
Re: Specific user accounts not available to system.



I forgot to mention that the issue described below is not happening on a
fresh, new system.  This is a seasoned machine that has not had any LDAP
problems before.  The symptoms showed up after 2 main events.

1. Migration of sendmail to betamax from a Sun machine.
2. The migration above (1) created some unexpected "too many open
files" errors, so actions to solve that (/dev/fs/... off the top of my head :)
were taken.
3. Unfortunately, the machine did have to be cold reset twice.

It is always possible that this machine is compromised (LKM rootkit,
*crosses fingers*).  This machine is destined for a complete
teardown-rebuild anyway, but for peace of mind I would really like to fix
this crappy problem so I can diagnose and fix it in the future.

Thanks again,


Caylan Van Larson
Unix Administrator - Systems Team Member
University of North Dakota (Aerospace College)
caylan@cs.und.edu
701-777-6151 (work)

On Wed, 19 Jun 2002, Caylan Van Larson wrote:

> Hello,
> 
> For some reason, certain user accounts that exist in LDAP are not being
> recognized by the system.  I have done all that I can to remedy this, so
> now I turn to you.
> 
> We have about 5000 users in LDAP currently with about 100 user accounts
> not being accessed correctly from one of our servers.
> 
> There are a total of 8 servers: 6 Red Hat (7.0-7.2) and 2 Sun Solaris
> 2.8.  There is no problem with the accounts whatsoever on any of the
> machines except for one called betamax.  I mention this because I am
> confident that it is not the LDAP directory itself causing errors, which
> lives on 2 (primary, secondary) of our Linux servers.
> 
> Betamax handles mail, web and samba.  It does not have user accounts
> locally but retrieves that info via LDAP.  It is using the latest PAM/NSS
> modules from PADL.
> 
> By creating a /etc/passwd file with the needed user information (on hand
> luckily) we were able to restore functionality temporarily.  By adding the
> passwd file it seemed that the hiccup of "seeing if accounts existed" was
> fixed.  However, this is only temporary.  Whenever the local passwd file
> is removed, it takes about 10 seconds for the command "id username" to
> return "no such user".
> 
> To fix this I have tried multiple things with no positive effect(s):
> 
> * Remove and re-add the affected user(s).
> * Upgrade to the latest PADL software.
> * Upgrade to the latest OpenLDAP version.
> * truss/strace id and compare good w/ bad attempts.
> * Inspect logs/debug from slapd (note: bad attempts with id never even
> get to slapd, which makes me think that nss is the culprit).
> * Turn nscd off/on and reconfigure it.
> * Export full LDIFs to see any differences between good/bad user accounts.
> * Copy over a working ldap.conf.
> * Change the LDAP server that it is connecting to (to pinpoint
> connection problems or a defunct db).
> 
> I seriously have no idea what to do.  If nothing else works I am going to
> tear down and rebuild this machine this or next weekend.
> 
> By the way: ldapsearches return the user account information
> perfectly.  For instance, on betamax:
> 
> $id rkramer
> id: rkramer: no such user
> 
> $ldapsearch (uid=rkramer)
> .
> .
> . Full results for that entry in LDAP
> . (So he is there!!!!!!)
> .
> 
> Thanks for any help you may have,
> 
> :-D
> 
> cl
> 
> Caylan Van Larson
> Unix Administrator - Systems Team Member
> University of North Dakota (Aerospace College)
> caylan@cs.und.edu
> 701-777-6151 (work)
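An added example, not part of Caylan's messages or of the PADL/OpenLDAP software: a small POSIX sh script that puts the NSS view and the LDAP view of a user side by side and times the NSS side, which is exactly the split described above between `id rkramer` failing and `ldapsearch (uid=rkramer)` succeeding. It assumes `getent` and the OpenLDAP `ldapsearch` client are on PATH, that `ldap.conf` allows a simple anonymous bind, and that `date +%s` is available (GNU date, as on the Red Hat box); the function names and the verdict labels are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Put the NSS view and the LDAP view of
# a user account side by side, and time the NSS side, so that a "no such
# user" that takes seconds to appear can be told apart from a genuine miss.
# Assumes getent and the OpenLDAP ldapsearch client are installed and that
# ldap.conf allows a simple (anonymous) bind; nothing here is taken from the
# poster's setup beyond the symptom it reproduces.

# Print the lookup sources on the "passwd:" line of an nsswitch.conf file.
# Example: nss_passwd_sources /etc/nsswitch.conf  ->  "files ldap"
nss_passwd_sources() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Turn the two observations into a one-word verdict.
#   $1  exit status of "getent passwd USER" (0 means NSS resolved the user)
#   $2  number of entries ldapsearch returned for (uid=USER)
classify_lookup() {
    nss_rc=$1
    ldap_n=$2
    if [ "$nss_rc" -eq 0 ] && [ "$ldap_n" -ge 1 ]; then
        echo consistent   # NSS and the directory agree
    elif [ "$nss_rc" -ne 0 ] && [ "$ldap_n" -ge 1 ]; then
        echo nss-miss     # the thread's symptom: LDAP has the entry, NSS does not see it
    elif [ "$nss_rc" -eq 0 ]; then
        echo local-only   # NSS found it without LDAP: /etc/passwd entry or a stale nscd cache
    else
        echo absent       # neither side knows the user
    fi
}

# Look one user up both ways and print: USER  VERDICT  NSS_SECONDS  LDAP_ENTRIES
check_user() {
    u=$1
    start=$(date +%s)
    getent passwd "$u" >/dev/null 2>&1
    nss_rc=$?
    elapsed=$(( $(date +%s) - start ))
    # -x: simple bind, -LLL: bare LDIF; requesting only uid makes each hit one "uid:" line
    ldap_n=$(ldapsearch -x -LLL "(uid=$u)" uid 2>/dev/null | grep -c '^uid:' || true)
    printf '%s\t%s\t%ss\t%s\n' "$u" "$(classify_lookup "$nss_rc" "$ldap_n")" "$elapsed" "$ldap_n"
}

# Usage: sh nss-vs-ldap.sh rkramer otheruser ...
# A run of "nss-miss" lines that each take several seconds points at the
# NSS-to-LDAP path timing out (the host list, or bind_timelimit/timelimit in
# ldap.conf) rather than at the entries themselves; a genuine miss returns
# at once. nscd caches negative answers too, so stop it, or invalidate with
# "nscd -i passwd", before trusting a result.
if [ $# -gt 0 ]; then
    printf 'passwd sources: %s\n' "$(nss_passwd_sources /etc/nsswitch.conf)"
    for u in "$@"; do
        check_user "$u"
    done
fi
```

Run it against a handful of known-good and known-bad accounts on the affected host and on one of the healthy servers; a "consistent" result everywhere except betamax confirms the directory is not at fault, as the original post argues. Since the follow-up also raises the rootkit worry, the NSS library and the nscd binary can be verified against the package database with `rpm -V nss_ldap nscd` (package names assumed to match the install), a check that is independent of anything the directory returns.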