Steps to Reproduce:
1. Have MySQL installed on a system using ldap backend (nss_ldap, pam_ldap) and having the ldap server on the same host
2. boot your server as usual
3. Error message: MySQL is not started

Actual Results: Having an error message telling me mysql is not started, but in fact, mysql is already started, and is working ... but the init script is not able to see that...

Expected Results: no error message, and mysql started as usual
your nsswitch.conf is broken. it MUST specify files before ldap, and the mysql user must exist in your local system, not just in LDAP.
it's a bit easy to tell me i did something wrong, and to close the bug without checking anything ... My nsswitch.conf file is not broken ... and contains what is needed:
--
passwd: files ldap
shadow: files ldap
group: files ldap
--
Moreover, i think you didn't read to the end ... I said "to finally fallback to standard /etc/passwd backend (where mysql user is)..." ... which means that the mysql user is not in the ldap directory but in the passwd file ... all service accounts are in passwd... I maybe did a misconfiguration ... but don't tell me i'm wrong without checking...
cya
please provide:
1. emerge --info
2. /etc/nsswitch.conf
3. /etc/ldap.conf
4. /etc/slapd.conf
5. nss_ldap debug trace that shows exactly what users were looked up during boot.
emerge --info
-------------
Portage 2.1.2.2 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5, 2.6.18-hardened-r6_sdb_bombastor i686)
=================================================================
System uname: 2.6.18-hardened-r6_sdb_bombastor i686 AMD Athlon(tm) XP 2000+
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 05 May 2007 10:20:01 +0000
dev-lang/python: 2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mtune=athlon-xp -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/chroot /etc /var/bind /var/www/localhost/error/include"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-mtune=athlon-xp -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.free.fr/mirrors/ftp.gentoo.org/ ftp://gentoo.imj.fr/pub/gentoo/ http://212.219.56.134/sites/www.ibiblio.org/gentoo/"
LINGUAS="en"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="acl amuled apache2 async authdaemond automount bash-completion berkdb bzip2 chroot clamav cli cracklib crypt ctype cups curl diskio enscript expat fam ffmpeg filter foomaticdb ftp gd gdbm geoip gmp hardened iconv idn imagemagick imap ipv6 jpeg ldap libclamav lm_sensors math memlimit mfd-rewrites mhash midi mmx mysql mysqli nagios-dns nagios-game nagios-ntp nagios-ping nagios-ssh ncurses network nfs nls oav ogg openntpd pam pcre perl pic png posix ppds python quotas readline ruby samba sasl search sendmail session sftplogging simplexml snmp soap sockets spell spl sqlite ssl syslog tcpd theora threads tiff tokenizer tools truetype unicode unzip ups urandom usb vchroot vda vhosts vorbis x86 xattr xml xorg xsl xtended xvid zip zlib"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="mouse keyboard"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en"
USERLAND="GNU"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

/etc/nsswitch.conf
------------------
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns wins
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

/etc/ldap.conf
--------------
uri ldaps://some.host.net/
suffix dc=domain,dc=local
ldap_version 3
binddn uid=rouser,ou=system,dc=domain,dc=local
bindpw somepass
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password exop
nss_base_passwd ou=users,dc=domain,dc=local
nss_base_passwd ou=computers,dc=domain,dc=local
nss_base_shadow ou=users,dc=domain,dc=local
nss_base_group ou=groups,dc=domain,dc=local
ssl on
nss_reconnect_tries 4 # number of times to double the sleep time
nss_reconnect_sleeptime 1 # initial sleep value
nss_reconnect_maxsleeptime 16 # max sleep value to cap at
nss_reconnect_maxconntries 2 # how many tries before sleeping

/etc/openldap/slapd.conf
------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256
TLSCACertificateFile /etc/openldap/ssl/soundbomb_ca.crt.pem
TLSCertificateFile /etc/openldap/ssl/bombastor-ldap.crt.pem
TLSCertificateKeyFile /etc/openldap/ssl/bombastor-ldap.key.pem
database ldbm
directory /var/lib/openldap-ldbm
suffix "dc=domain,dc=local"
rootdn "cn=adminopenldap,dc=domain,dc=local"
rootpw {SSHA}somecryptedpasswd
index objectClass eq
index uid pres,eq,sub
index uidNumber pres,eq
index gidNumber pres,eq
index memberUid pres,eq,sub
index cn pres,eq,sub
index sn pres,eq,sub
index givenName pres,eq,sub
index displayName pres,eq,sub
index mail pres,eq,sub
index sambaSID pres,eq
index sambaPrimaryGroupSID pres,eq
index sambaDomainName pres,eq
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn="uid=adminuser,ou=users,dc=domain,dc=local" write
    by dn="uid=sambarwuser,ou=samba,ou=system,dc=domain,dc=local" write
    by self write
    by anonymous auth
    by * none
access to dn.exact="ou=users,dc=domain,dc=local"
    by dn="uid=adminuser,ou=users,dc=domain,dc=local" write
    by dn="uid=sambarwuser,ou=samba,ou=system,dc=domain,dc=local" write
    by dn="uid=rouser,ou=system,dc=domain,dc=local" read
    by users read
    by * none
access to dn.regex="^(ou=[^,]+,)*ou=users,dc=domain,dc=local$"
    by dn="uid=adminuser,ou=users,dc=domain,dc=local" write
    by dn="uid=sambarwuser,ou=samba,ou=system,dc=domain,dc=local" write
    by dn="uid=rouser,ou=system,dc=domain,dc=local" read
    by users read
    by * none
access to dn.regex="^uid=([^,]+),((ou=[^,]+,)*)ou=users,dc=domain,dc=local$"
    by dn="uid=adminuser,ou=users,dc=domain,dc=local" write
    by dn="uid=sambarwuser,ou=samba,ou=system,dc=domain,dc=local" write
    by dn="uid=rouser,ou=system,dc=domain,dc=local" read
    by dn.exact,expand="uid=$1,$2ou=users,dc=domain,dc=local" read
    by * none
access to dn.regex="ou=address.book,uid=([^,]+),((ou=[^,]+,)*)ou=users,dc=domain,dc=local$"
    by dn="uid=adminuser,ou=users,dc=domain,dc=local" write
    by dn.exact,expand="uid=$1,$2ou=users,dc=domain,dc=local" write
    by * none
access to dn.regex="^.*,dc=domain,dc=local$"
    by dn="uid=adminuser,ou=users,dc=domain,dc=local" write
    by dn="uid=sambarwuser,ou=samba,ou=system,dc=domain,dc=local" write
    by dn="uid=rouser,ou=system,dc=domain,dc=local" read
    by * none
access to *
    by dn="uid=adminuser,ou=users,dc=domain,dc=local" write
    by dn="uid=sambarwuser,ou=samba,ou=system,dc=domain,dc=local" write
    by dn="uid=rouser,ou=system,dc=domain,dc=local" read
    by users read
    by * none
--
For the debug part of nss... i need to reboot the server, and that's not really possible right now ... hope this will help
cya
ok, i've rebooted my server, but i don't see anything really interesting about "5. nss_ldap debug trace that shows exactly what users were looked up during boot." Maybe i'm not doing stuff the right way ... can anyone help ? cya
See the logdir and debug arguments as described in the nss_ldap manpage.
yeah ... thanks ! (of course nss_ldap man page ... stupid me ! pfff) ;) i'll keep you informed as soon as i reboot the server (again) cya
ok ... server rebooted again ... i get one file related to my mysql process ...:

ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 4 tm: 30 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_is_socket_ready: error on socket 4: errno: 111 (Connection refused)
ldap_close_socket: 4
ldap_err2string
ldap_unbind
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 5 tm: 30 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_is_socket_ready: error on socket 5: errno: 111 (Connection refused)
ldap_close_socket: 5
ldap_err2string
ldap_unbind
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 5 tm: 30 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_is_socket_ready: error on socket 5: errno: 111 (Connection refused)
ldap_close_socket: 5
ldap_err2string
ldap_unbind
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 5 tm: 30 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_is_socket_ready: error on socket 5: errno: 111 (Connection refused)
ldap_close_socket: 5
ldap_err2string
ldap_unbind
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 5 tm: 30 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_is_socket_ready: error on socket 5: errno: 111 (Connection refused)
ldap_close_socket: 5
ldap_err2string
ldap_unbind
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 5 tm: 30 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_is_socket_ready: error on socket 5: errno: 111 (Connection refused)
ldap_close_socket: 5
ldap_err2string
ldap_unbind
ldap_err2string
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 5 tm: 30 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_is_socket_ready: error on socket 5: errno: 111 (Connection refused)
ldap_close_socket: 5
ldap_err2string
ldap_unbind
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 5 tm: 30 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_is_socket_ready: error on socket 5: errno: 111 (Connection refused)
ldap_close_socket: 5
ldap_err2string
ldap_unbind
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 5 tm: 30 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_is_socket_ready: error on socket 5: errno: 111 (Connection refused)
ldap_close_socket: 5
ldap_err2string
ldap_unbind
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 5 tm: 30 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_is_socket_ready: error on socket 5: errno: 111 (Connection refused)
ldap_close_socket: 5
ldap_err2string
ldap_unbind
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 5 tm: 30 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_is_socket_ready: error on socket 5: errno: 111 (Connection refused)
ldap_close_socket: 5
ldap_err2string
ldap_unbind
ldap_create
ldap_url_parse_ext(ldaps://<host>/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP <host>:636
ldap_new_socket: 5
ldap_prepare_socket: 5
ldap_connect_to_host: Trying 10.1.1.1:636
ldap_connect_timeout: fd: 5 tm: 30 async: 0
ldap_ndelay_on: 5
ldap_is_sock_ready: 5
ldap_is_socket_ready: error on socket 5: errno: 111 (Connection refused)
ldap_close_socket: 5
ldap_err2string
ldap_unbind
ldap_err2string

that's it ... hope it'll help... cya
Revisiting something in your original report that I think I missed. You said: "Having an error message telling me mysql is not started, but in fact, mysql is already started, and is working ... but the init script is not able to see that..." Which differs from your summary line. So it did actually start, and the script just ran again weirdly? If this is the case, could you also turn on RC_BOOTLOG (/etc/conf.d/rc)? Also try 5.0.40, there was a possibly related bugreport from the sparc folks.
indeed, i just realised that the "bug" title (ie summary line), is not really explicit ;) So yes, it is started actually, mysql process is running, and everything is fine, even if the mysql-init-script returns with a "MySQL not started"... I'll try the RC_BOOTLOG and 5.0.40, and i'll keep you informed. cya!
Go to 5.0.40 first, i'm 99.9% sure this is a dupe with a fix.
ok, first sorry for the delay ... so i go for 5.0.40 ... (as it's not marked as x86), and i just rebooted the server ... but the problem is still here ... any idea ? cya!
(In reply to comment #12)
> ok, first sorry for the delay ...
>
> so i go for 5.0.40 ... (as it's not marked as x86), and i just rebooted the
> server ... but the problem is still here ...
>
> any idea ?
>
> cya!
>

I can confirm the same problem. Mysqld starts before slapd and insists on looking up the "mysql" group in the LDAP database if you have "ldap" on the "group:" line in /etc/nsswitch.conf. But because the LDAP server is not started, the lookup fails and the MySQL init script reports that mysqld does not start:

 * Starting mysql ...
 * Starting mysql (/etc/mysql/my.cnf)
 * MySQL NOT started (0) [ !! ]
...
 * Starting ldap-server ... [ ok ]

But in actuality, the mysqld process is started and the MySQL service is working.

# pstree
init─┬─4*[agetty]
...
     ├─mysqld───8*[{mysqld}]
...

This is for system start-up but the same thing happens after that if you stop the slapd server, stop the mysqld server and then start the mysqld server again:

# /etc/init.d/mysql start
 * Starting mysql ...
 * Starting mysql (/etc/mysql/my.cnf)
 * MySQL NOT started (0) [ !! ]

Again, the mysqld process is started:

# pstree
init─┬─4*[agetty]
...
     ├─mysqld───8*[{mysqld}]
...

But...

/etc/init.d/mysql stop
 * WARNING: mysql has not yet been started.

If the slapd server is up and running, then mysqld starts with no problem:

# /etc/init.d/mysql start
 * Starting mysql ...
 * Starting mysql (/etc/mysql/my.cnf) [ ok ]

This is what I see in the slapd logs when mysqld starts:

conn=6 op=2 SRCH base="<my.base>" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=mysql))"
conn=6 op=2 SRCH attr=gidNumber

So it looks for a "mysql" group in the LDAP database. That happens even if in /etc/ldap.conf I have:

passwd: files ldap
shadow files ldap
group: files ldap

So it should look for the data in the files first.

To be sure, I changed it to:

passwd: files ldap
shadow files ldap
group: files [SUCCESS=return] ldap [UNAVAIL=return]

And still the same thing: if slapd is not started, mysqld start-up script reports error.

# cat /etc/passwd | grep mysql
mysql:x:60:60:added by portage for mysql:/dev/null:/sbin/nologin
# cat /etc/group | grep mysql
mysql:x:60:
# cat /etc/shadow | grep mysql
mysql:!:13578:0:99999:7:::

So the "mysql" user and group exist in my files.

In the light of these I'm starting to think that maybe there's a problem with nss_ldap or pam_ldap because even if I put

group: files [SUCCESS=return] ldap [UNAVAIL=return]

in /etc/nsswitch.conf, it's like anything but 'files' and 'ldap' is ignored. Because the above line is supposed to mean that if what was looked for is found in the files, then the search should stop. But it doesn't, and because slapd is not started the mysqld start-up script gives the error although mysqld actually starts.

On the other hand if I change /etc/nsswitch.conf as follows:

passwd: files ldap
shadow files ldap
group: files

then mysqld starts instantly without problems:

# /etc/init.d/mysql start
 * Starting mysql ...
 * Starting mysql (/etc/mysql/my.cnf) [ ok ]

A quick fix for system start-up is to modify /etc/init.d/mysql as follows:

depend() {
    after slapd # <= this line added
    use dns net localmount netmount nfsmount
}

But this does not solve the underlying problem of mysqld or the mysqld startup script partially ignoring the configuration of /etc/nsswitch.conf.
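The `memberUid=mysql` filter in the slapd log above is a supplementary-group (initgroups) query; when only a `group:` line is configured, glibc does not stop that lookup at the first source that has an entry, so a local `mysql` group does not keep it away from LDAP. The script below is an added example, not part of this bug report or of Gentoo's init scripts: it lists the non-`files` sources that lookup reaches and times the three lookups a daemon start can trigger. The function names and the sample nsswitch.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example: which NSS sources a service-account start-up can block on.

# Sources listed for one nsswitch database, in order, with [ACTION] items removed.
nss_sources() {   # $1 = nsswitch.conf path, $2 = database (passwd, group, ...)
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$1" |
        awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) print $i }'
}

# Non-local sources the supplementary-group lookup consults. Newer glibc reads
# an "initgroups:" line when present; otherwise the "group:" line is used.
initgroups_remote_sources() {   # $1 = nsswitch.conf path
    src=$(nss_sources "$1" initgroups)
    [ -n "$src" ] || src=$(nss_sources "$1" group)
    printf '%s\n' "$src" | awk '$0 != "" && $0 != "files" && $0 != "compat"'
}

# Wall-clock seconds a lookup command takes (1 s resolution, portable date).
lookup_seconds() {
    start=$(date +%s)
    "$@" >/dev/null 2>&1 || :
    end=$(date +%s)
    echo $((end - start))
}

# Time the by-name lookups and the group-list lookup for one account.
check_account() {   # $1 = account name, $2 = nsswitch.conf path
    for probe in "getent passwd $1" "getent group $1" "id -G $1"; do
        printf '%-22s %ss\n' "$probe" "$(lookup_seconds $probe)"
    done
    remote=$(initgroups_remote_sources "$2" | tr '\n' ' ')
    [ -z "$remote" ] || echo "group-list lookup for $1 also queries: $remote"
}

# Constructed sample mirroring the nsswitch.conf lines quoted in this thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
passwd: files ldap
shadow: files ldap
group:  files [SUCCESS=return] ldap [UNAVAIL=return]
EOF

check_account "${1:-root}" "${2:-$SAMPLE}"
```

Pass the account name and the real /etc/nsswitch.conf as arguments while the directory server is stopped; a multi-second time on `id -G` next to near-zero times on the two `getent` calls would point at the group-list lookup rather than the by-name lookups.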
Please use the new mysql-init-scripts. The conf.d/mysql will show you this an option.