Bug 1401632
Summary: | nslcd fails to restarted intermittently | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Roshni <rpattath> |
Component: | nss-pam-ldapd | Assignee: | Jakub Hrozek <jhrozek> |
Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | unspecified | Docs Contact: | Lenka Špačková <lkuprova> |
Priority: | unspecified | ||
Version: | 6.9 | CC: | arthur, jhrozek, lkuprova, pkis, rpattath, tlavigne |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Known Issue | |
Doc Text: |
*nslcd* fails to resolve user or group identities when it is started before the network connection is fully up
When *nslcd*, the local LDAP name service daemon, is started before the network connection is fully up, the daemon fails to connect to an LDAP server. As a consequence, resolving user or group identities does not work. To work around this problem, start *nslcd* after the network connection is up.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2017-11-15 22:13:35 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Roshni
2016-12-05 18:37:21 UTC
Roshni, what does your pam_pkcs11 file look like. It looks like you are getting a lot of ldap failures, which may indicate some issue connecting to ldap rather than a smart card issue. bob [root@dhcp129-152 ~]# cat /etc/pam_pkcs11/pam_pkcs11.conf # # Configuration file for pam_pkcs11 module # # Version 0.4 # Author: Juan Antonio Martinez <jonsito> # pam_pkcs11 { # Allow empty passwords nullok = true; # Enable debugging support. debug = false; # If the smart card is inserted, only use it card_only = true; # Do not prompt the user for the passwords but take them from the # PAM_ items instead. use_first_pass = false; # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK # is unset. try_first_pass = false; # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been # previously set (intended for stacking password modules only). use_authtok = false; # Filename of the PKCS #11 module. The default value is "default" use_pkcs11_module = coolkey; screen_savers = gnome-screensaver,xscreensaver,kscreensaver pkcs11_module coolkey { module = libcoolkeypk11.so; description = "Cool Key" # Slot-number to use. One for the first, two for the second and so # on. The default value is zero which means to use the first slot # with an available token. slot_num = 0; # Path to the directory where the CA certificates are stored. The # directory must contain an openssl hash-link to each certificate. # The default value is /etc/pam_pkcs11/cacerts. ca_dir = /etc/pam_pkcs11/cacerts; nss_dir = /etc/pki/nssdb; # Path to the directory where the CRLs are stored. The directory # must contain an openssl hash-link to each CRL. The default value # is /etc/pam_pkcs11/crls. crl_dir = /etc/pam_pkcs11/crls; # Sets the Certificate verification policy. # "none" Performs no verification # "ca" Does CA check # "crl_online" Downloads the CRL form the location given by the # CRL distribution point extension of the certificate # "crl_offline" Uses the locally stored CRLs # "crl_auto" Is a combination of online and offline; it first # tries to download the CRL from a possibly given CRL # distribution point and if this fails, uses the local # CRLs # "ocsp_on" Turn on OCSP. # "signature" Does also a signature check to ensure that private # and public key matches # You can use a combination of ca,crl, and signature flags, or just # use "none". cert_policy = ca, signature; } pkcs11_module opensc { module = opensc-pkcs11.so; description = "OpenSC PKCS#11 module"; # Slot-number to use. One for the first, two for the second and so # on. The default value is zero which means to use the first slot # with an available token. slot_num = 0; # Path to the directory where the CA certificates are stored. The # directory must contain an openssl hash-link to each certificate. # The default value is /etc/pam_pkcs11/cacerts. ca_dir = /etc/pam_pkcs11/cacerts; # Path to the directory where the CRLs are stored. The directory # must contain an openssl hash-link to each CRL. The default value # is /etc/pam_pkcs11/crls. crl_dir = /etc/pam_pkcs11/crls; # Sets the Certificate Policy, (see above) cert_policy=ca, signature; } # Default pkcs11 module pkcs11_module default { module = /usr/$LIB/pam_pkcs11/pkcs11_module.so; description = "Default pkcs#11 module"; slot_num = 0; ca_dir = /etc/pam_pkcs11/cacerts; crl_dir = /etc/pam_pkcs11/crls; cert_policy=ca, signature; } # Which