Description of problem:
When using nss_ldap to authenticate against Active Directory (w2k3R2), the following issue occurs when the Active Directory is down: you cannot log in on the console, even as root.

Version-Release number of selected component (if applicable):
227

How reproducible:
Standard Red Hat Linux install.

ldap.conf:
#--
host be03ibm002iasw8.intra.local
base dc=intra,dc=local
uri ldap://be03ibm002iasw8.intra.local
ldap_version 3
binddn cn=interdig,cn=Users,dc=intra,dc=local
#bindpw {SSHA}tMLGH0XRRbqQuK7tunlVZKUy9mcOHYmH
bindpw Fr1kandel
# The SSL part comes later
ssl no
scope sub
# Active Directory mapping tinkering
pam_password md5
pam_login_attribute sAMAccountName
scope sub
timelimit 30
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass homeDirectory unixHomeDirectory
#nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup group
nss_map_attribute gecos name
nss_map_attribute uniqueMember member
nss_map_attribute userPassword authPassword
nss_map_objectclass posixGroup group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute uid sAMAccountName
#nss_map_attribute uidNumber msSFU30UidNumber
#nss_map_attribute gidNumber msSFU30GidNumber
#nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute userPassword msSFU30Password
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
#--- end of ldap.conf

(changed part of) nsswitch.conf:
#---
passwd: files ldap
shadow: files ldap
group: files ldap
automount: files ldap
#---

/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_tally.so deny=3 reset no_magic_root
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 random=0 enforce=everyone
password sufficient /lib/security/$ISA/pam_unix.so remember=6 use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so

# /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = INTRA.LOCAL
 #default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 # default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 INTRA.LOCAL = {
  kdc = 10.250.1.4:88
  admin_server = 10.250.1.4:749
  default_domain = INTRA.LOCAL
 }
[domain_realm]
 .intra.local = be03ibm002iasw8.INTRA.LOCAL
 intra.local = be03ibm002iasw8.INTRA.LOCAL
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Steps to Reproduce:
1. Create a user record on the AD, with UNIX attributes.
2. Test if this works.
3. Unplug AD / shutdown also good :-)

Actual results:
You cannot log in as root on the console, nor as any other user.

Expected results:
To be able to log in as any local user.

Additional info:
This problem is gone after recompiling nss_ldap from PADL and installing it over the vendor package. Solution must be vendor supported.
I've faced a similar problem when using OpenLDAP: if my LDAP server is down I am unable to log in via any local user on the console. The workaround I have is to change these in the /etc/nsswitch.conf:

passwd: files [!NOTFOUND=return] ldap
shadow: files [!NOTFOUND=return] ldap
group: files [!NOTFOUND=return] ldap

This seems to work for me.

Tom
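Added here as an illustration (not part of the bug report, nor code from nss_ldap or glibc): a small Python model of glibc's nsswitch.conf status/action rules, used to compare the reporter's `passwd: files ldap` with the `[!NOTFOUND=return]` spelling from the comment above. It assumes the documented defaults (SUCCESS=return, every other status continue), models only a single-database lookup such as getpwnam (not initgroups' group merging), and the outcome tables fed to it are constructed.

```python
import re

# glibc nsswitch.conf status values and their default actions: a successful
# lookup stops the search, any other status falls through to the next service.
STATUSES = ("success", "notfound", "unavail", "tryagain")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_nsswitch_line(line):
    """Parse one database line, e.g. 'passwd: files [!NOTFOUND=return] ldap',
    into (database, [(service, {status: action}), ...])."""
    db, _, spec = line.partition(":")
    entries = []
    # a bracketed action list may contain spaces, so keep it as one token
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not tok.startswith("["):
            entries.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not entries:
            raise ValueError("action list without a preceding service: " + tok)
        actions = entries[-1][1]
        for item in tok[1:-1].split():
            negate = item.startswith("!")
            status, _, action = item.lstrip("!").lower().partition("=")
            # only return/continue are modelled (no 'merge' from newer glibc)
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError("unsupported action spec: " + item)
            for s in STATUSES:
                # '!STATUS=action' applies to every status except STATUS
                if (s != status) if negate else (s == status):
                    actions[s] = action
    return db.strip(), entries


def resolve(entries, outcomes):
    """Walk the services in order. 'outcomes' maps a service name to the status
    it reports; an unlisted service counts as unavailable (LDAP server down).
    Returns (final_status, services_consulted); simplified so that the overall
    status is the one reported by the last service consulted."""
    consulted, final = [], "notfound"
    for service, actions in entries:
        status = outcomes.get(service, "unavail")
        consulted.append(service)
        final = status
        if actions[status] == "return":
            break
    return final, consulted
```

The model makes the difference between the two lines explicit: for a user found in /etc/passwd neither line ever consults ldap, and for an unknown user both fall through to the unavailable backend; the `[!NOTFOUND=return]` form only changes the outcome when `files` itself reports UNAVAIL or TRYAGAIN.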
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.