04-28-2011, 02:52 PM
John Hodrien

LDAPs causing System Message Bus to hang when there's no network

On Thu, 28 Apr 2011, Mattias Geniar wrote:

>> Did you include nss_initgroups_ignoreusers in your /etc/ldap.conf?
>>
>> nss_initgroups_ignoreusers root,ldap
>>
>> Brgds
>
> Hi Benjamin,
>
> I tried that, but that just makes it hang upon the next service trying
> to start (in our case: a zabbix monitoring daemon running as
> zabbix/zabbix).
>
> It works, if I include the entire list of all "local" users/groups that
> can be ignored. However, that's not feasible when doing mass-deploys on
> varied systems.
>
> If there's a way to simply say "ignore all users with UIDs < 500" that
> could be a work-around I can live with, but it doesn't appear there is.

I'd hope you'd see these problems almost entirely go away in future with a
switch to sssd rather than nss_ldap, as it makes the whole process a lot more
stateful and aware of what's going on.

Having an rc.local that does an nsswitch.conf twiddle is probably a viciously
robust way of dealing with this problem...

jh
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
04-28-2011, 02:53 PM
Scott Robbins

LDAPs causing System Message Bus to hang when there's no network

On Thu, Apr 28, 2011 at 04:21:58PM +0200, Mattias Geniar wrote:
> Hi Everyone,
>
>
> So that's pretty straight forward. My LDAP systems are running fine, and
> I can authenticate to them.
>
> However, the problem: when the client boots *without network
> connectivity*, the server gets stuck/hangs at "Start System Message
> Bus". I've tracked this down to the following known bug in Redhat, but
> it dates back to early 2010.
> https://bugzilla.redhat.com/show_bug.cgi?id=182464#c46

Yes, the bug is actually older than that---Don't know if it's only RH
based systems (as so many things seem to work everywhere but RH and
their offshoots) or ldap.
You should be able to fix it by changing /etc/ldap.conf. There is a
default commented line in there

#bind_policy hard

Uncomment it, change it to soft. (On the client.) Note this is
/etc/ldap.conf--in Fedora, if that's the client, I believe it's now
/etc/pam_ldap.conf or possibly /etc/nss_ldap.conf.

I can't find the earlier bug at first glance, but it's FAR older than
2010, and they never bothered to fix it.


> Has anyone else ever solved this to still be able to keep the group ldap
> entry in nsswitch.conf without having a server hang on boot if there's
> no network?

See above. Darn, I wish I could find that older bug, so that I could go
to the newer one you mention and point out that they've been unable to
fix it for far longer than a year. (I might do it anyway)

Grouchily yours, (Not at you, at RH for being unable to get such a
basic thing to work--actually, at one point, Fedora changed bind_policy
to soft so that it would work, but now they're back to the broken way.)


--
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Principal Snyder: It's fuzzy-minded liberal thinking like that
that gets you eaten.
04-28-2011, 02:56 PM
Scott Robbins

LDAPs causing System Message Bus to hang when there's no network

On Thu, Apr 28, 2011 at 03:52:44PM +0100, John Hodrien wrote:
> On Thu, 28 Apr 2011, Mattias Geniar wrote:
>
> > could be a work-around I can live with, but it doesn't appear there is.
>
> I'd hope you'd see these problems almost entirely go away in future with a
> switch to sssd rather than nss_ldap, as it makes the whole process a lot more
> stateful and aware of what's going on.
>

Fear not, Fedora has managed to have that break things for many people
too.

I see they just closed the bug with a won't fix, though the fix is known
and available.


> Having an rc.local that does an nsswitch.conf twiddle is probably a viciously
> robust way of dealing with this problem...

Unnecessary too. See my earlier email.

I might as well give a link to my ldap page, so if anyone else comes
across this, they can see the issue mentioned with fix.

http://home.roadrunner.com/~computertaijutsu/ldap.html


--
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Buffy: You sound like Mr. Initiative! 'Demons bad,
people good.'
Riley: Something wrong with that theorem?
04-28-2011, 03:12 PM
John Hodrien

LDAPs causing System Message Bus to hang when there's no network

On Thu, 28 Apr 2011, Scott Robbins wrote:

> On Thu, Apr 28, 2011 at 03:52:44PM +0100, John Hodrien wrote:
>> On Thu, 28 Apr 2011, Mattias Geniar wrote:
>>
>>> could be a work-around I can live with, but it doesn't appear there is.
>>
>> I'd hope you'd see these problems almost entirely go away in future with a
>> switch to sssd rather than nss_ldap, as it makes the whole process a lot more
>> stateful and aware of what's going on.
>>
>
> Fear not, Fedora has managed to have that break things for many people
> too.
>
> I see they just closed the bug with a won't fix, though the fix is known
> and available.
>
>
>> Having an rc.local that does an nsswitch.conf twiddle is probably a viciously
>> robust way of dealing with this problem...
>
> Unnecessary too. See my earlier email.
>
> I might as well give a link to my ldap page, so if anyone else comes
> across this, they can see the issue mentioned withfix.
>
> http://home.roadrunner.com/~computertaijutsu/ldap.html

bind_policy soft isn't a panacea in my experience. I've had failures that
aren't fixed with this (I've had udev go into a world of its own stopping the
machine booting).

nss_ldap's just a bit sucky by design. It lacks any caching, and nscd simply
isn't in a position to provide it in a sane manner. Performance with large
directories and nested groups is terrible unless you completely avoid
enumeration of groups which breaks some tools.

jh
04-28-2011, 03:17 PM
Scott Robbins

LDAPs causing System Message Bus to hang when there's no network

On Thu, Apr 28, 2011 at 05:03:55PM +0200, Mattias Geniar wrote:


>
> Hi Scott,
>
> In case you're wondering, this is about the oldest entry (2006):
> https://bugzilla.redhat.com/show_bug.cgi?id=186527
>
> The bind_policy didn't seem to have the wanted effect with me, it kept
> trying to connect to LDAP server even after 10+ failed attempts, taking
> 1m50s on each and every attempt.
>
> I read quite a few topics on that solving the issue, but it didn't seem
> to be that case in my environment.
> Are there other workarounds/tips if the bind_policy doesn't work? The
> rc.local hack seems ... ugly ... and embarrassing if a client would
> ever find it out. :-)

Agreed. I've never known that fix to not work though.

(Thanks for the input, will have to add that it doesn't work in all
cases to my page).

--

Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Spike: Should I really trust you?
Adam: Scout's honor.
Spike: You were a Boy Scout?
Adam: Parts of me.
04-28-2011, 03:22 PM
John Hodrien

LDAPs causing System Message Bus to hang when there's no network

On Thu, 28 Apr 2011, Mattias Geniar wrote:

> I read quite a few topics on that solving the issue, but it didn't seem
> to be that case in my environment.
> Are there other workarounds/tips if the bind_policy doesn't work? The
> rc.local hack seems ... ugly ... and embarrassing if a client would
> ever find it out. :-)

Automatic generation of the nss_initgroups_ignoreusers line on boot? A
creative patch to nss_ldap?

Current versions of sssd look really promising to me (I tested against a
candidate for RHEL 6.1), and offer workable performance compared to a heavily
hacked nss_ldap against a large LDAP tree (much better than an unmodified
nss_ldap).

I also seemed to recall that bind_policy soft potentially opened you up to
security issues. An allow all, deny denied-people would let someone in if
ldap timed out. Variations on that would presumably leak if you throw nscd
into the mix.

Newer versions of nss_ldap support nss_initgroups_minimum_uid 500, so
presumably that has a good chance of solving your problem.

jh
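
As an added example, not code from the thread or from nss_ldap, the POSIX shell script below implements the "generate the ignoreusers line on boot" idea: it builds nss_initgroups_ignoreusers from the local passwd file for every account below the UID 500 threshold discussed above and splices it into ldap.conf, replacing any existing (commented or live) line. The file paths, the passwd entries and the ldap.conf fragment are constructed stand-ins for this demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Generate the nss_initgroups_ignoreusers
# line from the local passwd file so that every local system account (UID below
# the threshold, 500 on CentOS 5) is skipped by nss_ldap's initgroups lookup,
# then splice it into ldap.conf. Intended for an rc.local-style boot hook that
# runs before LDAP-dependent services; paths and sample data are constructed.

# Print "nss_initgroups_ignoreusers a,b,c" for accounts in $1 with UID < $2.
gen_ignoreusers() {
    users=$(awk -F: -v max="$2" '
        NF >= 3 && $3 < max { printf "%s%s", sep, $1; sep = "," }' "$1")
    [ -n "$users" ] || return 1
    printf 'nss_initgroups_ignoreusers %s\n' "$users"
}

# Replace the first nss_initgroups_ignoreusers line in $1 (commented or not)
# with $2; append $2 when the file has no such line yet.
set_ignoreusers() {
    conf=$1 line=$2
    if grep -q '^[# ]*nss_initgroups_ignoreusers' "$conf"; then
        awk -v line="$line" '
            /^[# ]*nss_initgroups_ignoreusers/ && !done { print line; done = 1; next }
            { print }' "$conf" >"$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s\n' "$line" >>"$conf"
    fi
}

# Constructed stand-ins for /etc/passwd and /etc/ldap.conf.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat >"$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
zabbix:x:499:499:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin
mattias:x:1000:1000:LDAP-managed account:/home/mattias:/bin/bash
EOF
cat >"$WORK/ldap.conf" <<'EOF'
base dc=example,dc=com
#nss_initgroups_ignoreusers root,ldap
bind_policy hard
EOF

# Generate the line (root,dbus,haldaemon,zabbix; mattias is above the cut-off)
# and write it over the commented default.
LINE=$(gen_ignoreusers "$WORK/passwd" 500)
set_ignoreusers "$WORK/ldap.conf" "$LINE"
cat "$WORK/ldap.conf"
```

Pointing it at the real /etc/passwd and /etc/ldap.conf only covers accounts that exist locally, which is exactly the set the thread says must be excluded for early-boot daemons.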
04-28-2011, 03:37 PM
Steve Thompson

LDAPs causing System Message Bus to hang when there's no network

On Thu, 28 Apr 2011, Benjamin Hackl wrote:

> On Thu, 28 Apr 2011 16:21:58 +0200
> "Mattias Geniar" <mattias@nucleus.be> wrote:
>
>> Here's my /etc/ldap.conf file:
>
> Did you include nss_initgroups_ignoreusers in your /etc/ldap.conf?
>
> nss_initgroups_ignoreusers root,ldap

This works:

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus

-Steve
04-28-2011, 04:28 PM
Paul Heinlein

LDAPs causing System Message Bus to hang when there's no network

On Thu, 28 Apr 2011, Steve Thompson wrote:

> This works:
>
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus

We use a slightly longer version:

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

I suspect, however, that the extra users listed in our setup aren't
the cause of the hangups...

--
Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/
04-28-2011, 05:31 PM
Craig White

LDAPs causing System Message Bus to hang when there's no network

On Thu, 2011-04-28 at 09:28 -0700, Paul Heinlein wrote:
> On Thu, 28 Apr 2011, Steve Thompson wrote:
>
> > This works:
> >
> > nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus
>
> We use a slightly longer version:
>
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>
> I suspect, however, that the extra users listed in our setup aren't
> the cause of the hangups...
----
I use the following to prevent hanging at startup with LDAP.

nss_initgroups_ignoreusers root,ldap,bacula,named
timelimit 30
bind_timelimit 30
bind_policy soft

This is because some daemons start prior to the start of OpenLDAP
service.

Obviously adding haldaemon, dbus, radvd, tomcat, etc. or other 'users'
for daemons that launch prior to your LDAP server application is useful
but those users would have to be listed in /etc/passwd|group to
significantly benefit.

Craig


04-29-2011, 06:49 PM
Devin Reade

LDAPs causing System Message Bus to hang when there's no network

--On Thursday, April 28, 2011 10:53:52 AM -0400 Scott Robbins
<scottro@nyc.rr.com> wrote:

> On Thu, Apr 28, 2011 at 04:21:58PM +0200, Mattias Geniar wrote:

>> I've tracked this down to the following known bug in Redhat, but
>> it dates back to early 2010.
>> https://bugzilla.redhat.com/show_bug.cgi?id=182464#c46
>
> Yes, the bug is actually older than that

*sigh*

Yes, I've been tripping up on this one, on and off, since 2006 in FC5.

AFAIK, nobody ever looked into my strace comment of
<https://bugzilla.redhat.com/show_bug.cgi?id=182464#c10>, although
<https://bugzilla.redhat.com/show_bug.cgi?id=182464#c46> (four years
later) seems related. Probably moot now anyway as nobody is interested
in fixing it since sssd will cure all ills and bring world peace.
(Insert sarcasm/skepticism as appropriate.)

Be aware that "bind_policy soft" may have some undesirable consequences,
depending on your environment. For example, if you have a mail server
that does user lookup based on ldap and your ldap server goes away
(before or after the mail server boots), then while your ldap server
is offline you can get mail bouncing permanently with "no such user"
rather than temporarily with "system not available" -type messages.

Mitigation strategies that I've done in the past include:
1. never using 'bind_policy soft'
2. having at least one replica LDAP server (which is a good idea anyway)
3. putting LDAP on machines which themselves are not LDAP clients,
thus ensuring that although clients may get blocked on boot that the
LDAP server itself does not

In recent CentOS 5 versions, I've had much better luck avoiding (3)
as long as, using system-config-authentication, one enables
"Local authorization is sufficient for local users" under the
Options tab.

And for the record, despite this particularly annoying bug, I'm still
a strong advocate of using LDAP for user and group provisioning.

Devin
