Re: nslcd: error writing to client broken pipe

[Berend De Schouwer <berend [at] deschouwer.co.za>]

0.8.4 is old, so I would suggest upgrading to 0.8.14 or the 0.9.x 
series.  We have experienced crashes on old(er) nslcds.

My only experience with slow getent was due to an overloaded LDAP 
server.  Creating extra indexes on the LDAP server fixed that problem.  
That was an OpenLDAP server, and CPU usage was low, but I/O usage was 
high.  Hence getent was slow.

Employing an additional cache like nsscache for reverse lookups 
(id->name) vs. (name->id) in /etc/nsswitch.conf might reduce the amount 
of LDAP lookups.  Keep lookups local if possible.  This can be a good 
choice if you don't delete users every 5 minutes.


On Fri, 29 Aug, 2014 at 11:54 , Nathan White <njwhite777@gmail.com> 
wrote:
> Hello, I am working with a Ubuntu 12.04 server, running nss-pam-ldapd 
> 0.8.4. Under moderate network load (60-70 users), a number of errors 
> start to pop up in logs and people have trouble authenticating to 
> their samba shares. If I check on nslcd it returns that the service 
> is still running, but running a getent passwd takes a very long time 
> to list the users in ldap.
>
>
> Errors like this start to stack up in the syslog:
> Aug 29 11:10:04 filesrv nslcd[17768]: [0463f1] <passwd="user1"> error 
> writing to client: Broken pipe
> Aug 29 11:10:16 filesrv nslcd[17768]: [294578] <passwd="user2"> error 
> writing to client: Broken pipe
> Aug 29 11:10:22 filesrv nslcd[17768]: [8c83ab] <passwd="user3"> error 
> writing to client: Broken pipe
> Aug 29 11:10:22 filesrv nslcd[17768]: [f19f38] <passwd="user4"> error 
> writing to client: Broken pipe
> Aug 29 11:10:22 filesrv nslcd[17768]: [e135e2] <passwd="user5"> error 
> writing to client: Broken pipe
> Aug 29 11:10:34 filesrv nslcd[17768]: [ef4674] <passwd="user6"> error 
> writing to client: Broken pipe
> Aug 29 11:10:37 filesrv nslcd[17768]: [8fa025] <passwd="user7"> error 
> writing to client: Broken pipe
> Aug 29 11:10:40 filesrv nslcd[17768]: [b37489] <passwd="user8"> error 
> writing to client: Broken pipe
> Aug 29 11:10:40 filesrv nslcd[17768]: [a75f95] <passwd="user9"> error 
> writing to client: Broken pipe
> Aug 29 11:10:43 filesrv nslcd[17768]: [daabd1] <passwd="user10"> 
> error writing to client: Broken pipe
>
> Also appearing at random intervals are the following message:
> Aug 29 11:45:11 filesrv nslcd[18304]: [00529a] <group=11005> error 
> writing to client: Broken pipe
> Aug 29 11:45:11 filesrv nslcd[18304]: [05b331] <group=11005> error 
> writing to client: Broken pipe
>
> And I am seeing some errors that look like this:
> Aug 29 12:05:53 filesrv nslcd[18304]: [becc2d] error reading from 
> client: Connection reset by peer
> Aug 29 12:05:53 filesrv nslcd[18304]: [c28c6e] error reading from 
> client: Connection reset by peer
>
> One morning following such an episode my logwatch log showed that 
> nslcd had segfaulted.
>
>
> The following is my nslcd  config in /etc/nslcd.conf
> uid nslcd-user
> gid nslcd-user
>
> map passwd uid samAccountName
> map passwd homeDirectory unixHomeDirectory
>
> sasl_mech GSSAPI
> sasl_realm MYCO.LOCAL
> krb5_ccname /var/run/nslcd/nslcd.tkt
>
> uri ldap://90.20.10.13/
>
> base dc=myco,dc=local
>
> uri ldap://90.20.10.14/
>
>
>
> Output starting the daemon in debug:
> nslcd: DEBUG: add_uri(ldap://90.20.10.13/)
> nslcd: DEBUG: add_uri(ldap://90.20.10.14/)
> nslcd: version 0.8.4 starting
> nslcd: DEBUG: setgroups(0,NULL) done
> nslcd: DEBUG: setgid(1000) done
> nslcd: DEBUG: setuid(1000) done
> nslcd: accepting connections
> nslcd: [8b4567] DEBUG: connection from pid=15004 uid=0 gid=0
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> myldap_search(base="dc=myco,dc=local", 
> filter="(&(objectClass=posixAccount)(uidNumber=10062))")
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_initialize(ldap://90.20.10.13/)
> nslcd: [8b4567] <passwd=10062> DEBUG: ldap_set_rebind_proc()
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_sasl_interactive_bind_s(NULL,"GSSAPI") 
> (uri="ldap://90.20.10.13/";)
> nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked 
> for sasl_authzid but we don't have any
> nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked 
> for sasl_authzid but we don't have any
> nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to 
> ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_sasl_interactive_bind_s(NULL,"GSSAPI") 
> (uri="ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local";)
> nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked 
> for sasl_authzid but we don't have any
> nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to 
> ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_sasl_interactive_bind_s(NULL,"GSSAPI") 
> (uri="ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local";)
> nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked 
> for sasl_authzid but we don't have any
> nslcd: [8b4567] <passwd=10062> DEBUG: rebinding to 
> ldap://myco.local/CN=Configuration,DC=myco,DC=local
