Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 291401

Summary: cannot authenticate against active directory with nss-ldap
Product: Red Hat Enterprise Linux 5 Reporter: Dominic Lepiane <dominicl>
Component: nss_ldapAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: medium    
Version: 5.0CC: dpal, etzion.bar-noy, jplans, sputhenp
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-05-05 19:32:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Installation notes none

Description Dominic Lepiane 2007-09-14 18:15:20 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

Description of problem:
After configuring RHEL5 server to use Windows 2003 Active Directory servers for user authentication, certain processes usually hang when I try to get user info.  I am just using pam-ldap and nss-ldap so my nsswitch.conf has "files ldap".  I will attach my configuration notes, they are fairly exhaustive.

Version-Release number of selected component (if applicable):
nss_ldap-253-3

How reproducible:
Always


Steps to Reproduce:
(see attached)

Actual Results:
id <username> hangs, 100% cpu utilization, no output
nscd also goes up to 100% cpu utilization
sshd process for user log hangs when user tried to login (after they provide uid)
getent passwd and getent passwd <username> both work

Expected Results:
id <username> should immediately return user info (homedir, shell, etc)

Additional info:
selinux now disabled, nscd off, nothing comes up in syslog.  Some users I can get "id" info back right away, some take time, but most just don't return.
Comment 1 Dominic Lepiane 2007-09-14 18:16:05 UTC 
Created attachment 196061 [details]
Installation notes
Comment 2 Dominic Lepiane 2007-09-14 18:17:09 UTC 
System is RHEL 5, all updates
Linux 2.6.18-8.1.10.el5 #1 SMP Thu Aug 30 20:43:28 EDT 2007 x86_64 x86_64 x86_64
GNU/Linux
2 x Xeon dual-core (4 cores total)
4 GB ram
Comment 3 Dominic Lepiane 2007-09-14 18:24:08 UTC 
I've seen mention of bindpolicy soft vs. hard, non-existant "nvram" group, and
comments about using a non-SMP kernel but with various random platforms... I
just don't see anything in syslog and I am getting as far as getting getent
passwd working so this really seems like a bug of some sort.
Comment 4 Etzion Bar-Noy 2009-06-05 18:04:56 UTC 
I was able to reproduce this problem on RHEL5.2 and RHEL5.3 with the same configuration as used by RHEL4.
On RHEL4 it is working correctly, while on RHEL5 CPU utilization is sky-high. 
I attempted some tcpdump on the session to find it queries the DC and does not get answer.

The problem disappeared when I entered "ldap_version 2" to /etc/ldap.conf and waited for a short while (killing all processes using 100% CPU)
Comment 5 Nalin Dahyabhai 2010-05-04 22:44:19 UTC 
That this doesn't trigger a problem with "ldap_version 2" suggests that this might be related to referral processing, which isn't something the client even tries to do unless ldap_version is set to (or left at the default value of) 3.

The 5.5 build links with a newer version of openldap that fixed a few things in this area (notably #472920).  Does it make a difference here?

As an aside, you may want to try setting "nss_initgroups backlink" in ldap.conf to make use of the group membership information AD prefers clients use -- there's a good chance it'll be faster.
Comment 6 Dominic Lepiane 2010-05-04 23:39:50 UTC 
It's been a while and I don't remember the work-around, but I've been using "referrals no".  I tried removing "referrals no" which definitely used to give me problems, and it works fine now (nss_ldap-253-22.el5_4).  So maybe this is fixed?  I have also been using different attribute mappings than what's been provided with the stock config in the past.

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute gecos name
nss_map_attribute cn sAMAccountName
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User

Everything else is fairly stock / generic.  System config otherwise works with authconfig.

I just tried adding the nss_initgroups backlink as well.  This does not appear to have significant impact for our site.

Thanks
Comment 7 Dmitri Pal 2010-05-05 19:32:24 UTC 
It seems that the problem is addressed in the later versions of the nss_ldap.
Closing the bug.