
nslcd: error writing to client broken pipe




Hello, I am working with an Ubuntu 12.04 server, running nss-pam-ldapd 0.8.4. Under moderate network load (60-70 users), a number of errors start to pop up in logs and people have trouble authenticating to their Samba shares. If I check on nslcd it returns that the service is still running, but running a getent passwd takes a very long time to list the users in LDAP.


Errors like this start to stack up in the syslog:
Aug 29 11:10:04 filesrv nslcd[17768]: [0463f1] <passwd="user1"> error writing to client: Broken pipe
Aug 29 11:10:16 filesrv nslcd[17768]: [294578] <passwd="user2"> error writing to client: Broken pipe
Aug 29 11:10:22 filesrv nslcd[17768]: [8c83ab] <passwd="user3"> error writing to client: Broken pipe
Aug 29 11:10:22 filesrv nslcd[17768]: [f19f38] <passwd="user4"> error writing to client: Broken pipe
Aug 29 11:10:22 filesrv nslcd[17768]: [e135e2] <passwd="user5"> error writing to client: Broken pipe
Aug 29 11:10:34 filesrv nslcd[17768]: [ef4674] <passwd="user6"> error writing to client: Broken pipe
Aug 29 11:10:37 filesrv nslcd[17768]: [8fa025] <passwd="user7"> error writing to client: Broken pipe
Aug 29 11:10:40 filesrv nslcd[17768]: [b37489] <passwd="user8"> error writing to client: Broken pipe
Aug 29 11:10:40 filesrv nslcd[17768]: [a75f95] <passwd="user9"> error writing to client: Broken pipe
Aug 29 11:10:43 filesrv nslcd[17768]: [daabd1] <passwd="user10"> error writing to client: Broken pipe

Also appearing at random intervals are the following messages:
Aug 29 11:45:11 filesrv nslcd[18304]: [00529a] <group=11005> error writing to client: Broken pipe
Aug 29 11:45:11 filesrv nslcd[18304]: [05b331] <group=11005> error writing to client: Broken pipe

And I am seeing some errors that look like this:
Aug 29 12:05:53 filesrv nslcd[18304]: [becc2d] error reading from client: Connection reset by peer
Aug 29 12:05:53 filesrv nslcd[18304]: [c28c6e] error reading from client: Connection reset by peer

One morning following such an episode my logwatch log showed that nslcd had segfaulted.


The following is my nslcd config in /etc/nslcd.conf:
uid nslcd-user
gid nslcd-user

map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory

sasl_mech GSSAPI
sasl_realm MYCO.LOCAL
krb5_ccname /var/run/nslcd/nslcd.tkt

uri ldap://90.20.10.13/

base dc=myco,dc=local

uri ldap://90.20.10.14/



Output starting the daemon in debug:

nslcd: DEBUG: add_uri(ldap://90.20.10.13/)
nslcd: DEBUG: add_uri(ldap://90.20.10.14/)
nslcd: version 0.8.4 starting
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(1000) done
nslcd: DEBUG: setuid(1000) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=15004 uid=0 gid=0
nslcd: [8b4567] <passwd=10062> DEBUG: myldap_search(base="dc=myco,dc=local", filter="(&(objectClass=posixAccount)(uidNumber=10062))")
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_initialize(ldap://90.20.10.13/)
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://90.20.10.13/")
nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local")
nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local")
nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to ldap://myco.local/CN=Configuration,DC=myco,DC=local
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://myco.local/CN=Configuration,DC=myco,DC=local")
nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [8b4567] <passwd=10062> DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=15004 uid=0 gid=0
nslcd: [7b23c6] <group/member="user1"> DEBUG: myldap_search(base="dc=myco,dc=local", filter="(&(objectClass=posixAccount)(samAccountName=user1))")
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_initialize(ldap://90.20.10.13/)
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://90.20.10.13/")
nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <group/member="user1"> DEBUG: myldap_search(base="dc=myco,dc=local", filter="(&(objectClass=posixGroup)(|(memberUid=user1)(member=CN=user1,OU=employees,OU=accounts,DC=myco,DC=local)))")
nslcd: [7b23c6] <group/member="user1"> DEBUG: rebinding to ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local")
nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <group/member="user1"> DEBUG: rebinding to ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local")
nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <group/member="user1"> DEBUG: rebinding to ldap://myco.local/CN=Configuration,DC=myco,DC=local
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://myco.local/CN=Configuration,DC=myco,DC=local")
nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_result(): end of results




The following is the result of starting nslcd in debug:
Dependencies of nslcd:
ii  adduser                                     3.113ubuntu2                        add and remove users and groups
ii  debconf                                     1.5.42ubuntu1                       Debian configuration management system
ii  libc6                                       2.15-0ubuntu10.6                    Embedded GNU C Library: Shared libraries
ii  libgssapi-krb5-2                            1.10+dfsg~beta1-2ubuntu0.5          MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libldap-2.4-2                               2.4.28-1.1ubuntu4.4                 OpenLDAP libraries

Recommended:
ii  bind9-host           1:9.8.1.dfsg.P1-4ubu Version of 'host' bundled with BIND 9.X
ii  host                 1:9.8.1.dfsg.P1-4ubu Transitional package
ii  ldap-utils           2.4.28-1.1ubuntu4.4  OpenLDAP utilities
ii  libnss-ldapd         0.8.4ubuntu0.3       NSS module for using LDAP as a naming service
ii  libpam-ldapd         0.8.4ubuntu0.3       PAM module for using LDAP as an authentication service


We are using the k5start service to constantly renew credentials and are contacting Active Directory domain controllers as our LDAP servers. Any insight into the errors would be appreciated! Also any improvements that can be made to the config or to improve communication with AD in general would be greatly appreciated. Let me know if there is any additional info I should include. Thanks!

If this is not the place to post such a question I apologize.

-nwhite
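
Added example, not part of the original post: a Python script that groups nslcd log lines by the bracketed session id and counts GSSAPI binds, referral rebinds and client-side errors per request. The sample lines are copied (abridged) from the logs in the post; `summarize`, `SAMPLE` and the regex names are this example's own.

```python
import re
from collections import defaultdict

# One nslcd line, syslog or debug form: "[session] <request> message".
LINE = re.compile(
    r"nslcd(?:\[\d+\])?: \[(?P<sid>[0-9a-f]{6})\] "
    r"(?:<(?P<req>[^>]*)> )?(?:DEBUG: )?(?P<msg>.*)"
)
REBIND = re.compile(r"rebinding to \w+://([^/]+)")  # host of the referral URI
CLIENT_ERR = re.compile(r"error (?:writing to|reading from) client: (.+)")

def summarize(lines):
    """Return {session_id: stats} with bind, referral and client-error data."""
    stats = defaultdict(lambda: {"request": None, "binds": 0,
                                 "referrals": [], "client_errors": []})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # no session id, e.g. "nslcd: accepting connections"
        s = stats[m["sid"]]
        s["request"] = m["req"] or s["request"]
        msg = m["msg"]
        if msg.startswith("ldap_sasl_interactive_bind_s("):
            s["binds"] += 1
        elif (r := REBIND.match(msg)):
            s["referrals"].append(r.group(1))
        elif (e := CLIENT_ERR.match(msg)):
            s["client_errors"].append(e.group(1))
    return dict(stats)

# Lines copied (abridged) from the debug output and syslog excerpts in the post.
SAMPLE = [
    'nslcd: [8b4567] DEBUG: connection from pid=15004 uid=0 gid=0',
    'nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://90.20.10.13/")',
    'nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local',
    'nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local")',
    'nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local',
    'nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local")',
    'nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to ldap://myco.local/CN=Configuration,DC=myco,DC=local',
    'nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://myco.local/CN=Configuration,DC=myco,DC=local")',
    'Aug 29 11:10:04 filesrv nslcd[17768]: [0463f1] <passwd="user1"> error writing to client: Broken pipe',
    'Aug 29 12:05:53 filesrv nslcd[18304]: [becc2d] error reading from client: Connection reset by peer',
]

if __name__ == "__main__":
    for sid, s in summarize(SAMPLE).items():
        print(sid, s["request"], s["binds"], s["referrals"], s["client_errors"])
```

Run over the debug output in the post, session 8b4567 shows four GSSAPI binds and three referral rebinds for a single passwd lookup.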
