Red Hat Bugzilla – Bug 440067
local logins fail on hosts configured with ipa-client-install when ipa server is down
Last modified: 2015-01-04 18:31:33 EST
Description of problem:
On hosts that have been configured with ipa-client-install, if the ipa server is
down, local logins fail. This is because the login is timing out on the
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install/configure ipa-server and a host on the same network with ipa-client
2. Shut down ipa server
3. Try logging in on the console of the host configured with the ipa-client
The root login will time out after a long delay
local users should be allowed to login even if the ldap/ipa server is down
Solution (suggested by Simo Sorce) is to set /etc/ldap.conf to have sane timeout
values. We tried:
And logins are delayed for a second or two while the ldap server query is
attempted, but then the local auth works and the login succeeds.
I was thinking more about the general problem and I think the following
parameter alone might be enough:
can you test and see if this helps ?
That works for users that are specified in the list, but the entire contents of
the local /etc/passwd file would need to be put in this list so that users like
apache, haldaemon, dbus and etc are ignored as well. Otherwise, booting causes
these services to hang indefinitely.
This is what I am probably going to set by default:
I am not going to set other users in there, I am probably rather going to
activate nscd by default, but these options alone should make the issue a lot
more bearable by themselves.
After all we are talking about a failure mode where no servers are available at all.
I added a bit of a note about this here, adding that it only happens as part of
I'm wondering if we should include what the defaults are for reference, rather
than sending admins to a RHEL or Fedora box to retrieve them and add them to
whatever OS they are configuring (they might only have non-RHEL clients).
One other data point: I just came from debugging this same issue on a VM running
FreeIPA server (which installs the client as well I guess). For some reason the
network on this VM did not come up in an orderly fashion, with the result that I
couldn't log into the box at all. Adding the lines above (after having rebooted
to single user mode) not only allowed me to log in, it seemed to fix the network
issue as well (although truthfully I'm not convinced the networking issue had
anything to do with the login issue, might have been sheer luck).