
group query regression?

Hello
We recently upgraded from Ubuntu 14.04 to 16.04 with nss-pam-ldapd version
0.8.13 to 0.9.6.
We use LDAP authentication on a samba4 server for our Linux workstations, but with the latest version we can get a user query but not a group query!

getent passwd some_user -> ok
getent group some_group -> fails (with the rebind)

I've managed to track down the problem and noticed if I compiled version 0.9.2 it works again, but starting from 0.9.3 it fails.

We currently use the 0.9.2 version to be able to log in our users, but it would be better if we can fix the problem in the packages. Right? Below I included some debug info of version 0.9.2 and 0.9.6. Any ideas? Thank you for your support!

--
Met vriendelijke groet/Kind regards
Philippe Serbruyns
IT-manager TELIN

Department for Telecommunications and Information Processing (TELIN)
Ghent University     St-Pietersnieuwstraat 41,  B-9000 Gent, Belgium
Philippe.Serbruyns [at] UGent.be       https://telin.ugent.be/~ps/
tel:+32-9-264-8909                     https://twitter.com/phiser678


*****
This is debug info from version 0.9.2, after a "getent group group1" which works:

nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.6
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,never)
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid nslcd
nslcd: DEBUG: CFG: gid 132
nslcd: DEBUG: CFG: uri ldap://samba4server/
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: binddn cn=nslcd-connect,cn=Users,dc=thisdomain
nslcd: DEBUG: CFG: bindpw ***
nslcd: DEBUG: CFG: base dc=thisdomain
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectClass=posixAccount)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=shadowAccount)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map passwd homeDirectory unixHomeDirectory
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 60
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl off
nslcd: DEBUG: CFG: tls_reqcert never
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 600
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: pam_password_prohibit_message "Not implemented, use samba-tool"
nslcd: version 0.9.2 starting
nslcd: DEBUG: initgroups("nslcd",132) done
nslcd: DEBUG: setgid(132) done
nslcd: DEBUG: setuid(126) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=10302 uid=0 gid=0
nslcd: [8b4567] <group="group1"> DEBUG: myldap_search(base="dc=thisdomain", filter="(&(objectClass=posixGroup)(cn=group1))")
nslcd: [8b4567] <group="group1"> DEBUG: ldap_initialize(ldap://samba4server/)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/")
nslcd: [8b4567] <group="group1"> DEBUG: ldap_result(): CN=group1,OU=Groups,DC=thisdomain
nslcd: [8b4567] <group="group1"> DEBUG: rebinding to ldap://samba4server/CN=Configuration,DC=thisdomain
nslcd: [8b4567] <group="group1"> DEBUG: ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/CN=Configuration,DC=thisdomain")
nslcd: [8b4567] <group="group1"> DEBUG: ldap_result(): end of results (1 total)


****
This is the current version in Ubuntu 16.04, after a "getent group group1",
same /etc/nslcd.conf!

nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.6
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,never)
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid nslcd
nslcd: DEBUG: CFG: gid 132
nslcd: DEBUG: CFG: uri ldap://samba4server/
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: binddn cn=nslcd-connect,cn=Users,dc=thisdomain
nslcd: DEBUG: CFG: bindpw ***
nslcd: DEBUG: CFG: base dc=thisdomain
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectClass=posixAccount)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=shadowAccount)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map passwd homeDirectory unixHomeDirectory
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 60
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl off
nslcd: DEBUG: CFG: tls_reqcert never
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 600
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: pam_password_prohibit_message "Not implemented, use samba-tool"
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: version 0.9.6 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",132) done
nslcd: DEBUG: setgid(132) done
nslcd: DEBUG: setuid(126) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=10228 uid=0 gid=0
nslcd: [8b4567] <group="group1"> DEBUG: myldap_search(base="dc=thisdomain", filter="(&(objectClass=posixGroup)(cn=group1))")
nslcd: [8b4567] <group="group1"> DEBUG: ldap_initialize(ldap://samba4server/)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <group="group1"> DEBUG: ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/")
nslcd: [8b4567] <group="group1"> DEBUG: ldap_result(): CN=group1,OU=Groups,DC=thisdomain
nslcd: [8b4567] <group="group1"> DEBUG: rebinding to ldap://samba4server/CN=Configuration,DC=thisdomain
nslcd: [8b4567] <group="group1"> DEBUG: ldap_simple_bind_s("cn=nslcd-connect,cn=Users,dc=thisdomain","***") (uri="ldap://samba4server/CN=Configuration,DC=thisdomain")
nslcd: [8b4567] <group="group1"> ldap_result() failed: Can't contact LDAP server
nslcd: [8b4567] <group="group1"> DEBUG: ldap_abandon()
nslcd-orig: ../../../../libraries/liblber/io.c:222: ber_flush2: Assertion `sb != NULL' failed.
Aborted (core dumped)
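
Added example, not part of the original post and not nss-pam-ldapd code: one way to compare two nslcd debug traces like the ones above, listing the CFG settings that appear only in the newer log and the first request step where the traces diverge. The function names parse and compare are made up for this sketch, and the two log excerpts are constructed from lines shown in the post.

```python
import re

# Constructed excerpts modelled on the two traces in the post (mail-wrapped lines kept).
LOG_092 = """\
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: [8b4567] DEBUG: connection from pid=10302 uid=0 gid=0
nslcd: [8b4567] <group="group1"> DEBUG: rebinding to
ldap://samba4server/CN=Configuration,DC=thisdomain
nslcd: [8b4567] <group="group1"> DEBUG: ldap_result(): end of results (1 total)
"""
LOG_096 = """\
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: [8b4567] DEBUG: connection from pid=10228 uid=0 gid=0
nslcd: [8b4567] <group="group1"> DEBUG: rebinding to
ldap://samba4server/CN=Configuration,DC=thisdomain
nslcd: [8b4567] <group="group1"> ldap_result() failed: Can't contact LDAP server
nslcd: [8b4567] <group="group1"> DEBUG: ldap_abandon()
"""

PREFIX = re.compile(r"^nslcd[\w-]*: ")
REQUEST = re.compile(r"^nslcd[\w-]*: \[[0-9a-f]+\] (?:<[^>]*> )?(?:DEBUG: )?(.*)$")

def parse(text):
    """Return (set of CFG settings, list of per-request trace steps)."""
    lines = []
    for raw in text.splitlines():
        if PREFIX.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:  # continuation of a line wrapped by the mail client
            lines[-1] += " " + raw.strip()
    cfg, trace = set(), []
    for line in lines:
        if "DEBUG: CFG: " in line:
            cfg.add(line.split("DEBUG: CFG: ", 1)[1])
        elif (m := REQUEST.match(line)):
            # Process ids differ between runs; mask them so they do not count as a change.
            trace.append(re.sub(r"pid=\d+", "pid=N", m.group(1)))
    return cfg, trace

def compare(old, new):
    """Settings only in the new log, and the first trace step that differs."""
    (cfg_a, tr_a), (cfg_b, tr_b) = parse(old), parse(new)
    n = min(len(tr_a), len(tr_b))
    i = next((k for k in range(n) if tr_a[k] != tr_b[k]), n)
    step = (tr_a[i] if i < len(tr_a) else None, tr_b[i] if i < len(tr_b) else None)
    return sorted(cfg_b - cfg_a), i, step

if __name__ == "__main__":
    print(compare(LOG_092, LOG_096))
```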