nscd: nss_ldap: server is unavailable

Bug #237115 reported by Nick Barcet
This bug affects 2 people

Affects                Status      Importance   Assigned to   Milestone
Ubuntu                 Invalid     Undecided    Unassigned
libnss-ldap (Ubuntu)   Confirmed   Undecided    Unassigned

Bug Description

Binary package hint: libnss-ldapd

Since Hardy's release, when doing a Kerberos connection, a refusal to open a gdm session may occur. The error message in gdm is: "The system administrator had temporarily disabled connection to this system". In auth.log: "nscd: nss_ldap: server is unavailable"

The problem occurs in the "account" phase, when the user account information is being pulled. The Kerberos authentication is successful but the user is not known by the system.

When this occurs, from another session we can do a:
# getent passwd user_having_issue
and we do not get a reply. After a certain time lapse, without any change to the setup, the user becomes known again.
Note: during this period, other users are tested and work successfully, which shows that the LDAP server does function properly.

To understand the issue better, a network trace was done, and it can be seen that on the TCP connection used by the request:
1- earlier: the LDAP server sent an end-of-TCP-session packet (FIN)
2- nss_ldap sends back an ACK
3- nss_ldap continues using this connection whose closing it acknowledged

To try to work around the issue, an attempt was made to configure nss_ldap not to use persistent connections (ldap.conf: nss_connect_policy oneshot), but once this is applied and the client rebooted, gdm crashes consistently at each authentication try (clearly identified in syslog). The crash goes away after restoring the original config (nss_connect_policy persist).
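The trace in the description (server sends FIN, client ACKs it, client keeps using the same connection) is the stale pooled-connection failure: with a persistent policy, the next lookup is written to a socket the peer has already half-closed, the peer answers with a reset, and the lookup fails even though the server accepts new connections fine. The following is an added example, not code from this report or from nss_ldap; it uses a constructed loopback server that answers one request and then closes, and shows the naive reuse failing next to a reuse that first checks whether the peer has hung up (readable socket plus zero-byte peek equals EOF). Host, port, query bytes and the "RESULT" reply are all made up for the demonstration.

```python
import select
import socket
import threading


# Constructed stand-in for a directory server with a short idle timeout: each accepted
# connection answers exactly one request and is then closed, which sends a FIN to the
# client. This is not the behaviour of any particular LDAP server.
def start_hangup_server(closed):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed by demo()
                return
            conn.recv(1024)
            conn.sendall(b"RESULT")
            conn.close()             # the FIN goes out here
            closed.set()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def lookup(sock, query):
    """One request/reply on an already open connection; None means the lookup failed."""
    try:
        sock.sendall(query)
        reply = sock.recv(1024)
    except OSError:                  # ECONNRESET / EPIPE once the peer's RST arrives
        return None
    return reply.decode() if reply else None   # b"" is EOF: the peer had closed


def peer_closed(sock, timeout=0.0):
    """True if the peer has sent FIN (or RST) on an otherwise idle connection.

    A healthy idle connection has nothing to read, so it is not readable.  A readable
    socket whose zero-byte peek returns b"" has received the peer's FIN.
    """
    readable, _, _ = select.select([sock], [], [], timeout)
    if not readable:
        return False
    try:
        return sock.recv(1, socket.MSG_PEEK) == b""
    except OSError:
        return True


def lookup_checked(port, sock, query):
    """Reuse the pooled socket only after the liveness check; reconnect otherwise."""
    if sock is None or peer_closed(sock, timeout=0.5):
        if sock is not None:
            sock.close()
        sock = socket.create_connection(("127.0.0.1", port))
    return sock, lookup(sock, query)


def demo():
    closed = threading.Event()
    srv, port = start_hangup_server(closed)
    results = {}

    # Persistent policy exactly as in the report's trace: reuse after the FIN, no check.
    sock = socket.create_connection(("127.0.0.1", port))
    results["persist_first"] = lookup(sock, b"uid=alice")
    closed.wait(2)
    results["persist_reuse"] = lookup(sock, b"uid=alice")   # fails: stale connection
    sock.close()

    # Same server, but the pooled connection is checked before it is reused.
    closed.clear()
    sock = socket.create_connection(("127.0.0.1", port))
    results["checked_first"] = lookup(sock, b"uid=bob")
    closed.wait(2)
    sock, results["checked_reuse"] = lookup_checked(port, sock, b"uid=bob")
    sock.close()
    srv.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The check is cheap enough to run before every reuse with a zero timeout in a real pool; the 0.5 s timeout above only makes the loopback demonstration deterministic. It does not catch a peer that disappeared without sending FIN (a crashed host, a firewall dropping the flow), which needs TCP keepalive or a request timeout on top.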

Revision history for this message
Arthur de Jong (adejong) wrote :

The log message is from nss_ldap, not from nss-ldapd; reassigning this bug report.

Revision history for this message
Jelmer Jaarsma (jelmer-jaarsma) wrote :

I'm having this problem as well, although for me it's not limited to GDM (not sure if it is for the reporter).

auth.log has this entry when the problem is exhibited:
Jul 15 15:20:43 ******** nscd: nss_ldap: could not search LDAP server - Server is unavailable

Symptoms:
A lookup on the current user will fail, resulting in several problems: Not able to lock the desktop (dbus connection seems to fail), not able to use gnome-terminal (it will report the user as "I have no name" and shout "You don't exist, please go away!" at every command)

Our system setup:
libnss-ldap for passwd/shadow/group lookups in Active Directory (Windows Server 2003-R2 / 2008)
libpam-krb5 for authentication

libnss-ldap uses a dedicated user when called as root (rootbinddn/passwd) and, when called as a mortal user, it uses SASL for Kerberos-authenticated LDAP lookups.

Revision history for this message
Munroe (sollog) wrote :

I would like to confirm this bug, or at least corroborate it. I am running a fresh install of Debian lenny (testing), up-to-date as of Oct 15th 2008.

dpkg -l |grep libnss

ii libnss-ldap 261-2 NSS module for using LDAP as a naming servic

Connecting to an Active Directory domain (w2k3 r2) yielded slow and spotty successful returns, with a lot of:

nss_ldap: reconnecting to LDAP server...
nss_ldap: reconnected to LDAP server ldap://<ad.server.fqdn> after 1 attempt
nss_ldap: reconnecting to LDAP server...
nss_ldap: reconnected to LDAP server ldap://<ad.server.fqdn> after 1 attempt

This would be logged by any service trying to connect to LDAP (nscd, imapd, smtpd, etc.).
By changing:

nss_connect_policy persist

to

nss_connect_policy oneshot

no more errors and performance is now *much* better.
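The reconnect lines quoted above are a usable signal: a burst of "reconnecting to LDAP server" from one process, or a "could not search LDAP server - Server is unavailable" line, is how this failure shows up in syslog before users notice "I have no name". The following is an added example, not part of this report, of a small detector for those messages. It parses standard syslog lines, counts nss_ldap events per program, and flags any program that reconnects three or more times within a minute. The log lines it runs on are constructed to resemble the ones quoted in this thread (hostnames and the server FQDN are made up); the syslog timestamp has no year, so intervals are measured assuming the log does not cross a year boundary.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, modelled on the nss_ldap messages quoted in this bug report.
SAMPLE_LOG = """\
Jul 15 15:20:41 host1 nscd: nss_ldap: reconnecting to LDAP server...
Jul 15 15:20:41 host1 nscd: nss_ldap: reconnected to LDAP server ldap://dc1.example.test after 1 attempt
Jul 15 15:20:42 host1 imapd: nss_ldap: reconnecting to LDAP server...
Jul 15 15:20:42 host1 imapd: nss_ldap: reconnected to LDAP server ldap://dc1.example.test after 1 attempt
Jul 15 15:20:43 host1 nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jul 15 15:20:43 host1 nscd: nss_ldap: reconnecting to LDAP server...
Jul 15 15:20:44 host1 nscd: nss_ldap: reconnecting to LDAP server...
Jul 15 15:25:10 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (traditional syslog layout, no year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Message patterns taken from the nss_ldap lines quoted in this report.
PATTERNS = {
    "unavailable": re.compile(r"nss_ldap: .*Server is unavailable"),
    "reconnect": re.compile(r"nss_ldap: reconnecting to LDAP server"),
    "reconnected": re.compile(r"nss_ldap: reconnected to LDAP server"),
}


def classify(msg):
    """Map a syslog message to one of the nss_ldap event kinds, or None."""
    for kind, rx in PATTERNS.items():
        if rx.search(msg):
            return kind
    return None


def summarize(log_text, window=timedelta(seconds=60), threshold=3):
    """Count nss_ldap events per program and flag outright failures and reconnect storms."""
    counts = defaultdict(lambda: defaultdict(int))
    recent = defaultdict(deque)          # per program: timestamps of recent reconnects
    findings = []
    storm_reported = set()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["msg"])
        if kind is None:
            continue
        prog = m["prog"]
        # Assumption: no year in the timestamp; strptime defaults to 1900, which is fine for
        # intervals inside one log as long as it does not span a year boundary.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        counts[prog][kind] += 1
        if kind == "unavailable":
            findings.append({"kind": "unavailable", "prog": prog, "host": m["host"], "at": m["ts"]})
        elif kind == "reconnect":
            q = recent[prog]
            q.append(ts)
            while q and ts - q[0] > window:   # drop reconnects older than the window
                q.popleft()
            if len(q) >= threshold and prog not in storm_reported:
                storm_reported.add(prog)
                findings.append({"kind": "reconnect_storm", "prog": prog, "host": m["host"],
                                 "count": len(q), "at": m["ts"]})
    return {"counts": {p: dict(c) for p, c in counts.items()}, "findings": findings}


if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG)["findings"]:
        print(f)
```

On the sample, nscd trips both findings (one "Server is unavailable" line and three reconnects inside a minute) while imapd, with a single reconnect, does not. Feed it `journalctl -o short` or `/var/log/auth.log` output and tune `window` and `threshold` to the reconnect rate a healthy host shows.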

wolfger (wolfger)
Changed in libnss-ldap:
status: New → Confirmed