From: Nico Schottelius on
Hello!

As I reported in Bug 541188 [0], the ssh login to nodes with
ldap enabled for passwd, group and netgroup stops working after some time.

Steve Langasek recommended writing to this mailing list.

Does anyone have a good hint as to what the reason could be?

For now I removed "[UNAVAIL=return]" from /etc/nsswitch.conf and
"debug" from /etc/pam.d/common-auth.


Details:
--------------------------------------------------------------------------------
- login fails with

root@bach16.ethz.ch: ssh_exchange_identification: Connection closed by remote host
nicosc@bach24.ethz.ch: ssh_exchange_identification: Connection closed by remote host

- login fails for root (who is not in ldap) and ldap users

- I cannot login locally as root!

! It works again (i.e. ssh and local root), if I login locally as an LDAP user.

- It takes about 30 days to occur (or different, not yet sure)

- Using
- Debian Lenny
- libnss-ldap 261-2.1
- libnss3-1d 3.12.0-6
- libpam-krb5 3.11-4
- libpam-ldap 184-4.2
- libpam-modules 1.0.1-5+lenny1

Configurations (only those which are changed from standard debian):
--------------------------------------------------------------------------------
bach12:~# grep -v ^# /etc/libnss-ldap.conf | grep -v -e ^bindpw -e binddn
uri ldaps://ldaps01.ethz.ch ldaps://ldaps02.ethz.ch ldaps://ldaps03.ethz.ch
host ldaps01.ethz.ch ldaps02.ethz.ch ldaps03.ethz.ch
base ou=systems,ou=inf,ou=auth,o=ethz,c=ch
port 636
pam_filter objectclass=account
pam_login_attribute uid
pam_lookup_policy no
nss_base_passwd ou=users,ou=systems,ou=inf,ou=auth,o=ethz,c=ch
nss_base_group ou=Group,ou=inf,ou=auth,o=ethz,c=ch
nss_base_netgroup ou=netgroup,ou=inf,ou=auth,o=ethz,c=ch
ssl yes

tls_checkpeer no
tls_reqcert allow
tls_cacertfile /etc/ldap/ca.pem
--------------------------------------------------------------------------------
bach12:~# grep -v ^# /etc/pam.d/common-account
account required pam_unix.so broken_shadow
account sufficient pam_krb5.so minimum_uid=1001
--------------------------------------------------------------------------------
bach12:~# grep -v ^# /etc/pam.d/common-auth
auth sufficient pam_krb5.so try_first_pass minimum_uid=1001 debug
auth required pam_unix.so nullok_secure
--------------------------------------------------------------------------------
bach12:~# grep -v ^# /etc/nsswitch.conf
passwd: files ldap [UNAVAIL=return]
group: files ldap [UNAVAIL=return]
shadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: ldap
--------------------------------------------------------------------------------

Logs:
--------------------------------------------------------------------------------
syslog:

Aug 8 21:55:01 ikr3 /USR/SBIN/CRON[19476]: (root) CMD ([ -x /usr/lib/sysstat/sa1 ] && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; [ "$ENABLED" = "true" ] && exec /usr/lib/sysstat/sa1 $SA1_OPTIONS 1 1 ; })
Aug 8 21:55:01 ikr3 CRON[19474]: (pam_krb5): none: pam_sm_setcred: entry (0x8004)
Aug 8 21:55:01 ikr3 CRON[19474]: (pam_krb5): none: pam_sm_setcred: exit (success)
Aug 8 22:00:01 ikr3 CRON[19489]: (pam_krb5): none: pam_sm_setcred: entry (0x8002)
Aug 8 22:00:01 ikr3 CRON[19489]: (pam_krb5): none: no context found, creating one
Aug 8 22:00:01 ikr3 CRON[19489]: (pam_krb5): none: ignoring low-UID user (0 < 1001)
Aug 8 22:00:01 ikr3 CRON[19489]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Aug 8 22:00:01 ikr3 /USR/SBIN/CRON[19491]: (root) CMD (/usr/sbin/ntpdate time.ethz.ch > /dev/null)
Aug 8 22:00:01 ikr3 CRON[19489]: (pam_krb5): none: pam_sm_setcred: entry (0x8004)
Aug 8 22:00:01 ikr3 CRON[19489]: (pam_krb5): none: pam_sm_setcred: exit (success)
Aug 8 22:00:33 ikr3 smartd[2728]: Device: /dev/hda, SMART Usage Attribute: 194 Temperature_Celsius changed from 196 to 203
Aug 8 22:05:01 ikr3 CRON[19505]: (pam_krb5): none: pam_sm_setcred: entry (0x8002)
Aug 8 22:05:01 ikr3 CRON[19505]: (pam_krb5): none: no context found, creating one
Aug 8 22:05:01 ikr3 CRON[19505]: (pam_krb5): none: ignoring low-UID user (0 < 1001)
Aug 8 22:05:01 ikr3 CRON[19505]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Aug 8 22:05:01 ikr3 /USR/SBIN/CRON[19507]: (root) CMD ([ -x /usr/lib/sysstat/sa1 ] && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; [ "$ENABLED" = "true" ] && exec /usr/lib/sysstat/sa1 $SA1_OPTIONS 1 1 ; })
Aug 8 22:05:01 ikr3 CRON[19505]: (pam_krb5): none: pam_sm_setcred: entry (0x8004)
Aug 8 22:05:01 ikr3 CRON[19505]: (pam_krb5): none: pam_sm_setcred: exit (success)
Aug 8 22:15:01 ikr3 CRON[19532]: (pam_krb5): none: pam_sm_setcred: entry (0x8002)
Aug 8 22:15:01 ikr3 CRON[19532]: (pam_krb5): none: no context found, creating one
Aug 8 22:15:01 ikr3 CRON[19532]: (pam_krb5): none: ignoring low-UID user (0 < 1001)
Aug 8 22:15:01 ikr3 CRON[19532]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Aug 8 22:15:01 ikr3 /USR/SBIN/CRON[19534]: (root) CMD ([ -x /usr/lib/sysstat/sa1 ] && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; [ "$ENABLED" = "true" ] && exec /usr/lib/sysstat/sa1 $SA1_OPTIONS 1 1 ; })
Aug 8 22:15:01 ikr3 CRON[19532]: (pam_krb5): none: pam_sm_setcred: entry (0x8004)
Aug 8 22:15:01 ikr3 CRON[19532]: (pam_krb5): none: pam_sm_setcred: exit (success)
Aug 8 22:17:01 ikr3 CRON[19538]: User not known to the underlying authentication module
Aug 8 22:25:01 ikr3 CRON[19561]: User not known to the underlying authentication module
Aug 8 22:30:34 ikr3 smartd[2728]: Device: /dev/hda, SMART Usage Attribute: 194 Temperature_Celsius changed from 203 to 196
Aug 8 22:35:01 ikr3 CRON[19588]: User not known to the underlying authentication module
Aug 8 22:39:40 ikr3 postfix/pickup[19602]: fatal: file /etc/postfix/main.cf: parameter default_privs: unknown user name value: nobody
Aug 8 22:39:41 ikr3 postfix/master[2714]: warning: process /usr/lib/postfix/pickup pid 19602 exit status 1
Aug 8 22:39:41 ikr3 postfix/master[2714]: warning: /usr/lib/postfix/pickup: bad command startup -- throttling
Aug 8 22:40:41 ikr3 postfix/pickup[19604]: fatal: file /etc/postfix/main.cf: parameter default_privs: unknown user name value: nobody
Aug 8 22:40:42 ikr3 postfix/master[2714]: warning: process /usr/lib/postfix/pickup pid 19604 exit status 1
Aug 8 22:40:42 ikr3 postfix/master[2714]: warning: /usr/lib/postfix/pickup: bad command startup -- throttling
Aug 8 22:41:42 ikr3 postfix/pickup[19609]: fatal: file /etc/postfix/main.cf: parameter default_privs: unknown user name value: nobody
Aug 8 22:41:43 ikr3 postfix/master[2714]: warning: process /usr/lib/postfix/pickup pid 19609 exit status 1
Aug 8 22:41:43 ikr3 postfix/master[2714]: warning: /usr/lib/postfix/pickup: bad command startup -- throttling
Aug 8 22:42:43 ikr3 postfix/pickup[19614]: fatal: file /etc/postfix/main.cf: parameter default_privs: unknown user name value: nobody
Aug 8 22:42:44 ikr3 postfix/master[2714]: warning: process /usr/lib/postfix/pickup pid 19614 exit status 1
-------------------------------

This continues, until I locally login again:

-----------------------------
Aug 12 11:38:00 ikr3 postfix/master[2714]: warning: process /usr/lib/postfix/pickup pid 9523 exit status 1
Aug 12 11:38:00 ikr3 postfix/master[2714]: warning: /usr/lib/postfix/pickup: bad command startup -- throttling
Aug 12 11:45:01 ikr3 CRON[9555]: (pam_krb5): none: pam_sm_setcred: entry (0x8002)
Aug 12 11:45:01 ikr3 CRON[9555]: (pam_krb5): none: no context found, creating one
Aug 12 11:45:01 ikr3 CRON[9555]: (pam_krb5): none: ignoring low-UID user (0 < 1001)
Aug 12 11:45:01 ikr3 CRON[9555]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Aug 12 11:45:01 ikr3 /USR/SBIN/CRON[9557]: (root) CMD ([ -x /usr/lib/sysstat/sa1 ] && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; [ "$ENABLED" = "true" ] && exec /usr/lib/sysstat/sa1 $SA1_OPTIONS 1 1 ; })
Aug 12 11:45:01 ikr3 CRON[9555]: (pam_krb5): none: pam_sm_setcred: entry (0x8004)
Aug 12 11:45:01 ikr3 CRON[9555]: (pam_krb5): none: pam_sm_setcred: exit (success)
-----------------------------

The auth.log says (excerpts):

--------------------------------------------------------------------------------
Aug 8 22:00:01 ikr3 CRON[19489]: pam_unix(cron:session): session closed for user root
Aug 8 22:05:01 ikr3 CRON[19505]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 8 22:05:01 ikr3 CRON[19505]: pam_unix(cron:session): session closed for user root
Aug 8 22:15:01 ikr3 CRON[19532]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 8 22:15:01 ikr3 CRON[19532]: pam_unix(cron:session): session closed for user root
Aug 8 22:17:01 ikr3 CRON[19538]: pam_unix(cron:account): could not identify user (from getpwnam(root))
Aug 8 22:25:01 ikr3 CRON[19561]: pam_unix(cron:account): could not identify user (from getpwnam(root))
Aug 8 22:35:01 ikr3 CRON[19588]: pam_unix(cron:account): could not identify user (from getpwnam(root))
Aug 8 22:45:01 ikr3 CRON[19626]: pam_unix(cron:account): could not identify user (from getpwnam(root))

Aug 12 11:35:01 ikr3 CRON[9513]: pam_unix(cron:account): could not identify user (from getpwnam(root))
Aug 12 11:36:29 ikr3 sshd[9518]: fatal: Privilege separation user sshd does not exist
Aug 12 11:38:55 ikr3 login[2839]: (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Aug 12 11:38:55 ikr3 login[2839]: (pam_krb5): nicosc: attempting authentication as nicosc@D.ETHZ.CH
Aug 12 11:38:58 ikr3 login[2839]: (pam_krb5): nicosc: pam_sm_authenticate: exit (success)
Aug 12 11:38:58 ikr3 login[2839]: (pam_krb5): nicosc: pam_sm_setcred: entry (0x2)
Aug 12 11:38:58 ikr3 login[2839]: (pam_krb5): nicosc: initializing ticket cache FILE:/tmp/krb5cc_13270_wD32cC
Aug 12 11:38:58 ikr3 login[2839]: (pam_krb5): nicosc: pam_sm_setcred: exit (success)
Aug 12 11:38:58 ikr3 login[2839]: pam_env(login:session): Unable to open env file: /etc/default/locale: No such file or directory
Aug 12 11:38:58 ikr3 login[2839]: pam_unix(login:session): session opened for user nicosc by LOGIN(uid=0)
Aug 12 11:45:01 ikr3 CRON[9555]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 12 11:45:01 ikr3 CRON[9555]: pam_unix(cron:session): session closed for user root
Aug 12 11:45:02 ikr3 sshd[9558]: Accepted publickey for root from 129.132.130.136 port 38302 ssh2
Aug 12 11:45:02 ikr3 sshd[9558]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory
Aug 12 11:45:02 ikr3 sshd[9558]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
Aug 12 11:45:02 ikr3 sshd[9558]: (pam_krb5): none: no context found, creating one
Aug 12 11:45:02 ikr3 sshd[9558]: (pam_krb5): none: ignoring low-UID user (0 < 1001)
Aug 12 11:45:02 ikr3 sshd[9558]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Aug 12 11:45:02 ikr3 sshd[9558]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 12 11:45:02 ikr3 sshd[9560]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: No such file or directory
Aug 12 11:45:02 ikr3 sshd[9560]: (pam_krb5): none: pam_sm_setcred: entry (0x8)
Aug 12 11:45:02 ikr3 sshd[9560]: (pam_krb5): none: no context found, creating one
Aug 12 11:45:02 ikr3 sshd[9560]: (pam_krb5): none: ignoring low-UID user (0 < 1001)
Aug 12 11:45:02 ikr3 sshd[9560]: (pam_krb5): none: pam_sm_setcred: exit (failure)
--------------------------------------------------------------------------------

Thanks for any hint,

Nico


[0]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=541188

--
Currently moving *.schottelius.org to http://www.nico.schottelius.org/ ...

PGP: BFE4 C736 ABE5 406F 8F42 F7CF B8BE F92A 9885 188C
From: Ron Johnson on
On 2009-09-03 05:02, Nico Schottelius wrote:
> Hello!
>
> As I reported in Bug 541188 [0], the ssh login to nodes with
> ldap enabled for passwd, group and netgroup stops working after some time.
>
> Steve Langasek recommended writing to this mailing list.
>
> Does anyone have a good hint as to what the reason could be?
>
> For now I removed "[UNAVAIL=return]" from /etc/nsswitch.conf and
> "debug" from /etc/pam.d/common-auth.
>
>
> Details:
> --------------------------------------------------------------------------------
> - login fails with
>
> root@bach16.ethz.ch: ssh_exchange_identification: Connection closed by remote host
> nicosc@bach24.ethz.ch: ssh_exchange_identification: Connection closed by remote host
>
> - login fails for root (who is not in ldap) and ldap users
>
> - I cannot login locally as root!

I thought you said you couldn't *remotely* log in as root.

> ! It works again (i.e. ssh and local root), if I login locally as an LDAP user.
>
> - It takes about 30 days to occur (or different, not yet sure)
[snip]
> Aug 8 22:05:01 ikr3 CRON[19505]: (pam_krb5): none: ignoring low-UID user (0 < 1001)

Does the local root login failure start only after remote root
logins fail?

I'd work around this issue by not allowing remote root logins.

--
Brawndo's got what plants crave. It's got electrolytes!


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
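Ron's question about timing (does local root fail at the same moment remote root does?) is something the logs quoted earlier in the thread can answer. The detector below is an added example, not code from the thread or from Debian; it parses traditional syslog lines and reports the first time an account that lives in /etc/passwd fails to resolve, which programs that hit, and the first session opened after that. The sample log is constructed from lines quoted in the thread, the year is assumed (syslog timestamps carry none), and the set of "local" accounts is an assumption of the rule.

```python
"""Detector for the signature in the thread's logs: accounts that live in
/etc/passwd stop resolving, every program that needs getpwnam() starts
failing, and things recover after a successful login.

Added example, not code from the thread or from Debian. The sample log is
constructed from lines quoted in the thread; the year is assumed.
"""
import re
from collections import namedtuple
from datetime import datetime

LOG_YEAR = 2009   # assumption: traditional syslog timestamps have no year

SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")

# Each pattern captures the account name that failed to resolve.
LOOKUP_FAILURES = [
    re.compile(r"could not identify user \(from getpwnam\((\w+)\)\)"),   # pam_unix
    re.compile(r"Privilege separation user (\w+) does not exist"),       # sshd
    re.compile(r"unknown user name value: (\w+)"),                        # postfix
]
SESSION_OPENED = re.compile(r"session opened for user (\w+)")

# Accounts every Debian install has in /etc/passwd (rule assumption). A failed
# lookup for one of these cannot be explained by the LDAP directory being
# down, which separates this signature from an ordinary directory outage.
LOCAL_ACCOUNTS = {"root", "sshd", "nobody"}

Event = namedtuple("Event", "ts host prog pid msg")


def parse_line(line):
    """Parse one traditional syslog line; None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    pid = int(m.group(4)) if m.group(4) else None
    return Event(ts, m.group(2), m.group(3), pid, m.group(5))


def analyse(lines):
    """Scan lines in order; report the first local-account lookup failure, the
    accounts and programs it hit, and the first session opened afterwards."""
    first_failure = None
    recovered_at = recovered_by = None
    accounts, programs = set(), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for pat in LOOKUP_FAILURES:
            m = pat.search(ev.msg)
            if m and m.group(1) in LOCAL_ACCOUNTS:
                accounts.add(m.group(1))
                programs.add(ev.prog)
                if first_failure is None:
                    first_failure = ev.ts
        m = SESSION_OPENED.search(ev.msg)
        if (m and first_failure is not None and recovered_at is None
                and ev.ts > first_failure):
            recovered_at, recovered_by = ev.ts, (m.group(1), ev.prog)
    outage = (recovered_at - first_failure
              if first_failure is not None and recovered_at is not None else None)
    return {"first_failure": first_failure, "accounts": accounts,
            "programs": programs, "recovered_at": recovered_at,
            "recovered_by": recovered_by, "outage": outage}


# Constructed from lines quoted in the thread (syslog and auth.log merged).
SAMPLE_LOG = """\
Aug 8 22:15:01 ikr3 CRON[19532]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 8 22:15:01 ikr3 CRON[19532]: pam_unix(cron:session): session closed for user root
Aug 8 22:17:01 ikr3 CRON[19538]: pam_unix(cron:account): could not identify user (from getpwnam(root))
Aug 8 22:17:01 ikr3 CRON[19538]: User not known to the underlying authentication module
Aug 8 22:30:34 ikr3 smartd[2728]: Device: /dev/hda, SMART Usage Attribute: 194 Temperature_Celsius changed from 203 to 196
Aug 8 22:39:40 ikr3 postfix/pickup[19602]: fatal: file /etc/postfix/main.cf: parameter default_privs: unknown user name value: nobody
Aug 12 11:36:29 ikr3 sshd[9518]: fatal: Privilege separation user sshd does not exist
Aug 12 11:38:58 ikr3 login[2839]: pam_unix(login:session): session opened for user nicosc by LOGIN(uid=0)
Aug 12 11:45:01 ikr3 CRON[9555]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 12 11:45:02 ikr3 sshd[9558]: Accepted publickey for root from 129.132.130.136 port 38302 ssh2
"""

if __name__ == "__main__":
    r = analyse(SAMPLE_LOG.splitlines())
    print("first local-account lookup failure:", r["first_failure"])
    print("accounts affected:", sorted(r["accounts"]))
    print("programs affected:", sorted(r["programs"]))
    print("first session after failure:", r["recovered_at"], "for", r["recovered_by"])
    print("outage length:", r["outage"])
```

On the sample, the first failure is CRON's getpwnam(root) at Aug 8 22:17:01, the outage also hits postfix (nobody) and sshd's privilege-separation user, and the first session opened afterwards is the local login for nicosc on Aug 12 11:38:58; that matches the sequence Nico describes. Run against a full auth.log and syslog, the same rule gives the first-failure timestamp that answers the timing question for each incident.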
From: Nico Schottelius on
Ron Johnson [Thu, Sep 03, 2009 at 05:39:07AM -0500]:
> On 2009-09-03 05:02, Nico Schottelius wrote:
> >- login fails for root (who is not in ldap) and ldap users
> >
> >- I cannot login locally as root!
>
> I thought you said you couldn't *remotely* log in as root.

It fails for *both* ways until I login *locally* as an LDAP user.

> >! It works again (i.e. ssh and local root), if I login locally as an LDAP user.
> >
> >- It takes about 30 days to occur (or different, not yet sure)
> [snip]
> >Aug 8 22:05:01 ikr3 CRON[19505]: (pam_krb5): none: ignoring low-UID user (0 < 1001)
>
> Does the local root login failure start only after remote root
> logins fail?

Yes, afaics it's the same time (i.e. normally local root access is
possible and it also works again after I logged in as an LDAP user).

> I'd work around this issue by not allowing remote root logins.

I'm sorry, how should this fix not being able to log in via ssh at all?

Sincerely,

Nico

--
Currently moving *.schottelius.org to http://www.nico.schottelius.org/ ...

PGP: BFE4 C736 ABE5 406F 8F42 F7CF B8BE F92A 9885 188C
From: Ron Johnson on
On 2009-09-03 06:08, Nico Schottelius wrote:
> Ron Johnson [Thu, Sep 03, 2009 at 05:39:07AM -0500]:
>> On 2009-09-03 05:02, Nico Schottelius wrote:
>>> - login fails for root (who is not in ldap) and ldap users
>>>
>>> - I cannot login locally as root!
>> I thought you said you couldn't *remotely* log in as root.
>
> It fails for *both* ways until I login *locally* as an LDAP user.

Looks like a bug!

>>> ! It works again (i.e. ssh and local root), if I login locally as an LDAP user.
>>>
>>> - It takes about 30 days to occur (or different, not yet sure)
>> [snip]
>>> Aug 8 22:05:01 ikr3 CRON[19505]: (pam_krb5): none: ignoring low-UID user (0 < 1001)
>> Does the local root login failure start only after remote root
>> logins fail?
>
> Yes, afaics it's the same time (i.e. normally local root access is
> possible and it also works again after I logged in as an LDAP user).
>
>> I'd work around this issue by not allowing remote root logins.
>
> I'm sorry, how should this fix not being able to log in via ssh at all?

$ grep Root /etc/ssh/sshd_config
PermitRootLogin no

--
Brawndo's got what plants crave. It's got electrolytes!
