Re: ls hangs in internal-sftp for LDAP users + numeric uid/gid instead of names

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Le 12/05/2017 à 14:03, Alexander Wuerstlein a écrit :
> On 2017-05-12T13:49, mh@xxxxxxx <mh@xxxxxxx> wrote:
>> Le 12/05/2017 à 12:47, Alexander Wuerstlein a écrit :
>>> On 2017-05-12T12:07, mh@xxxxxxx <mh@xxxxxxx> wrote:
>>>> I'm using 7.2p2-4ubuntu2.1
>>>>
>>>> I have the same exact problem as described in the first comment in
>>>> https://bugzilla.mindrot.org/show_bug.cgi?id=1573
>>>>
>>>> Initially, my ldap server hostname and IP is only in /etc/hosts, not in
>>>> the configured resolver. I can't use the real IP as a workaround in
>>>> ldap.conf because of the TLS configuration which cares about the hostname.
>>>>
>>>> At the time I add the host name and IP in the resolver, the issue goes away.
>>>>
>>>> So, I'm a bit worried to be forced to declare a record in my DNS to
>>>> enable SFTP listing ? There should be another way isn't ?
>>>>
>>>> I also tried to copy /etc/hosts to etc/hosts in the folder specified by
>>>> ChrootDirectory directive with no more success.
>>>>
>>>> Notice : it happens only for ldap users, not local users
>>>
>>> There should be a /etc/nsswitch.conf in your chroot where you can
>>> configure where users and hostnames should be looked up. E.g. to prevent
>>> LDAP lookups altogether you could configure the respective two lines to
>>> read:
>>> passwd:		files
>>> group:		files
>>> i.e. drop the 'ldap' option there. To check why /etc/hosts isn't being
>>> used you can look if hosts: has 'files dns' or just 'dns' altogether
>>> behind it.
>>>
>>> But in general I would recommend putting all your hostnames into DNS
>>> properly, in my experience this avoids all kinds of headaches with all
>>> kinds of software. And leave /etc/hosts as empty as possible, because
>>> that always grows inconsistent over time.
>>>
>>>
>>
>> Thanks Alexander,
>>
>> I'll try the nsswitch.conf suggestion. Until then I've noticed the
>> following : while the ldap hostname is into the DNS, if I also put a the
>> corresponding line to etc/hosts in the chroot the hang happens again. So
>> the hosts file in the chroot is red somehow.
> 
> It shouldn't hang in that case, thats strange. However, the order of the
> options in nsswitch.conf determines which way to look up the hostname is
> tried first, second, ... etc. One thing that might be a problem (but I'm
> guessing, there might be a lot more going on[0]) would be whether you have
> just the hostname or the FQDN in your ldap.conf and /etc/hosts. And if
> its not the FQDN in some place, then what your search path in
> /etc/resolv.conf and the value of your dnsdomainname might be. 


I currently have in nsswitch.conf, in the etc folder inside the sftp's
chroot (/srv/ftpchroot/etc) :

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
gshadow:        files

hosts:          files dns


Since I've update my DNS and switched to libnss-ldapd I can't reproduce
the hang so I'm unsure what was the cause...

However, I get uid/gid numbers instead of names within sftp session (ls
-l) ? I don't know if it's new but I would definitively prefer names...

> 
>> But if it reads the hosts file propertly, what is the problem then ?
> 
> I'm not sure. Maybe try determining if its a ssh/sftp problem first: In
> that chroot, does 'getent passwd' hang? Does it contain only local users
> or ldap users as well? Does 'getent hosts $ldaphostname' hang? If yes,
> its a problem with the libc name services that are behind getent and
> stuff, so you would have to fix the config (in nsswitch.conf and all the
> related things referenced from there). strace-ing the aforementioned
> getent calls might help narrowing things further down.

I'll try to determine this if needed if I bump into the issue again.


Q: How do you mean to run getent in the sftp chroot ? you mean from the
shell ? I would need to copy a bunch of binary/lib files to achieve that
I guess.

(I'm not even sure that the files I put in /srv/ftpchroot/etc are read
in some way)

Regards,
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux