Red Hat Bugzilla – Bug 174064
Root login fails with ldap in nsswitch.conf and newtork cable plugged out
Last modified: 2015-01-07 19:11:14 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Description of problem:
When we use ldap for passwd, shadow, group lookup in /etc/nsswitch.conf, the root user login to the virtual console fails with the network cable plugged out.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok audit debug
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow audit
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow audit
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so audit
passwd: files ldap
shadow: files ldap
group: files ldap
But surprisingly the login is successful when I remove ldap only for 'group' entry in /etc/nsswitch.conf (i.e. with 'group: files' only passwd, shadow still set to use ldap).
Ideally, ldap look up should not be done for local users. But I find that even under normal conditions, ldap lookup is done for local users - I confirmed this by snooping the network packets with ethereal. Even if it is so, with the network cable pulled out, at least nss_ldap should time out after 60 seconds (as per ldap.conf) and the login should succeed. I reduced the timelimit to even 1 and still it failed.
OS level="Red Hat Enterprise Linux ES release 4 (Nahant)"
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use ldap for passwd, group, shadow in /etc/nsswitch.conf
2. Pull out the network cable
3. Login as root through the virtual console
Actual Results: Get an error message that 'login timedout after 60 seconds' and the prompt returns to "login:"
Expected Results: Root should have logged in successfully.
This is expected behavior -- group membership is additive, so it's valid for
users whose passwd entries originate from local files to be listed as members of
groups which are defined on the network, and vice-versa.
I think you're getting multiple requests to the directory server here, so even
with the timeouts you've defined, you're still exceeding the 60 second limit
because the time limits apply to each request. (I expect that a login via a
graphical desktop or sshd isn't going to hit a timeout.) Try a lower time
limit, which I think will improve the situation.
Closing as won't-fix because the additive-groups behavior isn't intended to change.
*** Bug 174100 has been marked as a duplicate of this bug. ***