Re: Specific user accounts not available to system.
I forgot to mention that this issue described below is not happening on a
fresh new system. This is a seasoned machine, not having any ldap
problems before. The symptoms showed up after 2 main events.
1. Migration of sendmail to betamax from a sun machine.
2. The migration above (1) created some unexpected "too many open
files" so actions to solve that (/dev/fs/... off top of head :) were
3. Unfortunately, the machine did have to be cold reset twice.
It is always possible that this machine is compromised (lkm rootkit,
*crosses fingers*). This machine is destined for a complete
teardown-rebuild anyway, but for peace of mind I would really like to fix
this crappy problem so I can diagnose and fix in future.
Caylan Van Larson
Unix Administrator - Systems Team Member
University of North Dakota (Aerospace College)
On Wed, 19 Jun 2002, Caylan Van Larson wrote:
> For some reason, certain user accounts that exist in LDAP are not being
> recognized by the system. I have done all that I can to remedy this, so
> now I turn to you.
> We have about 5000 users in LDAP currently with about 100 user accounts
> not being accessed correctly from one of our servers.
> There is a total of 8 servers: 6 Redhat (7.0-7.2) and 2 Sun Solaris
> 2.8. There is no problem with the accounts whatsoever on any of the
> machines except for one called betamax. I mention this because I am
> confident that it is not the LDAP Directory itself causing errors which
> lies on 2 (primary,secondary) of our linux servers.
> Betamax handles mail, web and samba. It does not have user accounts
> locally but retrieves that info via LDAP. It is using the latest pam/nss
> modules from PADL.
> By creating a /etc/passwd file with the needed user information (on hand
> luckily) we were able to restore functionality temporarily. By adding the
> passwd file it seemed that the hiccup of "seeing if accounts existed" was
> fixed. However, this is only temporary. Whenever the local passwd file
> is removed, it takes about 10 seconds for the command "id username" to
> return "no such user".
> To fix this I have tried multiple things with no positive effect(s):
> * Remove and re-add the affected user(s).
> * Upgrade to latest padl software.
> * Upgrade to latest openldap version.
> * truss/strace id and compare good w/ bad attempts.
> * Inspect logs/debug from slapd, (note: bad attempts with id never even
> get to slapd, which makes me think that nss is the culprit)
> * Turn off/on and reconfigure nscd
> * Export full ldif's to see any differences between good/bad user accounts.
> * Copy over a working ldap.conf
> * Changing the ldap server that it is connecting to, (to pinpoint
> connection problems or defunct db)
> I seriously have no idea what to do. If nothing else works I am going to
> tear down and rebuild this machine this or next weekend.
> By the way: ldapsearch queries return the user account information
> perfectly. For instance, on betamax:
> $id rkramer
> id: rkramer: no such user
> $ldapsearch (uid=rkramer)
> . Full results for that entry in LDAP
> . (So he is there!!!!!!)
> Thanks for any help you may have,
> Caylan Van Larson
> Unix Administrator - Systems Team Member
> University of North Dakota (Aerospace College)
> 701-777-6151 (work)
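The thread's key observation is that `id` fails while `ldapsearch` succeeds for the same uid, which isolates the fault to the NSS layer (nss_ldap, its ldap.conf, or nscd) rather than the directory. The script below is an added example, not something posted in the thread; it turns that two-probe comparison into a repeatable check and also prints which sources nsswitch.conf actually configures for the passwd database. It assumes glibc `getent`, OpenLDAP `ldapsearch`, and a POSIX shell; `LDAP_URI` and `LDAP_BASE` are placeholders to be set for the site being checked.

```shell
#!/bin/sh
# Added diagnostic helper (not from the mailing-list thread).
# Assumptions: glibc getent, OpenLDAP ldapsearch, POSIX sh. The LDAP
# connection values below are placeholders, not the thread's real servers.
: "${LDAP_URI:=ldap://ldap.example.invalid}"
: "${LDAP_BASE:=dc=example,dc=invalid}"

# Print the lookup sources configured for the passwd database in the given
# nsswitch.conf (comments stripped, whitespace squeezed to single spaces).
# Usage: nss_passwd_sources /etc/nsswitch.conf   -> e.g. "files ldap"
nss_passwd_sources() {
    sed 's/#.*//' "$1" \
      | awk -F: '$1 ~ /^[ \t]*passwd[ \t]*$/ { print $2 }' \
      | tr -s ' \t' ' ' \
      | sed 's/^ *//; s/ *$//'
}

# Map the two probe outcomes (nss result, ldap result; each "ok" or
# "missing") to the layer worth examining first.
diagnose() {
    case "$1/$2" in
        ok/ok)      echo "resolves everywhere" ;;
        missing/ok) echo "directory has the entry; suspect NSS (nss_ldap, ldap.conf, nscd)" ;;
        ok/missing) echo "NSS answered without the directory; check /etc/passwd and the nscd cache" ;;
        *)          echo "entry absent from directory; check the LDAP data" ;;
    esac
}

# Probe one user through NSS (getent, the same path id uses) and directly
# through LDAP, time the NSS lookup, and print a diagnosis. A slow
# "missing" from NSS beside an "ok" from LDAP is the pattern the thread
# describes.
check_user() {
    user=$1
    start=$(date +%s)
    if getent passwd "$user" >/dev/null 2>&1; then nss=ok; else nss=missing; fi
    elapsed=$(( $(date +%s) - start ))
    if ldapsearch -x -H "$LDAP_URI" -b "$LDAP_BASE" "(uid=$user)" 2>/dev/null \
         | grep -q "^uid: $user\$"; then
        ldap=ok
    else
        ldap=missing
    fi
    echo "$user: nss=$nss (${elapsed}s) ldap=$ldap"
    diagnose "$nss" "$ldap"
}

# Run only when a username is supplied, so sourcing the file has no side effects.
if [ $# -gt 0 ]; then
    echo "passwd sources: $(nss_passwd_sources /etc/nsswitch.conf)"
    for u in "$@"; do check_user "$u"; done
fi
```

Run it as `sh check_nss_ldap.sh rkramer` on the affected host and on a healthy one; the `elapsed` value makes the 10-second delay the thread mentions visible, which usually indicates nss_ldap waiting on a connection or bind timeout before giving up rather than a quick negative answer from the directory.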