Re: nsswitch.conf, ldap, local groups problem




Quoting Craig White <craigwhite@xxxxxxxxxxx>:

On Wed, 2008-08-27 at 14:53 -0400, Mark Hennessy wrote:
Quoting Craig White <craigwhite@xxxxxxxxxxx>:

> On Wed, 2008-08-27 at 12:34 -0400, Mark Hennessy wrote:
>> I'm using CentOS 5.0, 5.1, and 5.2 on several systems where I'm seeing
>> this problem.
>>
>> Hello, I'm seeing a weird problem that perhaps someone has run into
>> with groups.
>>
>> First, a little background.
>> I was made aware of a problem with CentOS 5 where, if the nscd password
>> cache is clear and someone tries to log in with an LDAP account while
>> there is no network connection, the login just hangs.  Even worse, if the
>> machine is rebooted and still has no network connection, even root login
>> doesn't work.  I messed around with nsswitch.conf to fix this problem.
>>
>> I altered these lines as so:
>> passwd:     files [!NOTFOUND=return] ldap
>> shadow:     files [!NOTFOUND=return] ldap
>> group:      files [!NOTFOUND=return] ldap
>>
>> and the problem seemed to go away.
>>
>> But now, here's the weird stuff:
>> I have defined in my local /etc/groups file this line:
>> group1:x:100:apache
>> group2:x:101:apache
>>
>> 'getent group groupname' shows the right info:
>> # getent group group1
>> group1:x:100:apache
>>
>> # sudo -u apache bash
>> $ groups
>> apache
>>
>> I revert back to my old config:
>> # sudo -u apache bash
>> $ groups
>> apache group1 group2
>>
>> Also, something else that's interesting. If I do this:
>> passwd:     files [!NOTFOUND=return] ldap
>> shadow:     files [!NOTFOUND=return] ldap
>> group:      ldap [NOTFOUND=continue] files
>>
>> and reboot, udev segfaults and the system freezes up after a few
>> more seconds.
>> Starting udev: /sbin/start_udev: line 43:   519 Segmentation fault
>>   "$@" $ARGS
>> /sbin/start_udev: line 201:   523 Segmentation fault      /sbin/udevd -d
>> Wait timeout. Will continue in the background.[FAILED]
>>
>> Any advice?
> ----
> Try putting this at the bottom of /etc/ldap.conf
>
> timelimit 30
> bind_timelimit 30
> bind_policy soft
> nss_initgroups_ignoreusers root,ldap
>
> I wouldn't recommend the changes that you have in nsswitch.conf

Unfortunately, that doesn't work either.
I made the changes, shut down the machine and started it without
networking, and here's what happens:

login: root
Password:

login:

login pukes and init starts it again.
----
You shouldn't need to restart, but if you can't log in as root, you
probably still have something messed up in /etc/nsswitch.conf or may
have messed up /etc/passwd | /etc/shadow.

Can you log in as a user and su - to root?

if not, it probably would be best to boot to runlevel 1 and
edit /etc/nsswitch.conf so it has this...

passwd:     files ldap
shadow:     files ldap
group:      files ldap

and remove the NOTFOUND entries

Yes, done.
Without networking, still the login failure trouble.

With networking, there is no trouble at all. But with those 30-second timeouts, and without those changes to nsswitch.conf, the first root login takes a while to succeed even though it is using local auth.


Craig
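As an added illustration (not code from this thread or from CentOS/glibc), here is a small Python model of the lookup rules documented in nsswitch.conf(5): each service in a database line is tried in order, and the bracketed `[STATUS=ACTION]` specs (with `!` negation) override the default actions of `SUCCESS=return` and `NOTFOUND`/`UNAVAIL`/`TRYAGAIN=continue`. The service names and the per-service outcomes (for example "LDAP is UNAVAIL because the network is down") are constructed assumptions fed into the model. Running it over the lines from the thread shows that for a plain passwd or group lookup `files [!NOTFOUND=return] ldap` behaves exactly like the default `files ldap` whenever `files` answers SUCCESS or NOTFOUND; the two differ only when `files` itself returns UNAVAIL or TRYAGAIN. The model covers single-entry lookups such as getpwnam/getgrnam; it does not model glibc's initgroups path, which walks every service to collect supplementary group memberships (the reason `nss_initgroups_ignoreusers` exists).

```python
"""Model of the nsswitch.conf(5) lookup rules: parse a database line,
apply per-service action specs, and report which services are consulted.

Constructed example; not code from the CentOS thread or from glibc.
"""
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")

# Defaults from nsswitch.conf(5): a hit returns, everything else moves on.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# A token is either a bracketed action spec or a bare service name.
_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_spec(spec):
    """Turn 'STATUS=ACTION ...' (optionally '!STATUS=ACTION') into an
    action map. '!NOTFOUND=return' means every status except NOTFOUND."""
    actions = {}
    for item in spec.split():
        status, _, action = item.partition("=")
        negate = status.startswith("!")
        status = status.lstrip("!").upper()
        action = action.lower()
        if status not in STATUSES or action not in ("return", "continue"):
            raise ValueError("bad action spec: " + item)
        targets = [s for s in STATUSES if s != status] if negate else [status]
        for s in targets:
            actions[s] = action
    return actions


def parse_line(line):
    """Parse 'db: svc [spec] svc ...' into (db, [(svc, actions), ...]).
    Each spec modifies the service immediately before it."""
    line = line.split("#", 1)[0]          # drop trailing comments
    db, _, rest = line.partition(":")
    services = []
    for m in _TOKEN.finditer(rest):
        spec, svc = m.group(1), m.group(2)
        if svc is not None:
            services.append((svc, dict(DEFAULT_ACTIONS)))
        elif services:
            services[-1][1].update(parse_spec(spec))
        else:
            raise ValueError("action spec before any service: " + line)
    return db.strip(), services


def resolve(line, outcomes):
    """Walk the services in order, applying each one's action for the
    status it produced.  `outcomes` maps service -> status (constructed
    for the scenario); a service missing from the map is treated as
    UNAVAIL, i.e. the NSS module could not be used.
    Returns (final_status, services_consulted)."""
    _, services = parse_line(line)
    consulted = []
    status = "NOTFOUND"
    for svc, actions in services:
        status = outcomes.get(svc, "UNAVAIL")
        if status not in STATUSES:
            raise ValueError("bad outcome for %s: %s" % (svc, status))
        consulted.append(svc)
        if actions[status] == "return":
            break                           # stop here; later services untouched
    return status, consulted


if __name__ == "__main__":
    # Constructed scenarios: the machine is booted with no network, so the
    # ldap module can never answer; 'files' answers for root but not for
    # an LDAP-only user.
    offline_root = {"files": "SUCCESS", "ldap": "UNAVAIL"}
    offline_ldap_user = {"files": "NOTFOUND", "ldap": "UNAVAIL"}
    for line in ("passwd: files ldap",
                 "passwd: files [!NOTFOUND=return] ldap",
                 "group:  ldap [NOTFOUND=continue] files"):
        print("%-40s root -> %s   ldap-user -> %s" % (
            line, resolve(line, offline_root), resolve(line, offline_ldap_user)))
```

The output makes the thread's first observation concrete: for root, both passwd lines stop at `files` with SUCCESS and never touch `ldap`, while the `ldap ... files` ordering for `group` consults the unreachable LDAP service first on every lookup.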




_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

