authconfig also adds a similar entry for Kerberos if kerberos is setup.

account     [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore] /lib/security/pam_krb5.so

root access is denied at the console when that line exists in the system-auth
file. root is not an account defined in Kerberos. I have another account on the
system which is also not defined in kerberos but this account can login.

Also, this prevents use of sudo to access root (I get an Incorrect password from
su when I try to execute /usr/bin/sudo /bin/su - )

Only by commenting out that line can I allow root access to the console and also
allow root access from sudo.

I confirm this problem exists with 7.3 as well.

The problem might be though with pam package though, not with ldap. See
discussion at
http://www.netsys.com/pamldap/2002/04/msg00026.html

I've seen this behavior since 7.1 or 7.2.  nsswitch is being totally ignored
when it comes to ldap authentication

This is still a problem in the current beta of 8.1

See also:

Bug 71546: ldap for user files always used, regardless of nsswitch.conf
Bug 66682: nis for user files always used, regardless of nsswitch.conf
Bug 58562: nis for host files always used, regardless of nsswitch.conf

Oops, that should be

Bug 58568: nis for host files always used, regardless of nsswitch.conf

I am using the "ass" map... it is obvious that redhat does not really even use
/etc/nsswitch.conf except maybe for gethostbyname type lookups... it still
allows me to finger and login from remote (and I tried logging in with a user
account that has never logged into this machine since it was built so its not nscd)


[root@cookies root]# finger -m tommy
Login: tommy                            Name: Tommy McNeely
Directory: /home/tommy                  Shell: /bin/bash
On since Fri Dec 20 23:25 (MST) on tty1     16 days 22 hours idle
Last login Mon Jan  6 13:41 (MST) on pts/12 from pickles.local.redneck.nu
No mail.
No Plan.
[root@cookies root]# grep passwd /etc/nsswitch.conf
#passwd:    db files nisplus nis
passwd:     ass



Tommy

sorry... itchy trigger finger .. here is a "working" example on another OS

I assure you the below users are valid either in LDAP or local (for root)

[root@icecream root]# finger tommy
Login name: tommy                       In real life: ???
[root@icecream root]# finger scott
Login name: scott                       In real life: ???
[root@icecream root]# finger jeff
Login name: jeff                        In real life: ???
[root@icecream root]# finger root
Login name: root                        In real life: ???


[root@icecream root]# grep ^passwd /etc/nsswitch.conf
passwd:         ass

[root@icecream root]# uname -a
SunOS icecream 5.9 Generic_112233-01 sun4u sparc SUNW,Ultra-5_10


:p

There's been quite a lot of discussion about this on nss_ldap mailing list, for
example see http://www.netsys.com/nssldap/2002/06/msg00029.html. Suggested fix
is (a) use an LDAP client library with adjustable connect timeout and (b) adjust
that timeout appropriately to "maximise the user experience".

Created attachment 93042 [details]
Patch to /etc/pam.d/system-auth which fixes the local login problems if the LDAP server for authentication is not accessible

Same patch as in #63717

This appears to be fixed in severn / rawhide.... If I pull the network cable on
my LDAP client system, then boot it, I can still log in using my root account
from /etc/passwd && /etc/shadow

Yes, the above patch fixes the problem, thank you.
However, the "authconfig" program still messes up the file
/etc/pam.d/system-auth if ldap is chosen. 
authconfig needs to be fixed. 

So, should this be marked as a duplicate of bug #55193 (the "fix
authconfig" bug)?

*** This bug has been marked as a duplicate of 55193 ***