FW: LDAP Problem

Anton Blajev - Valqk valqk at lozenetz.org
Wed Oct 8 19:06:55 EST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Joseph,
I've resolved this problem for myself by changing the order of lookups:
$>cat /etc/nsswitch.conf
group: pgsql files
passwd: pgsql files
....
but it'd be a good idea to compile and add the nscd (nis caching daemon).
then the file will look like this

group: cache files pgsql
etc...

as far as I looked at the code I think the problem is that there is no
fallback when doing login_get_lastlog on other nis records, but I've
found a solution for me and I prefer not to patch the code (hope it gets
in stable releases sooner or later)


cheers,
valqk.

Gigliotti, Joseph wrote:
> Hi Anton, saw your post "login_get_lastlog - nss enviornment - works in
> shell env, doesn't work"
> http://securepoint.com/lists/html/OpenSSH/2007-01/msg00017.html
>  
> We are having similar problems from a RedHat v3 host when we try and
> ssh, su etc. to it. The host is configured to authenticate against an
> LDAP directory and it hangs for 4 minutes and then logs out with the
> error message "fatal: login_get_lastlog: Cannot find account for uid
> 232135350" in the syslogs.
>  
> Do you have any knowledge of this problem please?
>  
>  
> Regards
> Joseph Gigliotti
> IT Domain Specialist
> Identity Solutions, Telstra Operations
> Tel: (03) 9634 2436 / 0407 862 934
> http://www.in.telstra.com.au/ism/identitymanagementsolutioncentre/
> This communication may contain CONFIDENTIAL or copyright information of
> Telstra Corporation Limited (ABN 33 051 775 556). If you are not an
> intended recipient, you MUST NOT keep, forward, copy, use, save or rely
> on this communication, and any such action is unauthorised and
> prohibited. If you have received this communication in error, please
> reply to this e-mail to notify the sender of its incorrect delivery, and
> then delete both it and your reply. Thank you
>  
>  
> ______________________________________________
> From: Clemens, Ross W
> Sent: Wednesday, 8 October 2008 11:53 AM
> To: Gigliotti, Joseph; Penjin, Jovan; Budavari, Raymond
> Subject: LDAP Problem
>  
> Hi!
>  
> Further to previous email on the same subject, please find below further
> investigation.
>  
> I have two nearly identical Red Hat hosts.  I say nearly identical
> because although the LDAP rpms, ldap configuration and os kernel are the
> same there is obviously some difference that is preventing me from
> logging into one of the hosts using ldap.
>  
> The faulty host will not allow me to login from the console, ssh or su
> to an eAAA user.  From the syslog event it would appear that the ldap
> password was accepted but the session was closed after a delay of four
> minutes with the error that uid of 23213530 could not be found.  The uid
> of 23213530 is mine and is valid.  A copy of the syslog output is shown
> below.
>  
> Oct  8 09:39:54 wpm3 sshd[23426]: Accepted password for b321353 from
> 172.17.9.15 port 971 ssh2
> Oct  8 09:39:54 wpm3 sshd(pam_unix)[23439]: session opened for user
> b321353 by (uid=0)
> Oct  8 09:43:55 wpm3 sshd[23439]: fatal: login_get_lastlog: Cannot find
> account for uid 232135350
> Oct  8 09:43:55 wpm3 sshd(pam_unix)[23439]: session closed for user b321353
>  
> I confirmed that ldap was working by running ldapsearch - see below
>  
> HVS2_[root at wpm3 root]# ldapsearch -D
> "cn=proxyagent,ou=profile,ou=msg,dc=AAA,dc=telstra,dc=com" -W -h
> ssino04.msg.in.telstra.com.au -x -b
> "ou=people,ou=msg,dc=AAA,dc=telstra,dc=com" "uid=b321353"
> Enter LDAP Password:
> version: 2
>  
> #
> # filter: uid=b321353
> # requesting: ALL
> #
>  
> # b321353, People, msg, AAA, telstra, com
> dn: uid=b321353,ou=People,ou=msg,dc=AAA,dc=telstra,dc=com
> userPassword::
> e1NTSEF9SytrejFDNDlVYXJFQmJXYW9aY0FsNFYwdnZ0WWRHcEp4REtaR1E9PQ=
> =
> homeDirectory: /export/home/msggrp3
> givenName: Ross
> sn: Clemens
> loginShell: /bin/bash
> gidNumber: 1000
> uidNumber: 232135350
> mail: Ross.W.Clemens at team.telstra.com
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: top
> uid: b321353
> gecos: Ross Clemens (02) 8255 2555
> cn: b321353
> employeeNumber: 23213535
>  
> # search result
> search: 2
> result: 0 Success
>  
> # numResponses: 2
> # numEntries: 1
>  
>  
> I searched the internet to find more details re the error message:  fatal:
> login_get_lastlog: Cannot find account for uid 232135350
> I came to the conclusion, from looking at openssh code that this error
> is generated if getpwuid() returns a null
>  
> I wrote a simple program that prints the output from getpwuid and
> compiled it on a development host.  I ran it on the host in question and
> it produced a valid output - i.e. not null
>  
> HVS2_[root at wpm3 msggrp3]# ./getuid.out 232135350
> Login Name: b321353  User ID: 232135350 Group ID: 1000
>  
> *Help Required*
> I've exhausted all my leads although there was some talk that the length
> (9-digits) of the uid may cause this error.  If you are unable to assist
> can we raise a case with Red Hat to investigate?
>  
>  
> Regards,
> Ross
> Tel: (02) 8255 2555
>  
>  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjsah8ACgkQzpU6eaWiiWgocwCfcu4AN+PVg9EqAXURIkXgqYYe
34UAniB8UPRa/Y20VfpqRMyZViHXzG5x
=IfgV
-----END PGP SIGNATURE-----
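Ross mentions a small getpwuid() test program but the thread does not include it, and his version could not tell a lookup that returned "no such user" apart from one that failed or stalled. The program below is an added example written for this thread; it is not Ross's program and not OpenSSH code. It resolves each uid given on the command line through the same NSS path sshd's login_get_lastlog() uses, but with the reentrant getpwuid_r(), separates "NSS answered not found" from "lookup error", and times each call so that a backend that hangs for minutes before answering (the four-minute gap in the syslog above) shows up as elapsed time. The 16 KB buffer and the output format are my choices, and the "not found" error codes follow glibc's documented getpwuid_r() behaviour.

```c
/* nss_uid_check.c: added diagnostic for this thread, not Ross's program and
 * not OpenSSH code. Resolves uids through NSS the way login_get_lastlog()
 * does (getpwuid), but with getpwuid_r(), a found/not-found/error split,
 * and a timer so a stalled backend is visible as elapsed milliseconds. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>

/* Parse a decimal uid. Returns 0 on success, -1 for an empty string, a sign,
 * trailing junk, overflow of uid_t, or (uid_t)-1, which many APIs treat as
 * "no uid" and which sshd would never be asked to resolve. */
int parse_uid(const char *s, uid_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s == '\0' || *s == '-' || *s == '+')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    if (v > (unsigned long)(uid_t)-1 || (uid_t)v == (uid_t)-1)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Resolve uid via getpwuid_r. Returns 0 (found, *pw filled in), 1 (NSS
 * answered "no such uid"), or -1 (lookup error, errno value in *err).
 * *elapsed_ms is the wall-clock time the lookup took: minutes here, then
 * "not found", is the signature of a backend that timed out. */
int lookup_uid(uid_t uid, struct passwd *pw, char *buf, size_t buflen,
               int *err, double *elapsed_ms)
{
    struct passwd *result = NULL;
    struct timespec t0, t1;
    int rc;

    clock_gettime(CLOCK_MONOTONIC, &t0);
    rc = getpwuid_r(uid, pw, buf, buflen, &result);
    clock_gettime(CLOCK_MONOTONIC, &t1);
    *elapsed_ms = (t1.tv_sec - t0.tv_sec) * 1000.0 +
                  (t1.tv_nsec - t0.tv_nsec) / 1e6;
    *err = rc;
    if (rc == 0 && result != NULL)
        return 0;
    /* glibc reports "not found" as 0 with a NULL result, or as one of these. */
    if (rc == 0 || rc == ENOENT || rc == ESRCH || rc == EBADF || rc == EPERM)
        return 1;
    return -1;   /* e.g. ERANGE: buffer too small for the entry */
}

/* Print one report line for a uid given as text and return its class:
 * 0 found, 1 not found, -1 lookup error, 2 unparsable input. */
int report_uid(const char *arg)
{
    char buf[16384];   /* generous: directory entries carry long gecos/home */
    struct passwd pw;
    uid_t uid;
    int rc, err;
    double ms;

    if (parse_uid(arg, &uid) != 0) {
        printf("%s: not a valid uid\n", arg);
        return 2;
    }
    rc = lookup_uid(uid, &pw, buf, sizeof buf, &err, &ms);
    if (rc == 0)
        printf("uid %lu -> %s gid %lu shell %s (%.1f ms)\n", (unsigned long)uid,
               pw.pw_name, (unsigned long)pw.pw_gid, pw.pw_shell, ms);
    else if (rc == 1)
        printf("uid %lu -> NOT FOUND, NSS answered after %.1f ms\n",
               (unsigned long)uid, ms);
    else
        printf("uid %lu -> ERROR %s after %.1f ms\n",
               (unsigned long)uid, strerror(err), ms);
    return rc;
}

int main(int argc, char **argv)
{
    int i;

    if (argc < 2) {
        fprintf(stderr, "usage: %s uid [uid ...]\n", argv[0]);
        return 2;
    }
    for (i = 1; i < argc; i++)
        report_uid(argv[i]);
    return 0;
}
```

Run it as the same user and in the same environment sshd runs in (root, and ideally from a session whose nsswitch.conf is the one under test), e.g. `./nss_uid_check 232135350`. A quick answer of "NOT FOUND" means the NSS sources in nsswitch.conf order genuinely have no entry for that uid, which is what Anton's reordering of sources addresses; a long elapsed time before the same answer points at a backend (ldap, pgsql) that is timing out, which is where nscd in front of the directory helps; an ERROR line is a local problem such as a buffer too small for the entry.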

