[Bug 1024475] Re: libnss-ldap causes boot hang on 12.04 precise, 14.04 trusty, 16.04 xenial

Juergen Scholz 1024475 at bugs.launchpad.net
Sun Dec 24 12:30:55 UTC 2017


I have upgraded a 16.04 system which worked/booted perfectly with
libnss-ldap being used by nsswitch for passwd, shadow and groups to
17.10. The system took a long time to boot, could not bring up
networking properly (running dhclient in 90 second intervals, possibly a
timeout) and could not start systemd-logind.

After using nss_initgroups_ignoreusers as stated by Graham Eames in #14
and adding a new line as suggested by Thomas Werschlein in #24, the
system started behaving normally again.

You can use the following commands, which I stole from stackexchange, to populate the nss_initgroups_ignoreusers parameter automatically:

# build a comma-separated list of every local account name in /etc/passwd
NSS_IGNOREUSERS="$(cut -d: -f1 /etc/passwd | sort | tr '\n' ',' | sed 's|,$||')"
# replace the existing nss_initgroups_ignoreusers line with that list
sed -i "s|^nss_initgroups_ignoreusers.*|nss_initgroups_ignoreusers ${NSS_IGNOREUSERS}|" /etc/ldap.conf

However you will have to add a new line afterwards!

In short: This issue affects 17.10, too.

Suggestion: libnss-ldap should have a parameter which makes it check the
passwd/group files and automatically use the names which are in there in
the nss_initgroups_ignoreusers parameter. This should also be the
default configuration, since systemd is the default too.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libnss-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/1024475

Title:
  libnss-ldap causes boot hang on 12.04 precise, 14.04 trusty, 16.04
  xenial

Status in libnss-ldap package in Ubuntu:
  Confirmed

Bug description:
  A configuration that works perfectly after setup prevents an Ubuntu
  12.04 Precise client from booting.

  Checks before rebooting:

  1. winbind authentication is working (console login, xrdp, etc)
  2. libnss-ldap name resolution is working (getent passwd)

  (this is the intended setup)

  After booting the default Grub option we see the machine hung without
  printing anything.

  Booting in recovery mode allows us to see that the last printed
  message is:

  Begin: Running /scripts/init-bottom ... done.

  The problem IS related to libnss-ldap because if we boot via cdrom and
  change nsswitch.conf to use local authentication the machine boots
  again perfectly. We can then change it back to use local
  authentication + ldap (compat ldap) and verify that it works. However
  the system won't come up after rebooting.

  Even though the nss_initgroups_ignoreusers is correctly set up there is
  probably some service that is trying to use ldap before networking is
  available. The extra options (see below) intended to lower timeouts
  seem to have no effect.

  Configuration details:

  /etc/ldap.conf
  -----------------------------------

  base dc=DOMAIN,dc=COM
  binddn uid=ldapuser,ou=users,dc=DOMAIN,dc=COM
  bindpw XXXXXYYYYZZZZ
  ldap_version 3
  uri ldap://192.168.1.8
  nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data,xrdp

  /etc/nsswitch.conf
  -----------------------------------

  passwd:         compat ldap
  group:          compat ldap
  shadow:         compat ldap

  hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
  networks:       files

  protocols:      db files
  services:       db files
  ethers:         db files
  rpc:            db files

  netgroup: nis

  extra options tried on /etc/ldap.conf 
  -----------------------------------

  timelimit 2
  bind_timelimit 1
  nss_reconnect_sleeptime 1
  nss_reconnect_maxsleeptime 1
  bind_policy soft

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libnss-ldap/+bug/1024475/+subscriptions
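As an added example (not from this thread and not part of libnss-ldap): a small POSIX shell script that does what the two commands in the post above do, but also copes with an ldap.conf that has no nss_initgroups_ignoreusers line yet (the plain sed would silently change nothing) and with a file whose last line lacks a newline, which is one reading of the "add a new line afterwards" caveat. The passwd and ldap.conf it writes under a temporary directory are constructed for the demo; on a real system you would call set_ignoreusers with /etc/passwd and /etc/ldap.conf.

```shell
#!/bin/sh
# Added example: regenerate nss_initgroups_ignoreusers from the local passwd
# file and write it into an ldap.conf, replacing the line if present and
# appending it otherwise. Not code from the bug report or from libnss-ldap.

# Comma-separated, de-duplicated list of account names from a passwd file.
local_users() {
    cut -d: -f1 "$1" | sort -u | paste -sd, -
}

# Current value of nss_initgroups_ignoreusers in an ldap.conf (empty if unset).
get_ignoreusers() {
    sed -n 's/^nss_initgroups_ignoreusers[[:space:]]*//p' "$1" | tail -n 1
}

# Replace the nss_initgroups_ignoreusers line in $2 with the users from $1,
# or append one if absent. awk re-emits every record followed by a newline,
# so the result always ends in "\n" even when the input file did not.
set_ignoreusers() {
    passwd_file=$1
    conf_file=$2
    users=$(local_users "$passwd_file")
    tmp="${conf_file}.tmp.$$"
    # Account names contain no backslashes, so passing them via -v is safe.
    awk -v users="$users" '
        /^nss_initgroups_ignoreusers/ {
            print "nss_initgroups_ignoreusers " users; found = 1; next
        }
        { print }
        END { if (!found) print "nss_initgroups_ignoreusers " users }
    ' "$conf_file" > "$tmp" && mv "$tmp" "$conf_file"
}

# Demo on constructed files (not a real system) so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:100:65534::/run/sshd:/usr/sbin/nologin
avahi:x:101:101::/var/run/avahi-daemon:/bin/false
EOF
# Deliberately no nss_initgroups_ignoreusers key and no trailing newline.
printf 'base dc=example,dc=com\nuri ldap://ldap.example.com' > "$demo_dir/ldap.conf"

set_ignoreusers "$demo_dir/passwd" "$demo_dir/ldap.conf"
echo "nss_initgroups_ignoreusers is now: $(get_ignoreusers "$demo_dir/ldap.conf")"
rm -rf "$demo_dir"
```

The reason this list matters at boot is that nss_ldap skips the LDAP lookup in initgroups() for the names in it, so services that start as local system accounts (logind, the DHCP client, syslog) never wait on an LDAP server that is not reachable yet. Re-run the script whenever a package installs a new system account, otherwise that account's first initgroups() call during boot will again go to LDAP.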



More information about the foundations-bugs mailing list