Re: nsswitch.conf, ldap, local groups problem




Quoting Craig White <craigwhite@xxxxxxxxxxx>:

On Wed, 2008-08-27 at 17:07 -0400, Mark Hennessy wrote:
Quoting Craig White <craigwhite@xxxxxxxxxxx>:

> On Wed, 2008-08-27 at 14:53 -0400, Mark Hennessy wrote:
>> Quoting Craig White <craigwhite@xxxxxxxxxxx>:
>>
>> > On Wed, 2008-08-27 at 12:34 -0400, Mark Hennessy wrote:
>> >> I'm using CentOS 5.0, 5.1, and 5.2 on several systems where I'm seeing
>> >> this problem.
>> >>
>> >> Hello, I'm seeing a weird problem that perhaps someone has run into
>> >> with groups.
>> >>
>> >> First, a little background.
>> >> I was made aware of a problem with CentOS 5 where, if the nscd password
>> >> cache is clear and someone tries to log in with an LDAP account while
>> >> there is no network connection, it just hangs.  Even worse, if the
>> >> machine is rebooted and it continues to have no network connection,
>> >> even root login doesn't work.  I messed around with nsswitch.conf to
>> >> fix this problem.
>> >>
>> >> I altered these lines as so:
>> >> passwd:     files [!NOTFOUND=return] ldap
>> >> shadow:     files [!NOTFOUND=return] ldap
>> >> group:      files [!NOTFOUND=return] ldap
>> >>
>> >> and the problem seemed to go away.
>> >>
>> >> But now, here's the weird stuff:
>> >> I have defined in my local /etc/groups file these lines:
>> >> group1:x:100:apache
>> >> group2:x:101:apache
>> >>
>> >> 'getent group groupname' shows the right info:
>> >> # getent group group1
>> >> group1:x:100:apache
>> >>
>> >> # sudo -u apache bash
>> >> $ groups
>> >> apache
>> >>
>> >> I revert back to my old config:
>> >> # sudo -u apache bash
>> >> $ groups
>> >> apache group1 group2
>> >>
>> >> Also, something else that's interesting. If I do this:
>> >> passwd:     files [!NOTFOUND=return] ldap
>> >> shadow:     files [!NOTFOUND=return] ldap
>> >> group:      ldap [NOTFOUND=continue] files
>> >>
>> >> and reboot, udev segfaults and the system freezes up after a few
>> >> more seconds.
>> >> Starting udev: /sbin/start_udev: line 43:   519 Segmentation fault
>> >>   "$@" $ARGS
>> >> /sbin/start_udev: line 201: 523 Segmentation fault /sbin/udevd -d
>> >> Wait timeout. Will continue in the background.[FAILED]
>> >>
>> >> Any advice?
>> > ----
>> > Try putting this at the bottom of /etc/ldap.conf
>> >
>> > timelimit 30
>> > bind_timelimit 30
>> > bind_policy soft
>> > nss_initgroups_ignoreusers root,ldap
>> >
>> > I wouldn't recommend the changes that you have in nsswitch.conf
>>
>> Unfortunately, that doesn't work either.
>> I made the changes, shut down the machine and started it without
>> networking, and here's what happens:
>>
>> login: root
>> Password:
>>
>> login:
>>
>> login pukes and init starts it again.
> ----
> you shouldn't need to restart but if you can't login as root, you
> probably still have something messed up in /etc/nsswitch.conf or may
> have messed up /etc/passwd | /etc/shadow
>
> can you login as a user and su - to root?
>
> if not, it probably would be best to boot to runlevel 1 and
> edit /etc/nsswitch.conf so it has this...
>
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
>
> and remove the NOTFOUND entries

Yes, done.
Without networking, still the login failure trouble.

With networking, no trouble at all, but with those timeouts of 30
seconds and without those changes to nsswitch.conf, it takes a while
for the first root login to succeed even though it is using local auth.
----
do you have this line in /etc/pam.d/system-auth

account     sufficient    pam_localuser.so

???

What does your /etc/pam.d/system-auth look like?
my /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass debug
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok debug
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so debug
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022


===
I added

account     sufficient    pam_localuser.so

right before pam_ldap in the account section and tried again with the same procedure (turn off networking (chkconfig --levels 2345 network off), reboot).

Same result, login dies and gets restarted.

login: root
Password:

login:

Craig
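The nsswitch.conf action syntax the thread turns on (`[!NOTFOUND=return]`, `[NOTFOUND=continue]`) is easiest to reason about by simulating the walk. What follows is an added example, not code from the thread or from glibc. It models only single-entry lookups (getpwnam-style) with constructed stand-ins for the files and ldap sources; it does not model initgroups(), the supplementary-group enumeration that glibc walks separately and merges across sources, which is where the poster's missing group1/group2 membership lives. The sample users, the directory contents and the choice to report an unreachable LDAP server as UNAVAIL are assumptions of the example. It shows that under both `files ldap` and `files [!NOTFOUND=return] ldap` root is answered from files and ldap is never consulted, so for entries that exist locally the negated action changes nothing (it only differs from the default when files itself reports UNAVAIL or TRYAGAIN); that for a user not in files an unreachable server ends the walk with UNAVAIL only after nss_ldap's bind timeout, which is the delay the poster describes; and that `ldap [NOTFOUND=continue] files` sends every lookup to LDAP first, including the ones made at boot before networking is up, such as udev resolving OWNER= and GROUP= names in its rules.

```python
"""Walk an nsswitch.conf service list with the action semantics of
nsswitch.conf(5) for a single-entry lookup such as getpwnam().

Added example for this thread, not glibc code and not from the CentOS list.
The files and ldap sources below are constructed stand-ins so it runs offline."""
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# Defaults from nsswitch.conf(5): only SUCCESS stops the walk.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}
_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_line(line):
    """'passwd: files [!NOTFOUND=return] ldap' -> ('passwd', [(name, actions), ...]).
    A [STATUS=action] block modifies the service to its left; '!' negates the status."""
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("missing database name: " + line)
    rest = rest.split("#", 1)[0]            # drop a trailing comment
    services = []
    for bracket, name in _TOKEN.findall(rest):
        if name:
            services.append((name, dict(DEFAULT_ACTIONS)))
            continue
        if not services:
            raise ValueError("action block before any service: " + line)
        for spec in bracket.split():
            negate = spec.startswith("!")
            status, _, action = spec.lstrip("!").partition("=")
            status, action = status.upper(), action.lower()
            if status not in STATUSES or action not in ("return", "continue"):
                # 'merge' (newer glibc) is deliberately not modelled here
                raise ValueError("bad action spec: " + spec)
            for s in (s for s in STATUSES if (s != status) == negate):
                services[-1][1][s] = action
    return db.strip(), services


def lookup(services, sources, key):
    """Consult services in order; sources maps name -> callable(key) -> (status, value).
    Returns (final_status, value, consulted)."""
    status, value, consulted = "NOTFOUND", None, []
    for name, actions in services:
        consulted.append(name)
        status, value = sources[name](key)
        if actions[status] == "return":
            break
    return status, value, consulted


# Constructed data: a local passwd file and a directory only nss_ldap can see.
LOCAL_PASSWD = {"root": "root:x:0:0:root:/root:/bin/bash",
                "apache": "apache:x:48:48:Apache:/var/www:/sbin/nologin"}
DIRECTORY = {"mark": "mark:x:1001:1001:Mark:/home/mark:/bin/bash"}


def files_source(key):
    return ("SUCCESS", LOCAL_PASSWD[key]) if key in LOCAL_PASSWD else ("NOTFOUND", None)


def ldap_source(reachable):
    """Assumption of this example: an unreachable server is reported as UNAVAIL,
    and only after nss_ldap has waited out its bind timeout."""
    def query(key):
        if not reachable:
            return ("UNAVAIL", None)
        return ("SUCCESS", DIRECTORY[key]) if key in DIRECTORY else ("NOTFOUND", None)
    return query


def trace(config_line, key, ldap_up):
    """Resolve `key` under one nsswitch line; returns (status, value, consulted)."""
    _, services = parse_line(config_line)
    return lookup(services, {"files": files_source, "ldap": ldap_source(ldap_up)}, key)


if __name__ == "__main__":
    for line in ("passwd: files ldap",
                 "passwd: files [!NOTFOUND=return] ldap",
                 "passwd: ldap [NOTFOUND=continue] files"):
        for user in ("root", "mark"):
            status, _, consulted = trace(line, user, False)
            print(f"{line:42} {user:5} ldap down -> {status:8} via {consulted}")
```

Running it with LDAP marked unreachable prints the order each line consults the sources; the root lookups under the two `files`-first lines stop at `files`, while the `ldap`-first line waits on LDAP before it ever reads the local file.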


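The pam_localuser suggestion can be checked against the posted system-auth without a machine. The block below is an added example that evaluates Linux-PAM control flags (required/requisite/sufficient/optional and the `[value=action]` form, including the numeric jump the crond line uses) over stubbed module results; it is not code from the thread or from Linux-PAM, and the per-user module outcomes, the user `mark`, uid 1001 and the treatment of an unspecified `default` as a failure are constructed assumptions. The stack text itself is copied from the thread. For root, `account sufficient pam_succeed_if.so uid < 500` ends the account group with success before pam_ldap is reached, so a pam_localuser line inserted right before pam_ldap is never executed for root and cannot change the outcome; the same holds in the auth group, where `auth sufficient pam_unix.so` ends the stack on a correct local password. Whatever blocks the root login without networking is therefore not in the auth or account groups shown. Two things the simulation also makes visible: the session group does run `pam_ldap.so` (optional) for every user, root included, and the thread's `nss_initgroups_ignoreusers root,ldap` suggestion targets the NSS layer, where initgroups() still consults LDAP for root under a plain `group: files ldap`.

```python
"""Evaluate Linux-PAM stacks with the control-flag semantics of pam.conf(5).

Added example for this thread, not code from the CentOS list or from
Linux-PAM.  Module behaviour is stubbed with constructed per-user results so
it runs offline; the stack text is the one posted in the thread."""
import re

# The four keywords are shorthand for these [value=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text, group):
    """Return [(control, module, args)] for the lines of one management group."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: " + line)
        mtype, control, module, args = m.groups()
        if mtype == group:
            ctl = (dict(kv.split("=", 1) for kv in control[1:-1].split())
                   if control.startswith("[") else KEYWORDS[control])
            entries.append((ctl, module, args.split()))
    return entries


def run_stack(entries, results):
    """results maps module -> return value ("success", "user_unknown", ...).
    Returns (outcome, invoked): outcome is "success" or the first recorded
    failure; invoked lists the modules that actually ran, in order.
    Actions handled: ok, bad, die, done, ignore and the numeric jump (skip N)."""
    positive, status, invoked, i = None, None, [], 0
    while i < len(entries):
        ctl, module, _ = entries[i]
        i += 1
        retval = results[module]
        invoked.append(module)
        # Assumption: a value with no explicit action and no default is a failure.
        action = ctl.get(retval, ctl.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if positive is not False:        # the first failure fixes the result
                positive, status = False, retval
            if action == "die":
                break
            continue
        if action not in ("ok", "done") and not action.isdigit():
            raise ValueError("unsupported action: " + action)
        # ok, done and N are positive contributions unless a failure is recorded
        if positive is None or (positive and status == "success"):
            positive, status = True, retval
        if action == "done" and positive:
            break
        if action.isdigit():
            i += int(action)                 # jump over the next N modules
    # An undecided stack is a failure (PAM_PERM_DENIED in Linux-PAM).
    return ("perm_denied" if positive is None else status), invoked


# Account and session groups exactly as posted in the thread.
SYSTEM_AUTH = """
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so debug
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
"""
# The line the poster inserted "right before pam_ldap in the account section".
WITH_LOCALUSER = SYSTEM_AUTH.replace(
    "account     [default=bad",
    "account     sufficient    pam_localuser.so\naccount     [default=bad")

LOCAL_UIDS = {"root": 0, "apache": 48}     # constructed stand-in for /etc/passwd


def account_results(user, ldap_reachable):
    """Constructed module outcomes: local users are known to pam_unix and
    pam_localuser; anyone else depends on LDAP being reachable."""
    local = user in LOCAL_UIDS
    uid = LOCAL_UIDS.get(user, 1001)
    return {
        "pam_unix.so": "success" if (local or ldap_reachable) else "user_unknown",
        "pam_succeed_if.so": "success" if uid < 500 else "auth_err",
        "pam_localuser.so": "success" if local else "perm_denied",
        "pam_ldap.so": "success" if ldap_reachable else "authinfo_unavail",
        "pam_permit.so": "success",
    }


def account_check(user, ldap_reachable, config=SYSTEM_AUTH):
    return run_stack(parse_stack(config, "account"), account_results(user, ldap_reachable))


def session_modules(service):
    """Which session modules run for a given PAM service name (all succeed)."""
    results = {m: "success" for m in ("pam_keyinit.so", "pam_limits.so", "pam_unix.so",
                                      "pam_ldap.so", "pam_mkhomedir.so")}
    results["pam_succeed_if.so"] = "success" if service == "crond" else "auth_err"
    return run_stack(parse_stack(SYSTEM_AUTH, "session"), results)[1]


if __name__ == "__main__":
    for name, cfg in (("posted stack", SYSTEM_AUTH), ("with pam_localuser", WITH_LOCALUSER)):
        print(f"{name:20} root, LDAP down:", account_check("root", False, cfg))
    print("ldap user, LDAP up:  ", account_check("mark", True))
    print("ldap user, LDAP down:", account_check("mark", False))
    print("session for crond:", session_modules("crond"))
    print("session for login:", session_modules("login"))
```

The two root lines print the same two-module trace, with or without pam_localuser, and neither reaches pam_ldap; the `mark` trace with LDAP down shows how a `required` failure from pam_unix is carried through the rest of the stack rather than stopping it.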

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

