Bug 110563 - problems with ldap and hosts resolving
problems with ldap and hosts resolving
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: nss_ldap (Show other bugs)
1
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Nalin Dahyabhai
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-11-21 05:24 EST by Herbert Gasiorowski
Modified: 2009-09-14 18:27 EDT (History)
7 users (show)

See Also:
Fixed In Version: 217
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-10-25 16:40:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Herbert Gasiorowski 2003-11-21 05:24:29 EST
Description of problem:
After adding the service "ldap" after "dns" in the "hosts:" line
of /etc/nsswitch.conf most program are able to resolve hostnames
only present in ldap. But ping (and traceroute) hangs somewhere within
ldap_init
( libnss_ldap with debugging stops after: "nss_ldap: ==> ldap_init" )
and futex
( strace stops at "futex(0x375a8c, FUTEX_WAIT, 2, NULL" )

This is the same for known and unknown hosts.

How reproducible:
Always

Steps to Reproduce:
1. add "ldap" at the end of "hosts:" in /etc/nsswitch.conf
2. ping xyz
    

Actual Results:  ... never returns


Expected Results:  should ping host or return error message

Additional info:

- installation with kickstart and latest fedora core 1 updates

- "getent hosts xyz" and "getent -s "dns ldap" hosts xyz" works but 
  "getent -s "ldap" hosts xyz" hangs (as expected).
  Maybe "someone" changes the nsswitch services within ping?
Comment 1 Nalin Dahyabhai 2003-11-24 09:19:54 EST
I'm a bit confused now.  When you add ldap to the end of your "hosts"
configuration in step 1, is "dns" (or anything which can be used to
resolve your directory server's name) listed before it?

If not, then nss_ldap can't determine how to contact the directory
server to resolve the directory server's host name to an IP address,
and the whole thing will break.

Marking notabug, per fedora-list thread at
https://www.redhat.com/archives/fedora-list/2003-November/msg05373.html
Comment 2 Herbert Gasiorowski 2003-11-24 09:48:53 EST
Actually my nsswitch.conf looks like

hosts: files nis dns ldap

and all (files,nis,dns) can resolve all needed by LDAP!

All works fine with ldap BUT "ping" (and traceroute and maybe others)

PING is my problem
Comment 3 Steve Rigler 2003-11-24 15:38:01 EST
I see the same problem on RH9 after running up2date.

/etc/nsswitch.conf looks like:
hosts: files ldap dns

Name resolution doesn't work.  When I do "getent hosts" I see the 
entries from /etc/hosts and then get a segmentation fault
Comment 4 Herbert Gasiorowski 2003-11-25 02:07:16 EST
It is probably not the same Problem:

Try dns BEFORE ldap:

hosts: files dns ldap

(ldap needs the ip of the server and sometimes the hostname
of the client too, before it can resolve other addresses)
Comment 5 Steve Rigler 2003-11-25 08:34:54 EST
Maybe not the same problem, but either way it doesn't work.  With 
ldap before dns and specifying ip of directory server 
in /etc/ldap.conf and /etc/openldap/ldap.conf name queries hang.  
With dns before ldap, getent will return the entire hosts list, but 
names not in dns won't resolve and getent won't match keys from the 
hosts list.

Interestingly, this problem doesn't exist with NIS (I have to specify 
the fqdn of my NIS master for a handful of machine that aren't on the 
same subnet and can't broadcast for it).
Comment 6 Herbert Gasiorowski 2003-11-25 10:20:27 EST
A far as I remember LDAP performs a reverse lookup on the servers
ip (and maybe on the client too).

Just try dns before ldap and if that works put the needed
infos into /etc/hosts. You might need to put the host
in a line by itself with the "real ip" and the FQDN (not with 127.0.0.1)

This is what I have planned to try if my problem is solved .... someday.
Comment 7 Herbert Gasiorowski 2003-11-25 10:37:27 EST
There is another Problem with nss_ldap:

crond stops (process disappears) when a users crontab has changed :