mappers ( Cert to login ) to use? # you can use several mappers: # # subject - Cert Subject to login file based mapper # pwent - CN to getpwent() login or gecos fields mapper # ldap - LDAP mapper # opensc - Search certificate in ${HOME}/.eid/authorized_certificates # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys # mail - Compare email fields from certificate # ms - Use Microsoft Universal Principal Name extension # krb - Compare againts Kerberos Principal Name # cn - Compare Common Name (CN) # uid - Compare Unique Identifier # digest - Certificate digest to login (mapfile based) mapper # generic - User defined certificate contents mapped # null - blind access/deny mapper # # You can select a comma-separated mapper list. # If used null mapper should be the last in the list :-) # Also you should select at least one mapper, otherwise # certificate will not match :-) use_mappers = cn, uid, pwent, null; # When no absolute path or module info is provided, use this # value as module search path # TODO: # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH mapper_search_path = /usr/$LIB/pam_pkcs11; # # Generic certificate contents mapper mapper generic { debug = true; module = /usr/$LIB/pam_pkcs11/generic_mapper.so; # ignore letter case on match/compare ignorecase = false; # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid" cert_item = cn; # Define mapfile if needed, else select "none" mapfile = file:///etc/pam_pkcs11/generic_mapping # Decide if use getpwent() to map login use_getpwent = false; } # Certificate Subject to login based mapper # provided file stores one or more "Subject -> login" lines mapper subject { debug = false; # module = /usr/$LIB/pam_pkcs11/subject_mapper.so; module = internal; ignorecase = false; mapfile = file:///etc/pam_pkcs11/subject_mapping; } # Search public keys from $HOME/.ssh/authorized_keys to match users mapper openssh { debug = false; module = /usr/$LIB/pam_pkcs11/openssh_mapper.so; } # Search certificates from $HOME/.eid/authorized_certificates to match users mapper opensc { debug = false; module = /usr/$LIB/pam_pkcs11/opensc_mapper.so; } # Certificate Common Name ( CN ) to getpwent() mapper mapper pwent { debug = false; ignorecase = false; module = internal; # module = /usr/$LIB/pam_pkcs11/pwent_mapper.so; } # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody" mapper null { debug = false; # module = /usr/$LIB/pam_pkcs11/null_mapper.so; module = internal ; # select behavior: always match, or always fail default_match = false; # on match, select returned user default_user = nobody ; } # Directory ( ldap style ) mapper mapper ldap { debug = false; module = /usr/$LIB/pam_pkcs11/ldap_mapper.so; # where base directory resides basedir = /etc/pam_pkcs11/mapdir; # hostname of ldap server ldaphost = "localhost"; # Port on ldap server to connect ldapport = 389; # Scope of search: 0 = x, 1 = y, 2 = z scope = 2; # DN to bind with. Must have read-access for user entries under "base" binddn = "cn=pam,o=example,c=com"; # Password for above DN passwd = "test"; # Searchbase for user entries base = "ou=People,o=example,c=com"; # Attribute of user entry which contains the certificate attribute = "userCertificate"; # Searchfilter for user entry. Must only let pass user entry for the login user. filter = "(&(objectClass=posixAccount)(uid=%s))" } # Assume common name (CN) to be the login mapper cn { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/cn_mapper.so; ignorecase = true; mapfile = file:///etc/pam_pkcs11/cn_map; } # mail - Compare email field from certificate mapper mail { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; # Declare mapfile or # leave empty "" or "none" to use no map mapfile = file:///etc/pam_pkcs11/mail_mapping; # Some certs store email in uppercase. take care on this ignorecase = true; # Also check that host matches mx domain # when using mapfile this feature is ignored ignoredomain = false; } # ms - Use Microsoft Universal Principal Name extension # UPN is in format login@ADS_Domain. No map is needed, just # check domain name. mapper ms { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/ms_mapper.so; ignorecase = false; ignoredomain = false; domain = "domain.com"; } # krb - Compare againts Kerberos Principal Name mapper krb { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/krb_mapper.so; ignorecase = false; mapfile = "none"; } # uid - Maps Subject Unique Identifier field (if exist) to login mapper uid { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/uid_mapper.so; ignorecase = false; mapfile = "none"; } # digest - elaborate certificate digest and map it into a file mapper digest { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/digest_mapper.so; # algorithm used to evaluate certificate digest # Select one of: # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160" algorithm = "sha1"; mapfile = file:///etc/pam_pkcs11/digest_mapping; # mapfile = "none"; } } OK, thanks, I don't know why you are getting ldap errors, but you are using the cn mapper, so ldap can't be the issue. I'm not able to get this to fail with my coolkey, which cards seem to work intermittently? Do you know if you are using cn, id or pwent? The latter could be having ldap issues. What is your cn_map? bob The issue is nslcd fails to start intermittently (not sure what is triggering it) The workaround to get the smartcard authentication to work is to either add a local user with the same name or manually restart nslcd service. But this workaround will not be applicable if "Smartcard only" option is enabled in authconfig, which will then not allow to login as root. The "Connection refused" errors from nslcd indicate a simple connection error to the LDAP server (nslcd will start and should keep working). The nslcd daemon has a retry and timeout mechanism to not constantly retry connecting too often. If networking is unavailable before nslcd is started it can slow down booting a bit and nslcd may remember for some time that the LDAP server is unavailable. Newer versions of nss-pam-ldapd (particularly the 0.9 series) have a nicer retry mechanism and allow receiving SIGUSR1 to immediately retry connecting to the LDAP server. I have seen some issues in starting up nslcd related to TLS (the SSL library does an exit of the application for some strange reason). As Arthur says, please check the connectivity to ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389 with e.g. ldapsearch. Note that non-standard port, perhaps there's a typo? ldapsearch from the client is successful. I am seeing the authentication issue now but noticed that nslcd is up and running. Also the I have added the port 8389 to the ldap selinux context using the command semanage port -a -t ldap_port_t -p tcp 8389. Smartcard authentication to the ldap user was successful at the first attempt after setting up the environment but after sometime I start seeing this issue. If you're seeing the authentication issue now and nslcd is throwing connection refused..are you sure you can connect to that server and search it? If yes and the issue is reproducable, I'd like to take a peek at the environment if possible.. The following was Sumit's finding "There are a lot of 'no available LDAP server found' messages from nslcd. I think the reason is the startup order. According to /var/log/messages nslcd was started before NetworkManager got the namesservers via DHCP and wrote them to /etc/resolv.conf. /etc/resolv.conf is only read at startup, so nslcd is not aware of the nameserver and hence cannot resolve the LDAP server's hostname. The boot order is ok but nslcd is started too fast or DHCP is too slow. So maybe just restart nslcd when the system is up to make sure the ldap server name can be resolved or add it to /etc/hosts." After adding the ldap server's hostname and ip address to /etc/hosts I was not seeing this issue anymore. (In reply to Roshni from comment #16) > The following was Sumit's finding > > "There are a lot of 'no available LDAP > server found' messages from nslcd. I think the reason is the startup > order. According to /var/log/messages nslcd was started before > NetworkManager got the namesservers via DHCP and wrote them to > /etc/resolv.conf. /etc/resolv.conf is only read at startup, so nslcd is > not aware of the nameserver and hence cannot resolve the LDAP server's > hostname. > > The boot order is ok but nslcd is started too fast or DHCP is too slow. > So maybe just restart nslcd when the system is up to make sure the ldap > server name can be resolved or add it to /etc/hosts." > > After adding the ldap server's hostname and ip address to /etc/hosts I was > not seeing this issue anymore. Then I don't think this issue should be marked as a testblocker, can you remove that flag? |