nslcd: error writing to client broken pipe

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Nathan White <njwhite777 [at] gmail.com>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: nslcd: error writing to client broken pipe
Date: Fri, 29 Aug 2014 17:54:01 -0400

Hello, I am working with a Ubuntu 12.04 server, running nss-pam-ldapd 0.8.4. Under moderate network load (60-70 users), a number of errors start to pop up in logs and people have trouble authenticating to their samba shares. If I check on nslcd it returns that the service is still running, but running a getent passwd takes a very long time to list the users in ldap.

Errors like this start to stack up in the syslog:
Aug 29 11:10:04 filesrv nslcd[17768]: [0463f1] <passwd="user1"> error writing to client: Broken pipe
Aug 29 11:10:16 filesrv nslcd[17768]: [294578] <passwd="user2"> error writing to client: Broken pipe
Aug 29 11:10:22 filesrv nslcd[17768]: [8c83ab] <passwd="user3"> error writing to client: Broken pipe
Aug 29 11:10:22 filesrv nslcd[17768]: [f19f38] <passwd="user4"> error writing to client: Broken pipe
Aug 29 11:10:22 filesrv nslcd[17768]: [e135e2] <passwd="user5"> error writing to client: Broken pipe
Aug 29 11:10:34 filesrv nslcd[17768]: [ef4674] <passwd="user6"> error writing to client: Broken pipe
Aug 29 11:10:37 filesrv nslcd[17768]: [8fa025] <passwd="user7"> error writing to client: Broken pipe
Aug 29 11:10:40 filesrv nslcd[17768]: [b37489] <passwd="user8"> error writing to client: Broken pipe
Aug 29 11:10:40 filesrv nslcd[17768]: [a75f95] <passwd="user9"> error writing to client: Broken pipe
Aug 29 11:10:43 filesrv nslcd[17768]: [daabd1] <passwd="user10"> error writing to client: Broken pipe

Also appearing at random intervals are the following message:
Aug 29 11:45:11 filesrv nslcd[18304]: [00529a] <group=11005> error writing to client: Broken pipe
Aug 29 11:45:11 filesrv nslcd[18304]: [05b331] <group=11005> error writing to client: Broken pipe

And I am seeing some errors that look like this:
Aug 29 12:05:53 filesrv nslcd[18304]: [becc2d] error reading from client: Connection reset by peer
Aug 29 12:05:53 filesrv nslcd[18304]: [c28c6e] error reading from client: Connection reset by peer

One morning following such an episode my logwatch log showed that nslcd had segfaulted.

The following is my nslcd config in /etc/nslcd.conf
uid nslcd-user
gid nslcd-user

map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory

sasl_mech GSSAPI
sasl_realm MYCO.LOCAL
krb5_ccname /var/run/nslcd/nslcd.tkt

uri ldap://90.20.10.13/

base dc=myco,dc=local

uri ldap://90.20.10.14/

Output starting the daemon in debug:

nslcd: DEBUG: add_uri(ldap://90.20.10.13/)

nslcd: DEBUG: add_uri(ldap://90.20.10.14/)

nslcd: version 0.8.4 starting

nslcd: DEBUG: setgroups(0,NULL) done

nslcd: DEBUG: setgid(1000) done

nslcd: DEBUG: setuid(1000) done

nslcd: accepting connections

nslcd: [8b4567] DEBUG: connection from pid=15004 uid=0 gid=0

nslcd: [8b4567] <passwd=10062> DEBUG: myldap_search(base="dc=myco,dc=local", filter="(&(objectClass=posixAccount)(uidNumber=10062))")

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_initialize(ldap://90.20.10.13/)

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_rebind_proc()

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://90.20.10.13/")

nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any

nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local")

nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any

nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local")

nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any

nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to ldap://myco.local/CN=Configuration,DC=myco,DC=local

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://myco.local/CN=Configuration,DC=myco,DC=local")

nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any

nslcd: [8b4567] <passwd=10062> DEBUG: ldap_result(): end of results

nslcd: [7b23c6] DEBUG: connection from pid=15004 uid=0 gid=0

nslcd: [7b23c6] <group/member="user1"> DEBUG: myldap_search(base="dc=myco,dc=local", filter="(&(objectClass=posixAccount)(samAccountName=user1))")

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_initialize(ldap://90.20.10.13/)

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_rebind_proc()

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://90.20.10.13/")

nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any

nslcd: [7b23c6] <group/member="user1"> DEBUG: myldap_search(base="dc=myco,dc=local", filter="(&(objectClass=posixGroup)(|(memberUid=user1)(member=CN=user1,OU=employees,OU=accounts,DC=myco,DC=local)))")

nslcd: [7b23c6] <group/member="user1"> DEBUG: rebinding to ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local")

nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any

nslcd: [7b23c6] <group/member="user1"> DEBUG: rebinding to ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local")

nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any

nslcd: [7b23c6] <group/member="user1"> DEBUG: rebinding to ldap://myco.local/CN=Configuration,DC=myco,DC=local

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://myco.local/CN=Configuration,DC=myco,DC=local")

nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any

nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_result(): end of results

The following is the result of starting nslcd in debug:
Dependencies of nslcd:
ii adduser                                     3.113ubuntu2                        add and remove users and groups
ii debconf                                     1.5.42ubuntu1                       Debian configuration management system
ii libc6                                       2.15-0ubuntu10.6                    Embedded GNU C Library: Shared libraries
ii libgssapi-krb5-2                            1.10+dfsg~beta1-2ubuntu0.5          MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libldap-2.4-2                               2.4.28-1.1ubuntu4.4                 OpenLDAP libraries

Recommended:
ii bind9-host           1:9.8.1.dfsg.P1-4ubu Version of 'host' bundled with BIND 9.X
ii host                 1:9.8.1.dfsg.P1-4ubu Transitional package
ii ldap-utils           2.4.28-1.1ubuntu4.4 OpenLDAP utilities
ii libnss-ldapd         0.8.4ubuntu0.3       NSS module for using LDAP as a naming service
ii libpam-ldapd         0.8.4ubuntu0.3       PAM module for using LDAP as an authentication service

We are using the k5start service to constantly renew credentials and are contacting active directory domain controllers as our ldap servers. Any insight to the errors would be appreciated! Also any improvements that can be made to the config or to improve communication with AD in general would be greatly appreciated. Let me know if there is any additional info I should include. Thanks!

If this is not the place to post such a question I apologize.

-nwhite

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

nslcd: error writing to client broken pipe, Nathan White

Re: nslcd: error writing to client broken pipe, Berend De Schouwer

Prev by Date: [PATCH] don't log "No such object" errors when a user is not found
Next by Date: Re: nslcd: error writing to client broken pipe
Previous by thread: Re: [PATCH] don't log "No such object" errors when a user is not found
Next by thread: Re: nslcd: error writing to client broken pipe