
OpenLDAP/SSH : sshd[1414]: fatal: login_get_lastlog: Cannot find account for uid 1000


O. Hartmann

Apr 24, 2009, 6:21:30 AM
to freebsd...@freebsd.org, freebsd-...@freebsd.org
Since several months after an upgrade from OpenLDAP 2.4.11 to the most
recent one I have trouble logging in on machines which authenticate users
via OpenLDAP.

The OpenLDAP server is at the moment a FreeBSD 7.2 box running the most
recent OpenLDAP from ports. The following is also true for each OpenLDAP
2.4.16 I have running on most recent FreeBSD 8.0-CURRENT boxes.

I can't log in via ssh anymore! As a first circumvention of the problem I
installed local users, so I can log in via them.

Here is what I can and cannot do:

I can enumerate each user in the OpenLDAP DIT via id as I wish
I can use the OpenLDAP server to log in on a samba share
I can 'su' to users having their account stuff in the OpenLDAP DIT

Whenever I (or any other user) try to log in to a host which does
PAMified authentication to LDAP servers (which worked perfectly weeks
ago), I (or he) get this:

sshd[1414]: fatal: login_get_lastlog: Cannot find account for uid 1000

Logging the console messages on the server shows this:

sshd[482]: nss_ldap: could not search LDAP server - Server is unavailable

sshd[482]: fatal: login_get_lastlog: Cannot find account for uid 1000


I tried to reconfigure /etc/ssh/sshd_config on the host side, restored
it with a version that worked long before and then tried to reconfigure
it from scratch, beginning from the default. No success.
Due to the fact that other services can authenticate without problems via
LDAP, this must have to do with SSH and/or the way it is implemented in
FreeBSD.

Please help.

Regards,
Oliver

Ivan Voras

Apr 24, 2009, 6:34:01 AM
to freebsd...@freebsd.org, freebsd-...@freebsd.org
O. Hartmann wrote:
> Since several months after an upgrade from OpenLDAP 2.4.11 to the most
> recent one I have trouble logging in on machines which authenticate users
> via OpenLDAP.
>

I've just installed a fresh machine with FreeBSD 7.2 amd64 and OpenLDAP
2.4.latest and it works. The only difference might be that I'm using nscd.

Have you modified /etc/pam.d files?


Ruben de Groot

Apr 24, 2009, 10:16:51 AM
to Ivan Voras, freebsd...@freebsd.org, freebsd-...@freebsd.org
On Fri, Apr 24, 2009 at 12:34:01PM +0200, Ivan Voras typed:

I had a problem with nss_ldap and openldap over ssl. This patch fixed it:

http://www.freebsd.org/cgi/query-pr.cgi?pr=133501&cat=ports

Ruben


Kostik Belousov

Apr 24, 2009, 1:12:54 PM
to Ruben de Groot, freebsd...@freebsd.org, Ivan Voras
[Removed questions]

Actually, bug reports against threading library in 7.0/7.1 should
be rechecked against upcoming 7.2, since libthr got a complete sync
with HEAD. In particular, several issues were fixed that are related
to fork and threads interaction.

If the issue is still present in 7.2, then the best way to start some
progress is to get isolated failing test case for libthr.

O. Hartmann

Apr 25, 2009, 12:32:46 PM
to Kostik Belousov, Ruben de Groot, freebsd...@freebsd.org, Ivan Voras
The problem I specifically mentioned affects a pure FreeBSD
8.0-CURRENT/amd64 installation in the same way and is identical to what
I see with FreeBSD 7.2-STABLE.

I changed the order of lookup targets in /etc/nsswitch.conf:

previously not working and triggering the issues I reported:

group: files ldap
passwd: files ldap

working after exchanging the order:

group: ldap files
passwd: ldap files

This is weird! After I changed that, the first attempt at issuing the
password now takes 20 seconds to respond even for local users; if I hit
return for the first password attempt and issue the password on the second
attempt, it runs immediately towards the expected login.

The intention of having files looked up first was: sometimes LDAP is dead
or we are running tests and cannot reach LDAP, so we need to log in via
locally stored users. Having LDAP consulted first makes a login a
disaster: after a minute some boxes cancel the login attempt because of a
timeout. That's fun.

Even with

passwd: ldap [unavail=continue notfound=continue] files [success=return notfound=return]
group: ldap [unavail=continue notfound=continue] files [success=return notfound=return]

it fails. There is something wrong, not specifically with 7.2.

Oliver
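The two nsswitch.conf orderings tried above behave differently only because of how nsdispatch(3) walks the sources. The following is an added example, not code from the thread or from FreeBSD: a small parser for nsswitch.conf entries that expands the `[status=action]` modifiers and simulates the dispatcher on constructed outcomes (LDAP unavailable, account present locally). It assumes the default actions documented in nsdispatch(3) on FreeBSD (success=return, every other status continue); the sample configuration text is constructed to mirror the two orders in the post. It models lookup order and actions only, not the nss_ldap connect timeout that produces the delay the poster describes.

```python
"""Parse nsswitch.conf entries and simulate nsdispatch(3) source selection.

Added example for the thread above; not from the original posts or FreeBSD.
Assumed defaults (per nsdispatch(3) on FreeBSD, taken as an assumption here):
success=return, notfound/unavail/tryagain=continue.
"""
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# Either a bracketed "[status=action ...]" group or a bare source name.
_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]} in lookup order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources = []
        for mods, word in _TOKEN.findall(rest):
            if word:
                sources.append((word, dict(DEFAULT_ACTIONS)))
            elif sources:
                # A "[...]" group modifies the source immediately before it.
                for item in mods.split():
                    status, _, action = item.partition("=")
                    status, action = status.lower(), action.lower()
                    if status.startswith("!"):
                        # "[!status=action]": apply to every *other* status.
                        for s in STATUSES:
                            if s != status[1:]:
                                sources[-1][1][s] = action
                    else:
                        sources[-1][1][status] = action
        conf[db.strip()] = sources
    return conf


def dispatch(conf, database, outcomes):
    """Simulate nsdispatch(3) for one lookup.

    `outcomes` maps source -> status that source would report (missing
    sources report "notfound").  Returns (answering_source, consulted):
    answering_source is None when no source produced a success before the
    walk stopped.
    """
    consulted = []
    for source, actions in conf[database]:
        consulted.append(source)
        status = outcomes.get(source, "notfound")
        if actions[status] == "return":
            return (source if status == "success" else None), consulted
    return None, consulted


def sources_ahead_of_files(conf, database="passwd"):
    """Sources that must answer (or time out) before 'files' is consulted.

    A non-empty list means a dead LDAP server delays or blocks logins for
    locally stored accounts, the trade-off described in the thread.
    """
    ahead = []
    for source, _ in conf.get(database, []):
        if source == "files":
            return ahead
        ahead.append(source)
    return ahead


# Constructed samples mirroring the two orders tried in the post.
FILES_FIRST = """\
group: files ldap
passwd: files ldap
"""
LDAP_FIRST = """\
group: ldap [unavail=continue notfound=continue] files [success=return notfound=return]
passwd: ldap [unavail=continue notfound=continue] files [success=return notfound=return]
"""

if __name__ == "__main__":
    for name, text in (("files first", FILES_FIRST), ("ldap first", LDAP_FIRST)):
        conf = parse_nsswitch(text)
        # LDAP server unreachable, account exists in /etc/passwd.
        who, path = dispatch(conf, "passwd", {"ldap": "unavail", "files": "success"})
        print(f"{name}: local user answered by {who} after consulting {path}; "
              f"sources ahead of files: {sources_ahead_of_files(conf)}")
```

Running it shows that the explicit `[unavail=continue notfound=continue]` on the ldap source is the same as the default action table, so it changes nothing about the walk; with ldap first, a local account is still resolved by files, but only after the ldap source has reported unavailable, which is where a connect timeout lands on the login path.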

