Bug 167680 - nss_ldap or system-auth in pam.d aren't allowing local logins if ldap server is down
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: anaconda
Version: 3.0
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Anaconda Maintenance Team
QA Contact: Mike McLean
Reported: 2005-09-06 21:00 EDT by Michael Romero
Modified: 2007-11-30 17:07 EST
Fixed In Version: 4.3.7-3
Doc Type: Bug Fix
Last Closed: 2005-10-20 15:04:20 EDT
Attachments: None
Description Michael Romero 2005-09-06 21:00:50 EDT
Description of problem:
Accounts cannot log in when the LDAP server is not reachable.  I'm getting the following error when I try to log in locally as root..

"Authentication service cannot retrieve authentication info."

This is strange because in nsswitch.conf, it says to try files before ldap, meaning that if an account exists locally, allow it in and if the account doesn't exist locally, try the ldap server.

Please tell me there is a fix for this ? :)

Version-Release number of selected component (if applicable):
nss_ldap = 207-15, pam = 0.75-64.  

How reproducible:
Always

Steps to Reproduce:
1.  Build rhel3.5as server through kickstart using "auth --enableldap --enableldapauth --ldapserver=<hostname> --ldapbasedn=dc=yourorg,dc=com"
2.  Ensure that the hostname you provide is not an active ldap server.
3.  After the server is built, attempt to log in as root.

Actual Results:  I tried logging in as "root" (a local account) and was denied access with the following message...

"Authentication service cannot retrieve authentication info."

Expected Results:  I should have been allowed access to log in as root, which is a local account.

Additional info:

We are in the middle of a migration from static passwd/shadow/group files to an LDAP repository, and this is a huge hurdle for us.  If the LDAP server goes down, we still want people to be able to log in using local accounts.  I'm surprised this wasn't noticed?
Comment 1 Nalin Dahyabhai 2005-09-07 13:46:48 EDT
Try adding "--enablelocalauthorize" to the set of options which you're passing
to the "auth" statement.  That should modify settings so that users such as root
can still log in.  Marking closed in the current release because IIRC authconfig
in U5 includes this option.
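An added model, not code from this bug report, from authconfig or from Linux-PAM, of how a PAM "account" stack resolves a local login when the directory is unreachable, following the description and Comment 1 above. The user sets, the two stack shapes and the reading of --enablelocauthorize as a "sufficient" pam_localuser entry ahead of pam_ldap are assumptions for illustration; the control-flag semantics follow libpam's dispatcher. It shows why nsswitch.conf order alone does not help: NSS only decides whether pam_unix can see the account, the account stack still consults pam_ldap, and an unreachable server answers with PAM_AUTHINFO_UNAVAIL, the code libpam renders as the message quoted in the report.

```python
"""Model of how a Linux-PAM 'account' stack resolves a login when pam_ldap
cannot reach the directory.  Added example: not from this bug report, from
authconfig or from Linux-PAM.  The two stacks and the user sets are constructed
assumptions that mirror the shape authconfig writes, not a copy of any RHEL 3
system-auth file."""

# Constructed: who is known to the local files and who only lives in LDAP.
LOCAL_USERS = {"root", "opsadmin"}
LDAP_USERS = {"mromero"}

# Linux-PAM's expansion of the control-flag shorthands (simplified: the
# 'reset' and numeric jump actions are not modelled).
SHORTHANDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Assumed stack without local authorization: pam_ldap's bracketed control
# ignores user_unknown (so local users pass while LDAP answers) but maps an
# unreachable server (authinfo_unavail) to 'bad'.
STACK_LDAP_ONLY = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]", "pam_ldap.so"),
]

# Assumed effect of --enablelocauthorize: local accounts are authorized by
# pam_localuser before pam_ldap is consulted at all.
STACK_LOCAL_AUTHORIZE = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]", "pam_ldap.so"),
]


def parse_control(control):
    """Turn 'required' or '[default=bad success=ok ...]' into a retval -> action map."""
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return SHORTHANDS[control]


def run_module(module, user, ldap_reachable):
    """Return the PAM result code (lower-cased PAM_* name) a module would give."""
    if module == "pam_unix.so":
        # pam_unix looks the account up through NSS: files first, then ldap.
        # That is where nsswitch.conf order matters, and it is all it decides.
        visible = user in LOCAL_USERS or (ldap_reachable and user in LDAP_USERS)
        return "success" if visible else "user_unknown"
    if module == "pam_localuser.so":
        return "success" if user in LOCAL_USERS else "perm_denied"
    if module == "pam_ldap.so":
        if not ldap_reachable:
            # libpam renders PAM_AUTHINFO_UNAVAIL as "Authentication service
            # cannot retrieve authentication info", the message in the report.
            return "authinfo_unavail"
        return "success" if user in LDAP_USERS else "user_unknown"
    raise ValueError("unmodelled module: %s" % module)


def evaluate_stack(stack, user, ldap_reachable):
    """Walk the stack the way libpam's dispatcher does; return the final code."""
    impression = None   # None = undecided, True = positive, False = negative
    status = None
    for control, module in stack:
        ret = run_module(module, user, ldap_reachable)
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        if action in ("ok", "done"):
            # Only a stack with no earlier failure can still turn out positive.
            if impression is None or (impression and status == "success"):
                impression, status = True, ret
            if impression and action == "done":
                break   # 'sufficient' succeeded: stop here
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, ret   # the first failure is remembered
            if action == "die":
                break
        # 'ignore': the module's result has no effect on the outcome
    return status if impression is not None else "perm_denied"


if __name__ == "__main__":
    for name, stack in (("ldap only", STACK_LDAP_ONLY), ("local authorize", STACK_LOCAL_AUTHORIZE)):
        for user in ("root", "mromero"):
            for up in (True, False):
                print("%-16s %-8s ldap %-4s -> %s" % (name, user, "up" if up else "down",
                                                      evaluate_stack(stack, user, up)))
```

Running it prints one line per stack, user and directory state; the "ldap only" stack returns authinfo_unavail for root once the directory is down, while the "local authorize" stack returns success for root in both states and still denies the LDAP-only user when the directory is unreachable.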
Comment 2 Michael Romero 2005-09-07 17:00:34 EDT
I added "--enablelocalauthorize" to the auth line in my kickstart config; now I
get an error during kickstart anaconda that states that this is an unknown
option.  More specifically...

TypeError: bad argument --enablelocalauthorize: unknown option

You mentioned that U5 includes this option, but I'm experiencing this issue 
with U5 (3.5).  Is this only an option when running the "authconfig" command 
and not when using the "auth" line in a kickstart.cfg ?
Comment 4 Michael Romero 2005-09-07 17:04:42 EDT
I just found out it's "--enablelocauthorize", testing now..
Comment 5 Michael Romero 2005-09-07 17:11:47 EDT
While "--enablelocauthorize" is an option to the version of authconfig that
comes with 3.5, it doesn't seem to accept it as an option when passing it
through the "auth" line in kickstart.

Shouldn't this be supported straight off of kickstart? Or do I need to circle
back around and put the authconfig command in my post section?
Comment 6 Nalin Dahyabhai 2005-09-07 19:13:20 EDT
That the docs suggest the option is named "--enablelocalauthorize" when it is
actually "--enablelocauthorize" looks like a bug in authconfig.  Anaconda also
apparently needs to be updated to recognize one or the other as an argument in
kickstart.

In the interim, you can omit it from the kickstart section, and call authconfig
directly in the %post section like so:
  authconfig --kickstart --enableldap --enableldapauth --ldapserver=<hostname> --ldapbasedn=dc=yourorg,dc=com --enablelocauthorize
Comment 7 Nalin Dahyabhai 2005-09-07 19:21:39 EDT
My mistake: I was going off of the package changelog in naming the option.  I
assume you read the output of "authconfig --help", which gave you the correct name.
Comment 8 Michael Romero 2005-09-07 19:29:29 EDT
Yep, authconfig --help.  So there's a disconnect between the options available in
authconfig and the options available through anaconda's "auth" command, it seems?
Comment 9 Jeremy Katz 2005-09-07 20:13:54 EDT
anaconda in RHEL[34] doesn't pass through unrecognized options.  In the future
(FC5 and RHEL5), we just pass the arguments directly to authconfig --kickstart
to avoid having to update as new options are added. 
Comment 10 Michael Romero 2005-09-07 21:09:10 EDT
That doesn't match what I'm seeing here.  We are running RHEL 3.5 and tried
passing the --enablelocauthorize flag in the "auth" line of our kickstart
config to anaconda, and I got back the message stating that --enablelocauthorize
was an invalid option.
Comment 11 Tomas Mraz 2005-09-08 02:42:20 EDT
'anaconda in RHEL[34] doesn't pass through unrecognized options' is exactly what
you see.
Reassigning to anaconda.
Comment 12 Chris Lumens 2005-10-20 15:04:20 EDT
This problem is resolved in the next release of Red Hat Enterprise Linux. Red
Hat does not currently plan to provide a resolution for this in a Red Hat
Enterprise Linux update for currently deployed systems.  Anaconda will handle
the authconfig line as a string and pass it straight to the program.

With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects.
