Bug 109359 - root cannot login if network is down and configured for NIS, LDAP, etc..
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: authconfig
Version: 3.0
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Jay Turner
Keywords: Security
Duplicates: 121451 144762 154854
Blocks: 132991 137937
Reported: 2003-11-06 19:30 EST by Bill Peck
Modified: 2015-01-07 19:06 EST (History)
Fixed In Version: RHEA-2005-205
Doc Type: Bug Fix
Last Closed: 2005-05-18 10:28:37 EDT
Description Bill Peck 2003-11-06 19:30:02 EST
Description of problem:
If the machine is configured to authenticate from NIS, LDAP, or any
other directory service and the network goes down or the server stops
responding, then local accounts will not work either.  root should
always be able to log in.  The only way around this is to either boot
in single-user mode or turn off authentication from NIS, LDAP, etc.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. configure machine to authenticate via NIS or LDAP
2. pull network cable
3. attempts to login will just bring the login prompt back
  
Actual results:
unable to login

Expected results:
should be able to login with local accounts, at least root

Additional info:
Comment 1 Suzanne Hillman 2003-11-21 10:03:00 EST
Putting into U2's Shouldfix list, after checking with Nalin.
Comment 2 Kenneth Heal 2003-12-16 15:00:09 EST
I have seen the same on a box with RH Linux 9 Kernel 2.40.20-24.9 and 
the current errata installed.  In this case we saw that when the NIS 
server was down I could not log in with the local root acct (wanted 
to disable NIS temporarily and activate a guest acct).  In the end we 
had to hard reset it (ugly); this was in spite of the nsswitch.conf 
settings.

# /etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files nis
rpc:        files
services:   files nis
netgroup:   files nis
publickey:  nisplus
automount:  files nis
# nis removed by kheal as autofs does not support sun style mounting
aliases:    files nisplus
Comment 3 Kenneth Heal 2003-12-16 15:17:22 EST
Forgot to ask the $64K question... is there a feasible config change 
or workaround at the current time?

I can imagine disabling PAM for login (not keen on that) or using NIS 
compat mode (which would be fine) as possible candidates.

Thanks!
Comment 4 Mark Roberts 2004-02-12 15:38:08 EST
This appears to be the same problem experienced in bug #55193.

There are two workarounds listed there. I have not had the opportunity
to test either. It appears that the root of the problem is in the
authconfig package, not pam itself.
Comment 5 Martin Roest 2004-03-30 02:59:32 EST
Why isn't this fixed? The bug has existed in many different distros for a
long time. I thought that RHEL would give me some support. I have a
major problem now with a server on which I can't log in anymore. I really
would appreciate it if this bug were fixed soon. The workaround is
unacceptable because the use of redhat-config-authentication will
break my config again.
Please, please fix this!
Comment 6 Jason Sauve 2004-07-19 13:07:50 EDT
"Additional Comment #1 From Suzanne Hillman (shillman@redhat.com) on 
2003-11-21 10:03 ------- 

Putting into U2's Shouldfix list, after checking with Nalin."


What happened??? It doesn't appear to be in U2 to me. I think there are 
a lot of people that would appreciate a fix.
Comment 7 Tomas Mraz 2004-12-02 10:05:24 EST
I don't see this problem on RHEL3-U3. Can anyone still reproduce it?
Comment 8 Tomas Mraz 2004-12-15 05:29:58 EST
I see the problem only with LDAP authentication.
It will be solved using optional setting in authconfig.
Comment 9 Tomas Mraz 2004-12-15 07:31:26 EST
*** Bug 121451 has been marked as a duplicate of this bug. ***
Comment 10 Michael Tonn 2004-12-23 08:57:11 EST
Can someone tell me what the optional setting to authconfig is, 
because I just updated a server to AS 3 Update 4 and the problem 
still exists.
Comment 11 Tomas Mraz 2004-12-25 14:48:08 EST
It will be added in the next update cycle.
Comment 12 Tomas Mraz 2005-01-12 03:22:19 EST
*** Bug 144762 has been marked as a duplicate of this bug. ***
Comment 13 Steve Slater 2005-03-01 17:42:49 EST
FYI, the LDAP fix we are using is to manually change the system-auth
PAM line from what authconfig spits out:

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

to add the entry authinfo_unavail=ignore.

account     [default=bad authinfo_unavail=ignore success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

Can we have authconfig add this by default? It really makes it harder
to do fully-automated builds. Thanks...
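
A check for the setting discussed in comment 13, added here as an example (it is not part of the bug report, authconfig, or Linux-PAM): it parses system-auth-style text and reports what each pam_ldap.so account line does when the module returns PAM_AUTHINFO_UNAVAIL. The function names and the sample stack are constructed for illustration; the two pam_ldap.so lines are the ones quoted in the comment.

```python
import re

# Linux-PAM's documented bracket equivalents of the simple control keywords.
SIMPLE = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
LINE_RE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed sample: a local pam_unix.so line plus the two pam_ldap.so
# account lines quoted in comment 13 (authconfig's output, then the edit).
BEFORE = """\
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""
AFTER = BEFORE.replace("[default=bad ", "[default=bad authinfo_unavail=ignore ")


def unavail_actions(text, module="pam_ldap.so", mtype="account"):
    """Return [(lineno, action)]: what each matching line does when the
    module returns PAM_AUTHINFO_UNAVAIL (directory server unreachable)."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.split("#", 1)[0])   # drop trailing comments
        if not m or m.group(1) != mtype or not m.group(3).endswith(module):
            continue
        control = SIMPLE.get(m.group(2), m.group(2))
        if not control.startswith("["):
            out.append((n, "unknown control " + control))
            continue
        acts = dict(p.split("=", 1) for p in control[1:-1].split() if "=" in p)
        # An explicit authinfo_unavail wins; otherwise "default" applies.
        out.append((n, acts.get("authinfo_unavail", acts.get("default", "unset"))))
    return out


def lockout_risks(text):
    """Lines whose action on an unreachable server fails the account stack."""
    return [(n, a) for n, a in unavail_actions(text) if a in ("bad", "die")]


if __name__ == "__main__":
    print("before:", lockout_risks(BEFORE))
    print("after: ", lockout_risks(AFTER))
```

The check covers only the account-phase result handling quoted in comment 13; it says nothing about connection timeouts such as those reported in comment 15.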
Comment 14 Tomas Mraz 2005-04-18 04:41:36 EDT
*** Bug 154854 has been marked as a duplicate of this bug. ***
Comment 15 John Van Boxtel 2005-04-27 14:24:43 EDT
(In reply to comment #13)
> FYI, the LDAP fix we are using is to manually change the system-auth
> PAM line from what authconfig spits out:
>
> add to the entry authinfo_unavail=ignore.

I have tried this on some of our boxes and it does not help, still get a timeout
trying to log in to the box.  Can you post your entire system-auth file?
Comment 16 John Van Boxtel 2005-05-02 18:53:34 EDT
Can we please get a status report from someone at Redhat on what is being done
to resolve this issue?  If you have not found a solution yet, that's cool, but
please let all of us know you are aware of the issue and looking into it.
Comment 17 Tim Powers 2005-05-18 10:28:37 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2005-088.html
Comment 20 Thave Thurai 2005-05-31 11:10:41 EDT
Hi All,
We are having the same problem with Redhat 7.2, 7.3, 8.0, 9 and with Fedora fc3.
I could not find any authconfig rpms to fix this issue. Could someone help me to 
find the exact syntax for the system-auth file to fix this issue? I tried the 
above-mentioned syntax; it does not work.