> nslcd: [8b4567] <passwd=10062> DEBUG: 
> ldap_sasl_interactive_bind_s(NULL,"GSSAPI") 
> (uri="ldap://myco.local/CN=Configuration,DC=myco,DC=local";)
> nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked 
> for sasl_authzid but we don't have any
> nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked 
> for sasl_authzid but we don't have any
> nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked 
> for sasl_authzid but we don't have any
> nslcd: [8b4567] <passwd=10062> DEBUG: do_sasl_interact(): were asked 
> for sasl_authzid but we don't have any
> nslcd: [8b4567] <passwd=10062> DEBUG: ldap_result(): end of results
> nslcd: [7b23c6] DEBUG: connection from pid=15004 uid=0 gid=0
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> myldap_search(base="dc=myco,dc=local", 
> filter="(&(objectClass=posixAccount)(samAccountName=user1))")
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_initialize(ldap://90.20.10.13/)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_set_rebind_proc()
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_set_option(LDAP_OPT_DEREF,0)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_set_option(LDAP_OPT_TIMELIMIT,0)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_set_option(LDAP_OPT_TIMEOUT,0)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_sasl_interactive_bind_s(NULL,"GSSAPI") 
> (uri="ldap://90.20.10.13/";)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): 
> were asked for sasl_authzid but we don't have any
> nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): 
> were asked for sasl_authzid but we don't have any
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> myldap_search(base="dc=myco,dc=local", 
> filter="(&(objectClass=posixGroup)(|(memberUid=user1)(member=CN=user1,OU=employees,OU=accounts,DC=myco,DC=local)))")
> nslcd: [7b23c6] <group/member="user1"> DEBUG: rebinding to 
> ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_sasl_interactive_bind_s(NULL,"GSSAPI") 
> (uri="ldap://ForestDnsZones.myco.local/DC=ForestDnsZones,DC=myco,DC=local";)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): 
> were asked for sasl_authzid but we don't have any
> nslcd: [7b23c6] <group/member="user1"> DEBUG: rebinding to 
> ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_sasl_interactive_bind_s(NULL,"GSSAPI") 
> (uri="ldap://DomainDnsZones.myco.local/DC=DomainDnsZones,DC=myco,DC=local";)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): 
> were asked for sasl_authzid but we don't have any
> nslcd: [7b23c6] <group/member="user1"> DEBUG: rebinding to 
> ldap://myco.local/CN=Configuration,DC=myco,DC=local
> nslcd: [7b23c6] <group/member="user1"> DEBUG: 
> ldap_sasl_interactive_bind_s(NULL,"GSSAPI") 
> (uri="ldap://myco.local/CN=Configuration,DC=myco,DC=local";)
> nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): 
> were asked for sasl_authzid but we don't have any
> nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): 
> were asked for sasl_authzid but we don't have any
> nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): 
> were asked for sasl_authzid but we don't have any
> nslcd: [7b23c6] <group/member="user1"> DEBUG: do_sasl_interact(): 
> were asked for sasl_authzid but we don't have any
> nslcd: [7b23c6] <group/member="user1"> DEBUG: ldap_result(): end of 
> results
>
>
>
> The following is the result of starting nslcd in debug:
> Dependencies of nslcd:
> ii  adduser                                     3.113ubuntu2          
>               add and remove users and groups
> ii  debconf                                     1.5.42ubuntu1         
>               Debian configuration management system
> ii  libc6                                       2.15-0ubuntu10.6      
>               Embedded GNU C Library: Shared libraries
> ii  libgssapi-krb5-2                            
> 1.10+dfsg~beta1-2ubuntu0.5          MIT Kerberos runtime libraries - 
> krb5 GSS-API Mechanism
> ii  libldap-2.4-2                               2.4.28-1.1ubuntu4.4   
>               OpenLDAP libraries
>
> Recommended:
> ii  bind9-host           1:9.8.1.dfsg.P1-4ubu Version of 'host' 
> bundled with BIND 9.X
> ii  host                 1:9.8.1.dfsg.P1-4ubu Transitional package
> ii  ldap-utils           2.4.28-1.1ubuntu4.4  OpenLDAP utilities
> ii  libnss-ldapd         0.8.4ubuntu0.3       NSS module for using 
> LDAP as a naming service
> ii  libpam-ldapd         0.8.4ubuntu0.3       PAM module for using 
> LDAP as an authentication service
>
>
> We are using the k5start service to constantly renew credentials and 
> are contacting active directory domain controllers as our ldap 
> servers.  Any insight to the errors would be appreciated!  Also any 
> improvements that can be made to the config or to improve 
> communication with AD in general would be greatly appreciated.  Let 
> me know if there is any additional info I should include.  Thanks!
>
> If this is not the place to post such a question I apologize.
>
> -nwhite

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/