
Re: Upgrade from 0.7 to 0.8 having auth problems

On Tue, 2012-11-20 at 15:03 -0600, Andy Colson wrote:
> It's a test account, the password is 'bob' :-) here are a bunch of logs:

There are some weird things going on somewhere. First nslcd shows two
requests:

> nslcd: [8b4567] DEBUG: connection from pid=24368 uid=0 gid=100
> nslcd: [8b4567] <passwd=-1> DEBUG: myldap_search(base="ou=users,dc=camavision,dc=com", filter="(&(memberOf=cn=mapper,ou=groups,dc=camavision,dc=com)(uidNumber=-1))")
[...]
> nslcd: [7b23c6] DEBUG: connection from pid=24368 uid=0 gid=100
> nslcd: [7b23c6] <passwd="andyc"> DEBUG: myldap_search(base="ou=users,dc=camavision,dc=com", filter="(&(memberOf=cn=mapper,ou=groups,dc=camavision,dc=com)(uid=andyc))")

while the NSS module seems to do three requests (the second of which is
ignored) (a little cleaned up):

> connect(3, {sa_family=AF_FILE, path="/var/run/nslcd/socket"}, 23) = 0
> sendto(3, "\1\0\0\0\352\3\0\0\377\377\377\377", 12, MSG_NOSIGNAL, NULL, 0) = 12
> read(3, "\1\0\0\0\352\3\0\0\3\0\0\0", 1024) = 12
> close(3)                                = 0
[...]
> connect(3, {sa_family=AF_FILE, path="/var/run/nslcd/socket"}, 23) = 0
> sendto(3, "\1\0\0\0\321\7\0\0\4\0\0\0andy", 16, MSG_NOSIGNAL, NULL, 0) = 16
> read(3, "", 1024)                       = 0
> close(3)                                = 0
[...]
> connect(3, {sa_family=AF_FILE, path="/var/run/nslcd/socket"}, 23) = 0
> sendto(3, "\1\0\0\0\351\3\0\0\5\0\0\0andyc", 17, MSG_NOSIGNAL, NULL, 0) = 17
> read(3, "\1\0\0\0\351\3\0\0\0\0\0\0\5\0\0\0andyc\1\0\0\0*\350\3\0\0d\0"..., 1024) = 80
> read(3, "", 1024)                       = 0
> close(3)                                = 0

The weird thing about the second request is that it is a shadow request
for user "andy" (missing the c) which for some reason doesn't show up in
nslcd.

Another interesting bit from the strace is:
open("/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)

If you are not running su under strace, does nslcd show the shadow
lookup? Did the strace output and nslcd debug output match the same try?

A wild guess, but could you try nss-pam-ldapd 0.8.10?

Lastly, is the user andy or andyc in /etc/passwd or /etc/shadow?

I'll have another look tomorrow.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
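
Added example, not part of the original message and not nss-pam-ldapd code: a small decoder for the three sendto() payloads quoted from the strace, which makes the version, action and argument of each request readable and checks whether the declared name length matches the bytes sent. The action labels and the little-endian int32 layout are assumptions read off this thread's logs and the reply's description of them.

```python
import re
import struct

# Action labels inferred from this thread (nslcd debug lines plus the reply's
# reading of the strace); they are assumptions, not copied from nslcd.h.
ACTIONS = {
    1001: ("passwd by name", "string"),
    1002: ("passwd by uid", "int32"),
    2001: ("shadow by name", "string"),
}
_ESCAPES = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12}

# The three sendto() payloads quoted in the message, as strace printed them.
SAMPLES = [
    r"\1\0\0\0\352\3\0\0\377\377\377\377",
    r"\1\0\0\0\321\7\0\0\4\0\0\0andy",
    r"\1\0\0\0\351\3\0\0\5\0\0\0andyc",
]

def unescape_strace(text):
    """Turn a strace string literal (octal escapes) back into raw bytes."""
    out = bytearray()
    for esc, literal in re.findall(r"\\([0-7]{1,3}|.)|([^\\])", text, re.S):
        if literal:
            out += literal.encode("latin-1")
        elif esc[0] in "01234567":
            out.append(int(esc, 8) & 0xFF)
        else:
            out.append(_ESCAPES.get(esc, ord(esc)))
    return bytes(out)

def decode_request(payload):
    """Decode one request; little-endian int32 fields, as in the capture."""
    version, action = struct.unpack_from("<ii", payload, 0)
    label, kind = ACTIONS.get(action, ("unknown", None))
    result = {"version": version, "action": action, "label": label}
    if kind == "int32":
        (result["arg"],) = struct.unpack_from("<i", payload, 8)
    elif kind == "string":
        (declared,) = struct.unpack_from("<i", payload, 8)
        name = payload[12:]
        result["arg"] = name.decode("ascii", "replace")
        # True means the declared length matches the bytes actually sent.
        result["length_ok"] = declared == len(name)
    return result

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_request(unescape_strace(sample)))
```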