Message-Id: <200601150029.k0F0THGV061572@www.freebsd.org>
Date: Sun, 15 Jan 2006 00:29:17 GMT
From: Sean McNeil <sean@mcneil.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: net/nss_ldap broken with getpwuid*
X-Send-Pr-Version: www-2.3

>Number:         91806
>Category:       ports
>Synopsis:       net/nss_ldap broken with getpwuid*
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 15 00:30:10 GMT 2006
>Closed-Date:    Tue May 30 18:51:36 GMT 2006
>Last-Modified:  Tue May 30 18:51:36 GMT 2006
>Originator:     Sean McNeil
>Release:        6-STABLE
>Organization:
>Environment:
FreeBSD triton.mcneil.com 6.0-STABLE FreeBSD 6.0-STABLE #16: Fri Jan 13 12:46:06 PST 2006     root@triton.mcneil.com:/usr/obj/usr/src/sys/TRITON  amd64

>Description:
Recent update of nss_ldap breaks getpwuid* routines.  This is evident with sshd.  Attempting to

ssh localhost
Password:
Connection to localhost closed by remote host.
Connection to localhost closed.

sshd[]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[]: fatal: login_get_lastlog: Cannot find account for uid 501

Reverting to previous version fixes the problem.

>How-To-Repeat:
attempt to ssh to localhost.

>Fix:
Revert to previous version.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->nectar 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Sun Jan 15 00:32:27 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=91806 
Responsible-Changed-From-To: nectar->freebsd-ports-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Mar 24 05:48:39 UTC 2006 
Responsible-Changed-Why:  
Reset assignee; nectar is away from FreeBSD work at the moment. 

From: Andrey Slusar <anray@freebsd.org>
To: bug-followup@freebsd.org, sean@mcneil.com
Cc:  
Subject: Re: ports/91806 : net/nss_ldap broken with getpwuid*
Date: Tue, 28 Mar 2006 01:50:02 +0300

 Is this problem reproducible on the new nss_ldap-1.249?
 
 -- 
 Andrey Slusar <anrays@gmail.com>
               <anray@FreeBSD.org>

From: Sean McNeil <sean@mcneil.com>
To: Andrey Slusar <anray@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: ports/91806 : net/nss_ldap broken with getpwuid*
Date: Mon, 27 Mar 2006 14:56:27 -0800

 On Tue, 2006-03-28 at 01:50 +0300, Andrey Slusar wrote:
 > Is this problem reproducible on the new nss_ldap-1.249?
 
 I have downgraded my openldap server/client to 2.2.30 to avoid this
 problem.  I will attempt to test with 2.3.19 over the weekend and let
 you know.
 
 
 

From: Sean McNeil <sean@mcneil.com>
To: Andrey Slusar <anray@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: ports/91806 : net/nss_ldap broken with getpwuid*
Date: Sun, 02 Apr 2006 15:19:59 -0700

 On Tue, 2006-03-28 at 01:50 +0300, Andrey Slusar wrote:
 > Is this problem reproducible on the new nss_ldap-1.249?
 
 Sorry, this problem is still reproducible with nss_ldap-1.249.  I didn't
 look at the report carefully enough to notice:
 
 with nss_ldap-1.249 and "ssh localhost"...
 
 Apr  2 15:12:03 triton sshd[15391]: Accepted keyboard-interactive/pam for sean from 127.0.0.1 port 55042 ssh2
 Apr  2 15:12:03 triton sshd[15391]: nss_ldap: could not search LDAP server - Server is unavailable
 Apr  2 15:12:03 triton sshd[15391]: fatal: login_get_lastlog: Cannot find account for uid 501
 Apr  2 15:12:03 triton sshd[15391]: syslogin_perform_logout: logout() returned an error
 
 with older version...
 
 Apr  2 15:15:11 triton sshd[23011]: Accepted keyboard-interactive/pam for sean from 127.0.0.1 port 58650 ssh2
 Apr  2 15:15:11 triton sshd[23011]: nss_ldap: reconnecting to LDAP server...
 Apr  2 15:15:11 triton sshd[23011]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
 
 ssh fails with nss_ldap 1.249 and succeeds with older version.
 
 

From: Andrey Slusar <anray@freebsd.org>
To: Sean McNeil <sean@mcneil.com>
Cc: bug-followup@freebsd.org
Subject: Re: ports/91806 : net/nss_ldap broken with getpwuid*
Date: Mon, 03 Apr 2006 01:40:16 +0300

 Sun, 02 Apr 2006 15:19:59 -0700, Sean McNeil wrote:
 
 > > Is this problem reproducible on the new nss_ldap-1.249?
 
 > Sorry, this problem is still reproducible with nss_ldap-1.249.  I didn't
 > look at the report carefully enough to notice:
 
 > with nss_ldap-1.249 and "ssh localhost"...
 
 > Apr  2 15:12:03 triton sshd[15391]: Accepted keyboard-interactive/pam for sean from 127.0.0.1 port 55042 ssh2
 > Apr  2 15:12:03 triton sshd[15391]: nss_ldap: could not search LDAP server - Server is unavailable
 > Apr  2 15:12:03 triton sshd[15391]: fatal: login_get_lastlog: Cannot find account for uid 501
 > Apr  2 15:12:03 triton sshd[15391]: syslogin_perform_logout: logout() returned an error
 
 > with older version...
 
 > Apr  2 15:15:11 triton sshd[23011]: Accepted keyboard-interactive/pam for sean from 127.0.0.1 port 58650 ssh2
 > Apr  2 15:15:11 triton sshd[23011]: nss_ldap: reconnecting to LDAP server...
 > Apr  2 15:15:11 triton sshd[23011]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
 
 > ssh fails with nss_ldap 1.249 and succeeds with older version.
 
  "Older version" is 1.239?
 
 -- 
 Andrey Slusar <anrays@gmail.com>
               <anray@FreeBSD.org>

From: Sean McNeil <sean@mcneil.com>
To: Andrey Slusar <anray@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: ports/91806 : net/nss_ldap broken with getpwuid*
Date: Sun, 02 Apr 2006 15:53:28 -0700

 On Mon, 2006-04-03 at 01:40 +0300, Andrey Slusar wrote:
 > Sun, 02 Apr 2006 15:19:59 -0700, Sean McNeil wrote:
 > 
 > > > Is this problem reproducible on the new nss_ldap-1.249?
 > 
 > > Sorry, this problem is still reproducible with nss_ldap-1.249.  I didn't
 > > look at the report carefully enough to notice:
 > 
 > > with nss_ldap-1.249 and "ssh localhost"...
 > 
 > > Apr  2 15:12:03 triton sshd[15391]: Accepted keyboard-interactive/pam for sean from 127.0.0.1 port 55042 ssh2
 > > Apr  2 15:12:03 triton sshd[15391]: nss_ldap: could not search LDAP server - Server is unavailable
 > > Apr  2 15:12:03 triton sshd[15391]: fatal: login_get_lastlog: Cannot find account for uid 501
 > > Apr  2 15:12:03 triton sshd[15391]: syslogin_perform_logout: logout() returned an error
 > 
 > > with older version...
 > 
 > > Apr  2 15:15:11 triton sshd[23011]: Accepted keyboard-interactive/pam for sean from 127.0.0.1 port 58650 ssh2
 > > Apr  2 15:15:11 triton sshd[23011]: nss_ldap: reconnecting to LDAP server...
 > > Apr  2 15:15:11 triton sshd[23011]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
 > 
 > > ssh fails with nss_ldap 1.249 and succeeds with older version.
 > 
 >  "Older version" is 1.239?
 
 Correct.  1.239 is the last working version for me.
 
 

From: Sergey Matveychuk <sem@FreeBSD.org>
To: bug-followup@FreeBSD.org,  sean@mcneil.com
Cc:  
Subject: Re: ports/91806: net/nss_ldap broken with getpwuid*
Date: Sun, 16 Apr 2006 23:00:25 +0400

 Have you tried to report this to nss_ldap developers?
 
 -- 
 Dixi.
 Sem.

From: "Thomas Sandford" <thomas@paradisegreen.co.uk>
To: <bug-followup@FreeBSD.org>,
	<sean@mcneil.com>
Cc:  
Subject: Re: ports/91806: net/nss_ldap broken with getpwuid*
Date: Fri, 28 Apr 2006 12:16:05 +0100

 I'm not sure if this is related, but following a recent crash (prior to 
 which my box had run without problems for many months) I have been having 
 similar problems.
 
 I have:
 almaz# portversion -v
 ...
 nss_ldap-1.239              <  needs updating (port has 1.249)
 openldap-client-2.3.19      <  needs updating (port has 2.3.21)
 openldap-server-2.3.19      <  needs updating (port has 2.3.21)
 ...
 
 almaz# cat /etc/nsswitch.conf
 # group: compat
 group: files ldap
 group_compat: nis
 hosts: files dns
 networks: files
 # passwd: compat
 passwd: files ldap
 passwd_compat: nis
 shells: files
 almaz# uname -v
 FreeBSD 5.4-RELEASE #0: Sun May 15 12:31:08 BST 2005 root@almaz.paradisegreen.co.uk:/usr/src/sys/i386/compile/SMP
 
 What I find is that immediately after reboot, neither cron nor sshd are able 
 to read user data via nss.
 
 eg:
 almaz# cat /var/log/auth.log
 # reboot occurred here
 Apr 26 09:42:00 almaz sshd[477]: Server listening on :: port 22.
 Apr 26 09:42:00 almaz sshd[477]: Server listening on 0.0.0.0 port 22.
 # attempt to log in (correct user/password) via ssh
 Apr 26 10:19:29 almaz sshd[2683]: Illegal user tdgsandf from 10.0.0.6
 Apr 26 10:19:29 almaz sshd[2684]: input_userauth_request: illegal user tdgsandf
 Apr 26 10:19:31 almaz sshd[2683]: Failed unknown for illegal user tdgsandf from 10.0.0.6 port 3559 ssh2
 # run "/etc/rc.d/sshd restart"
 Apr 26 10:20:46 almaz sshd[477]: Received signal 15; terminating.
 Apr 26 10:20:46 almaz sshd[2721]: Server listening on :: port 22.
 Apr 26 10:20:46 almaz sshd[2721]: Server listening on 0.0.0.0 port 22.
 # and try and log in again
 Apr 26 10:21:09 almaz sshd[2722]: Accepted keyboard-interactive/pam for tdgsandf from 10.0.0.6 port 3560 ssh2
 Apr 26 10:21:09 almaz sshd[2722]: nss_ldap: reconnecting to LDAP server...
 Apr 26 10:21:09 almaz sshd[2722]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
 ...
 
 Similarly:
 almaz# cat /var/log/cron
 # some time after a reboot
 Apr 28 11:22:00 almaz /usr/sbin/cron[33972]: (operator) CMD (/usr/libexec/save-entropy)
 # one error for each LDAP user's crontab
 Apr 28 11:22:00 almaz cron[33972]: NSSWITCH(nss_method_lookup): ldap, group, setgrent, not found
 Apr 28 11:22:00 almaz cron[33972]: NSSWITCH(nss_method_lookup): ldap, group, getgrent_r, not found
 Apr 28 11:22:00 almaz cron[33972]: NSSWITCH(nss_method_lookup): ldap, group, endgrent, not found
 Apr 28 11:22:00 almaz cron[33972]: NSSWITCH(nss_method_lookup): ldap, passwd, endpwent, not found
 Apr 28 11:25:00 almaz /usr/sbin/cron[34121]: (root) CMD (/usr/libexec/atrun)
 Apr 28 11:25:00 almaz cron[34121]: NSSWITCH(nss_method_lookup): ldap, group, setgrent, not found
 Apr 28 11:25:00 almaz cron[34121]: NSSWITCH(nss_method_lookup): ldap, group, getgrent_r, not found
 Apr 28 11:25:00 almaz cron[34121]: NSSWITCH(nss_method_lookup): ldap, group, endgrent, not found
 Apr 28 11:25:00 almaz cron[34121]: NSSWITCH(nss_method_lookup): ldap, passwd, endpwent, not found
 # run "/etc/rc.d/cron restart"
 # and now all crontabs processed OK
 Apr 28 11:30:00 almaz /usr/sbin/cron[34455]: (root) CMD (/usr/libexec/atrun)
 Apr 28 11:33:00 almaz /usr/sbin/cron[34490]: (operator) CMD (/usr/libexec/save-entropy)
 
 Somehow nss_ldap seems not to be working correctly immediately after boot, 
 and daemons which started before it was running correctly can _never_ pick 
 up information through it until they are restarted.
 
 But it looks as though this may be LDAP version rather than nss_ldap version 
 related since my nss_ldap version is unchanged for some time.
 
 -- 
 Thomas Sandford 
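Added example, not part of the original thread: a Python triage helper that groups the sshd lines reported in the two messages above by host and PID, so a session that authenticated and was then dropped by a failed uid lookup is separated from a normal login and from an "Illegal user" entry. The function name and labels are assumptions made for this illustration; the sample lines are copied from the thread.

```python
import re
from collections import defaultdict

# sshd lines copied from the messages in this thread (syslog format).
SAMPLE_LOG = """\
Apr  2 15:12:03 triton sshd[15391]: Accepted keyboard-interactive/pam for sean from 127.0.0.1 port 55042 ssh2
Apr  2 15:12:03 triton sshd[15391]: nss_ldap: could not search LDAP server - Server is unavailable
Apr  2 15:12:03 triton sshd[15391]: fatal: login_get_lastlog: Cannot find account for uid 501
Apr  2 15:15:11 triton sshd[23011]: Accepted keyboard-interactive/pam for sean from 127.0.0.1 port 58650 ssh2
Apr  2 15:15:11 triton sshd[23011]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
Apr 26 10:19:29 almaz sshd[2683]: Illegal user tdgsandf from 10.0.0.6
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from \S+")
ILLEGAL_RE = re.compile(r"^Illegal user (?P<user>\S+) from \S+")


def classify_sessions(log_text):
    """Return {(host, pid): (user, label, nss_error_seen)} for sshd lines."""
    sessions = defaultdict(lambda: {"user": None, "flags": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line, or a wrapped fragment
        s = sessions[(m["host"], int(m["pid"]))]
        msg = m["msg"]
        if (a := ACCEPTED_RE.match(msg)):
            s["user"] = a["user"]
            s["flags"].add("accepted")
        elif (i := ILLEGAL_RE.match(msg)):
            s["user"] = i["user"]
            s["flags"].add("unknown_user")
        elif msg.startswith("nss_ldap: could not search LDAP server"):
            s["flags"].add("nss_error")
        elif msg.startswith("fatal: login_get_lastlog: Cannot find account"):
            s["flags"].add("uid_lookup_failed")
    result = {}
    for key, s in sessions.items():
        flags = s["flags"]
        if {"accepted", "uid_lookup_failed"} <= flags:
            label = "dropped_after_auth"   # authentication passed, account lookup failed
        elif "accepted" in flags:
            label = "login_ok"
        elif "unknown_user" in flags:
            # The thread shows a valid LDAP user logged this way while NSS was
            # not working, so check directory health before treating it as probing.
            label = "unknown_user"
        else:
            label = "other"
        result[key] = (s["user"], label, "nss_error" in flags)
    return result
```

Calling `classify_sessions(SAMPLE_LOG)` labels PID 15391 as dropped after authentication with an nss_ldap error in the same session, which is the failure signature this report describes.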
 
 

From: "Thomas Sandford" <thomas@paradisegreen.co.uk>
To: <bug-followup@FreeBSD.org>,
	<sean@mcneil.com>
Cc:  
Subject: Re: ports/91806: net/nss_ldap broken with getpwuid*
Date: Fri, 28 Apr 2006 18:25:33 +0100

 ...
 
 and I think my previous comment may be the clue. I suspect this is an 
 rcorder issue.
 
 I just did another reboot, and observed that sshd is starting before slapd.
 
 Needs further investigation, but I think this one is worth following up.
 
 -- 
 Thomas Sandford 
 
 

From: Artem Kazakov <kazakov@gmail.com>
To: bug-followup@FreeBSD.org, sean@mcneil.com
Cc:  
Subject: ports/91806 : net/nss_ldap broken with getpwuid*
Date: Thu, 11 May 2006 14:15:58 +0900

 Hello! 
 
 Sean McNeil <sean@mcneil.com>:
 > Recent update of nss_ldap breaks getpwuid* routines.  This is evident with sshd.  Attempting to
 > 
 > ssh localhost
 > Password:
 > Connection to localhost closed by remote host.
 > Connection to localhost closed.
 > 
 > sshd[]: nss_ldap: could not search LDAP server - Server is unavailable
 > sshd[]: fatal: login_get_lastlog: Cannot find account for uid 501
 > 
 > Reverting to previous version fixes the problem.
 
 Could you please check your nss_ldap.conf file? 
 It looks like, if you set 
 bind_policy soft
 nss_ldap stops working. I do not know the details yet, but I faced the same problem. 
 If you change bind_policy to hard (as it is by default) everything should work. 
 
 Regards.
 Artem Kazakov.
 
 
 

From: Sean McNeil <sean@mcneil.com>
To: Artem Kazakov <kazakov@gmail.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/91806 : net/nss_ldap broken with getpwuid*
Date: Wed, 10 May 2006 23:01:23 -0700

 On Thu, 2006-05-11 at 14:15 +0900, Artem Kazakov wrote:
 > Hello! 
 > 
 > Sean McNeil <sean@mcneil.com>:
 > > Recent update of nss_ldap breaks getpwuid* routines.  This is evident with sshd.  Attempting to
 > > 
 > > ssh localhost
 > > Password:
 > > Connection to localhost closed by remote host.
 > > Connection to localhost closed.
 > > 
 > > sshd[]: nss_ldap: could not search LDAP server - Server is unavailable
 > > sshd[]: fatal: login_get_lastlog: Cannot find account for uid 501
 > > 
 > > Reverting to previous version fixes the problem.
 > 
 > Could you please check your nss_ldap.conf file? 
 > It looks like, if you set 
 > bind_policy soft
 > nss_ldap stops working. I do not know the details yet, but I faced the same problem. 
 > If you change bind_policy to hard (as it is by default) everything should work. 
 
 Indeed, this is exactly the problem I have.  Commenting out my setting
 of "bind_policy soft" allows ssh to function once again.
 
 Thanks,
 Sean
 
 

From: Sean McNeil <sean@mcneil.com>
To: Artem Kazakov <kazakov@gmail.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/91806 : net/nss_ldap broken with getpwuid*
Date: Thu, 11 May 2006 16:28:14 -0700

 On Wed, 2006-05-10 at 23:01 -0700, Sean McNeil wrote:
 > On Thu, 2006-05-11 at 14:15 +0900, Artem Kazakov wrote:
 > > Hello! 
 > > 
 > > Sean McNeil <sean@mcneil.com>:
 > > > Recent update of nss_ldap breaks getpwuid* routines.  This is evident with sshd.  Attempting to
 > > > 
 > > > ssh localhost
 > > > Password:
 > > > Connection to localhost closed by remote host.
 > > > Connection to localhost closed.
 > > > 
 > > > sshd[]: nss_ldap: could not search LDAP server - Server is unavailable
 > > > sshd[]: fatal: login_get_lastlog: Cannot find account for uid 501
 > > > 
 > > > Reverting to previous version fixes the problem.
 > > 
 > > Could you please check your nss_ldap.conf file? 
 > > It looks like, if you set 
 > > bind_policy soft
 > > nss_ldap stops working. I do not know the details yet, but I faced the same problem. 
 > > If you change bind_policy to hard (as it is by default) everything should work. 
 > 
 > Indeed, this is exactly the problem I have.  Commenting out my setting
 > of "bind_policy soft" allows ssh to function once again.
 
 bind_policy hard is just unacceptable to me as it causes my system
 startup to be horrendous.  Playing around with nss_ldap.conf offered
 another solution for me that works:
 
 bind_policy soft
 nss_connect_policy oneshot
 
 For some reason, persistent connections are messing up sshd.  I'm happy
 with the oneshot, though, and I'll stick with these options.
 
 Cheers,
 Sean
 
 

From: Andrey Slusar <anrays@gmail.com>
To: bug-followup@FreeBSD.org, sean@mcneil.com
Cc:  
Subject: Re: ports/91806 : net/nss_ldap broken with getpwuid*
Date: Tue, 30 May 2006 11:12:13 +0300

 Please try the new port version (1.250) - the nss_ldap maintainer informed me -
 "in version 1.250 this bug is fixed".
 
 -- 
 Andrey Slusar <anrays@gmail.com>
               <anray@FreeBSD.org>
State-Changed-From-To: open->feedback 
State-Changed-By: anray 
State-Changed-When: Tue May 30 17:12:57 UTC 2006 
State-Changed-Why:  
Waiting for submitter's feedback. 

From: Sean McNeil <sean@mcneil.com>
To: Andrey Slusar <anrays@gmail.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/91806 : net/nss_ldap broken with getpwuid*
Date: Tue, 30 May 2006 11:38:39 -0700

 On Tue, 2006-05-30 at 11:12 +0300, Andrey Slusar wrote:
 > Please try the new port version (1.250) - the nss_ldap maintainer informed me -
 > "in version 1.250 this bug is fixed".
 
 Yes, this indeed appears to be fixed now.  Thank you.  You can go ahead
 and close the bug report.
 
 Cheers,
 Sean
 
 
State-Changed-From-To: feedback->open 
State-Changed-By: anray 
State-Changed-When: Tue May 30 18:50:53 UTC 2006 
State-Changed-Why:  
Feedback received. 

State-Changed-From-To: open->closed 
State-Changed-By: anray 
State-Changed-When: Tue May 30 18:51:34 UTC 2006 
State-Changed-Why:  
Fixed in 1.250 port version. 

>Unformatted:
