Bug 345011 - no root login via console when AD is gone
Summary: no root login via console when AD is gone
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: nss_ldap
Version: 3.8
Hardware: i386
OS: Linux
Priority: low
Severity: urgent
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-10-22 10:14 UTC by Antoine Adams
Modified: 2012-06-20 13:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 13:31:49 UTC
Target Upstream Version:
Embargoed:



Description Antoine Adams 2007-10-22 10:14:49 UTC
Description of problem:

When using nss_ldap to authenticate against Active Directory (w2k3R2), the following issue occurs when
the Active Directory is down: you cannot log in on the console, even as root.


Version-Release number of selected component (if applicable):
227

How reproducible:

Standard install of Red Hat Linux:

ldap.conf:
#--
host be03ibm002iasw8.intra.local
base dc=intra,dc=local
uri  ldap://be03ibm002iasw8.intra.local 

ldap_version 3

binddn cn=interdig,cn=Users,dc=intra,dc=local
#bindpw {SSHA}tMLGH0XRRbqQuK7tunlVZKUy9mcOHYmH
bindpw Fr1kandel

# The SSL part will come here later
ssl no

scope sub

# Active Directory mapping fiddling
pam_password md5

pam_login_attribute sAMAccountName

scope sub
timelimit 30

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass homeDirectory unixHomeDirectory
#nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup group
nss_map_attribute gecos name
nss_map_attribute uniqueMember member
nss_map_attribute userPassword authPassword
nss_map_objectclass posixGroup group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_map_attribute uid sAMAccountName
#nss_map_attribute uidNumber msSFU30UidNumber
#nss_map_attribute gidNumber msSFU30GidNumber
#nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute userPassword msSFU30Password
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
#--- end of ldap.conf

(changed part of) nsswitch.conf:

#---
passwd:     files ldap
shadow:     files ldap
group:      files ldap
automount:  files ldap
#---

/etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_tally.so deny=3 reset no_magic_root
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 random=0 enforce=everyone
password    sufficient    /lib/security/$ISA/pam_unix.so remember=6 use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

# /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = INTRA.LOCAL
#default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 INTRA.LOCAL = {
  kdc = 10.250.1.4:88
  admin_server = 10.250.1.4:749
  default_domain = INTRA.LOCAL
 }

[domain_realm]
 .intra.local =  be03ibm002iasw8.INTRA.LOCAL
 intra.local =  be03ibm002iasw8.INTRA.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Steps to Reproduce:
1. create a user record on the AD, with UNIX attributes
2. test if this works
3. unplug AD / shutdown also good :-)

Actual results:

You cannot log in as root on the console, nor as any other user


Expected results:

To be able to log in as any local user

Additional info:

This problem is gone after recompiling nss_ldap from padl and installing it over the existing one.
Solution must be vendor supported.

Comment 1 Thomas Ellis 2008-05-09 13:18:24 UTC
I've faced a similar problem when using OpenLDAP: if my LDAP server is down I
am unable to log in via any local user on the console.

The workaround I have is to change these in the /etc/nsswitch.conf:
passwd: files [!NOTFOUND=return] ldap
shadow: files [!NOTFOUND=return] ldap
group: files [!NOTFOUND=return] ldap

This seems to work for me.

Tom
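As an added illustration (not part of the bug report or of any commenter's post) of what the `[!NOTFOUND=return]` specifier in the workaround above changes, here is a small model of how glibc walks the services on an nsswitch.conf line. It assumes the default action table documented in nsswitch.conf(5) (SUCCESS=return, the other statuses continue) and takes the per-service outcomes as constructed input rather than performing real lookups.

```python
# Added example: model of glibc NSS action resolution for an nsswitch.conf line.
# Assumption: default actions per nsswitch.conf(5) are
#   SUCCESS=return, NOTFOUND=continue, UNAVAIL=continue, TRYAGAIN=continue
# and a "!" in front of a status applies the action to every *other* status.
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_nsswitch_line(spec):
    """Parse e.g. 'files [!NOTFOUND=return] ldap' into
    [(service, {status: action}), ...]; a bracket block applies to the
    service immediately before it."""
    services = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if tok.startswith("["):
            if not services:
                raise ValueError("action block before any service")
            actions = services[-1][1]
            for pair in tok[1:-1].split():
                status, action = pair.lower().split("=")
                negate = status.startswith("!")
                status = status.lstrip("!")
                if status not in STATUSES or action not in ("return", "continue"):
                    raise ValueError("bad specifier: " + pair)
                targets = [s for s in STATUSES if s != status] if negate else [status]
                for s in targets:
                    actions[s] = action
        else:
            services.append((tok, dict(DEFAULT_ACTIONS)))
    return services


def resolve(spec, outcomes):
    """Walk the services in order. `outcomes` maps service -> the status that
    service would return (constructed input). Returns the list of services
    actually consulted and the final status."""
    consulted, final = [], "notfound"
    for service, actions in parse_nsswitch_line(spec):
        consulted.append(service)
        final = outcomes[service]
        if actions[final] == "return":
            break
    return consulted, final


if __name__ == "__main__":
    for line in ("files ldap", "files [!NOTFOUND=return] ldap"):
        # root is in /etc/passwd, the LDAP server is unreachable
        print(line, "->", resolve(line, {"files": "success", "ldap": "unavail"}))
        # /etc/passwd itself unreadable, LDAP reachable
        print(line, "->", resolve(line, {"files": "unavail", "ldap": "success"}))
```

Running it shows that a user found in `files` stops the walk under both lines, and that `[!NOTFOUND=return]` additionally stops the walk when `files` reports UNAVAIL or TRYAGAIN instead of falling through to ldap.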



Comment 2 Jiri Pallich 2012-06-20 13:31:49 UTC
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life.
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.