Nov 25 15:48:41 luanda crond[25765]: (CRON) STARTUP (fork ok) 
Nov 25 15:49:00 luanda CROND[25769]: (gasi) CMD (echo Hello >>x.x) 
Nov 25 15:50:00 luanda CROND[25775]: (root) CMD (/usr/lib/sa/sa1 1 1) 
Nov 25 15:50:00 luanda CROND[25777]: (gasi) CMD (echo Hello >>x.x) 
Nov 25 15:51:00 luanda CROND[25780]: (gasi) CMD (echo Hello >>x.x) 
Nov 25 15:51:17 luanda crontab[25781]: (gasi) BEGIN EDIT (gasi) 
Nov 25 15:51:24 luanda crontab[25781]: (gasi) REPLACE (gasi) 
Nov 25 15:51:24 luanda crontab[25781]: (gasi) END EDIT (gasi) 
Nov 25 15:52:00 luanda crond[25765]: nss_ldap: reconnecting to LDAP
server...
Nov 25 15:52:00 luanda crond[25765]: nss_ldap: reconnected to LDAP
server after 
1 attempt(s)

The normal output would be (instead of nss_ldap):
Nov 25 16:14:00 luanda crond[4903]: (gasi) RELOAD (cron/gasi) 

Comment 8 Steve Rigler 2003-11-25 13:43:02 EST
Adding on to the issue of name resolution, I downloaded the source 
for nss_ldap from padl.com.  After compiling and installing, name 
resolution works fine (using hosts: files dns ldap in nsswitch.conf).
Comment 9 Nigel Wade 2004-04-07 09:22:19 EDT
Your solution didn't work for me, unfortunately.

I have downloaded and installed nss_ldap from PADL, and I am still
getting the problem of ping blocking on a futex.

The system is FC1 SMP with all current updates applied.
Comment 10 George 2004-04-13 10:26:44 EDT
I use nss_ldap-217-1 and it seems fixed most of the problems.
Comment 11 Herbert Gasiorowski 2004-05-03 09:40:51 EDT
Using LD_ASSUME_KERNEL=2.4.1 the ping problem seems to be gone
(And using FC2 Test3 and a hint from Nigel Wade@Fedora-List)

Whatever this may be (a futex lock problem) ...
Comment 12 Nigel Wade 2004-05-04 05:13:41 EDT
This seems to be related to nscd. 

If nscd is running host resolution via ldap works, if nscd isn't
running it fails.

I didn't think nscd was a requirement for host resolution with ldap.
Comment 13 Herbert Gasiorowski 2004-05-05 05:32:12 EDT
starting nscd seems to solve this problem!
Comment 14 Herbert Gasiorowski 2004-05-07 02:25:47 EDT
nscd only helps if ldap is last (or after dns) in nsswitch.conf:

With "host: files ldap dns" ping will not return again and
nscd stops working!
Comment 15 Nigel Wade 2004-05-07 04:16:31 EDT
That isn't the case here. With 

hosts:      files ldap dns

I get host resolution via LDAP. I did have to restart nscd after
changing the entry in /etc/nsswitch.conf to include ldap.
Comment 16 Herbert Gasiorowski 2004-05-07 09:20:55 EDT
Ok: I finally got it (hopefully):

I missed that some libldap does a reverse lookup on the
ip number in ldap.conf (or the like).

So I need to add the ldap-server in /etc/hosts avoiding
the endless loop (and nscd so ping will not stop in futex).
Comment 17 Peter Leinen 2004-05-25 05:58:59 EDT
I run into the same problem.

With "hosts: files ldap dns" I cant get ping ans gethostip working.

The client and the ldapserver are in /etc/hosts.

Any hint?
Comment 18 Daryll 2004-09-09 15:27:22 EDT
This one burned me as well. It hangs on the futex

Running with a local ldap server.

/etc/ldap.conf says:
host 127.0.0.1

/etc/hosts has:
127.0.0.1 localhost

/etc/nsswitch has:
hosts: files ldap dns

So forward and reverse IPs resolve

I'm running FC1, but I upgraded to 217 just to make sure.

It would hang in the futex until I ran nscd, then it worked fine.

nscd shouldn't be required.
Comment 20 Matthew Miller 2006-07-11 13:42:02 EDT
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.

Thanks!

NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.

Comment 21 John Thacker 2006-10-25 16:40:40 EDT
Closing per lack of response.  Also note that FC1 and FC2 are no longer
supported even by Fedora Legacy.  If this still occurs on FC3 or FC4, please
assign to that version and Fedora Legacy.  If it still occurs on FC5 or FC6,
please reopen and assign to the correct version.

Sounds like upgrading nss_ldap fixed it, though.

Note You need to log in before you can comment on or make changes to this bug.