Root denied login if networking down
- From: Tiago Cruz <tiago.tuxkiller [at] gmail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Root denied login if networking down
- Date: Wed, 26 Feb 2014 20:46:01 -0300
Hello guys!
I would like to know why I can't log in as root (ssh, sudo or su -) when my LDAP is down or when I have some outage in my network.
How to reproduce the problem:
- Just change your DNS to something that does not work (example: nameserver 100.0.2.2)
1-) Try to log in using ssh as root (yes, I know this is ugly!)
The /var/log/secure says:
Feb 26 18:45:39 vmcentos5 sshd[6311]: Accepted password for root from 10.0.2.2 port 59717 ssh2
Feb 26 18:46:19 vmcentos5 sshd[6311]: nss-ldap: do_open: do_start_tls failed:stat=-1
Feb 26 18:46:59 vmcentos5 sshd[6311]: nss-ldap: do_open: do_start_tls failed:stat=-1
Feb 26 18:46:59 vmcentos5 sshd[6311]: nss_ldap: could not search LDAP server - Server is unavailable
But you can't get the prompt to work.
2-) Try to log in using "su -", enable debug and you'll see:
[tiago.cruz@vmcentos5 ~]$ su -
ldap_create
ldap_url_parse_ext(ldap://ldap.dc1.com)
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.dc1.com:389
ldap_connect_to_host: getaddrinfo failed: Temporary failure in name resolution
ldap_unbind
ldap_create
ldap_url_parse_ext(ldap://ldap.dc2.com)
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.dc2.com:389
ldap_connect_to_host: getaddrinfo failed: Temporary failure in name resolution
ldap_unbind
ldap_err2string
ldap_msgfree
So, my questions are:
- Why can't I get the shell to work?
- Why does 'su -' try to connect to LDAP even when becoming root, even with 'nss_initgroups_ignoreusers root' in my ldap.conf?
- How can I completely ignore LDAP when I can't reach any of them?
I suspect something is missing in my PAM configuration; that's why I'm asking here :) I hope I'm on the correct list!
Thanks!
--
-- Tiago Cruz
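As an added example (not part of Tiago's post or of nss-pam-ldapd), a small Python correlation over the /var/log/secure excerpt above: it groups sshd lines by PID and flags sessions where a password or key was accepted but the same process then logged nss_ldap errors, the signature of a login that authenticated locally and then stalled on directory lookups. The "alice" line is a constructed control entry with no NSS errors.

```python
import re
from collections import defaultdict

# Constructed sample: the post's /var/log/secure lines plus one clean control session.
SAMPLE_SECURE_LOG = """\
Feb 26 18:45:39 vmcentos5 sshd[6311]: Accepted password for root from 10.0.2.2 port 59717 ssh2
Feb 26 18:46:19 vmcentos5 sshd[6311]: nss-ldap: do_open: do_start_tls failed:stat=-1
Feb 26 18:46:59 vmcentos5 sshd[6311]: nss-ldap: do_open: do_start_tls failed:stat=-1
Feb 26 18:46:59 vmcentos5 sshd[6311]: nss_ldap: could not search LDAP server - Server is unavailable
Feb 26 18:50:02 vmcentos5 sshd[6400]: Accepted publickey for alice from 10.0.2.3 port 40010 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
# nss_ldap logs under both spellings ("nss-ldap:" and "nss_ldap:")
NSS_LDAP_RE = re.compile(r"^nss[-_]ldap: ")


def find_stalled_logins(log_text):
    """Return one dict per sshd session that authenticated and then logged
    nss_ldap errors from the same PID, i.e. auth succeeded but the
    post-auth NSS lookups (passwd/group/initgroups) were failing."""
    sessions = {}               # pid -> details from the "Accepted ..." line
    errors = defaultdict(list)  # pid -> nss_ldap error messages seen afterwards
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        acc = ACCEPTED_RE.match(msg)
        if acc:
            sessions[pid] = {"pid": pid, "user": acc["user"], "method": acc["method"],
                             "src": acc["src"], "ts": m["ts"]}
        elif NSS_LDAP_RE.match(msg) and pid in sessions:
            errors[pid].append(msg)
    return [
        dict(s, nss_errors=errors[pid],
             backend_unavailable=any("Server is unavailable" in e for e in errors[pid]))
        for pid, s in sessions.items() if errors[pid]
    ]


if __name__ == "__main__":
    for hit in find_stalled_logins(SAMPLE_SECURE_LOG):
        print(f"{hit['ts']} pid={hit['pid']} user={hit['user']} from={hit['src']} "
              f"nss_ldap_errors={len(hit['nss_errors'])} unavailable={hit['backend_unavailable']}")
```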