nslcd does not start on boot every time
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| nss-pam-ldapd (Ubuntu) | | Undecided | Unassigned | |
Bug Description
I've been testing nslcd on Ubuntu 12.04 and I feel that 0.8.10 needs to be released for 12.04. I also get lots of messages that seem to be fixed in releases after 0.8.4.
Even the developer says: 'Users that require a stable release are encouraged to stay with 0.7 until 0.8 stabilises.'
http://
My main issue right now:
I've seen it not start on boot 50% of the time with different messages in syslog. If the daemon fails to start on boot and I start it from the init script, it works just fine without any (related) errors or messages in syslog. Also if I put the daemon in debug mode on boot via the init script, I don't see this issue. But also at the same time the init script will still be executing because the daemon does not drop into the background.
This is an example of it failing to start on boot, here it fails to log any errors:
Jul 26 11:53:33 voodoo nslcd[1799]: version 0.8.4 starting
Jul 26 11:53:33 voodoo nslcd[1799]: accepting connections
This is an example of it failing to start on boot that points at Libgcrypt killing off the application:
Jul 26 14:45:10 voodoo nslcd[1245]: version 0.8.4 starting
Jul 26 14:45:10 voodoo nslcd[1245]: accepting connections
Jul 26 14:45:11 voodoo nslcd[1245]: Libgcrypt warning: missing initialization - please fix the application
Jul 26 14:45:11 voodoo nslcd[1245]: Libgcrypt notice: state transition Power-On => Fatal-Error
Jul 26 14:45:11 voodoo nslcd[1245]: Libgcrypt error: fatal error in file visibility.c, line 1283, function gcry_create_nonce: called in non-operational state
Jul 26 14:45:11 voodoo nslcd[1245]: Libgcrypt terminated the application
Oddly, here is an example of the daemon starting on boot:
Jul 26 08:59:08 voodoo nslcd[1165]: version 0.8.4 starting
Jul 26 08:59:08 voodoo nslcd[1165]: accepting connections
Jul 26 08:59:10 voodoo nslcd[1165]: [3c9869] <passwd=""> "": name denied by validnames option
My nslcd.conf:
uid nslcd
gid nslcd
uri ldaps://10.x.x.110
uri ldaps://10.x.x.111
base dc=users,
base group dc=groups,
binddn cn=someuser,
bindpw somepass
filter passwd (&(objectClass=
ssl on
tls_reqcert never
map passwd homeDirectory "/home/$uid"
map passwd loginShell "/bin/bash"
Thanks for your work and any help.
-Mike
| Arthur de Jong (adejong) wrote : | #1 |
| Mike Holisky (mholisky) wrote : | #2 |
I'm sorry Arthur, I somehow missed that other bug report. I'm going to try and use the backport of 0.7.2 and see where that gets me. Thanks for your time and really quick response!
-Mike
| Launchpad Janitor (janitor) wrote : | #3 |
Status changed to 'Confirmed' because the bug affects multiple users.
| Changed in nss-pam-ldapd (Ubuntu): | |
| status: | New → Confirmed |
| Khaled Blah (khaled-blah) wrote : | #4 |
I am posting this to confirm that this bug still exists in 14.04:
Apr 28 10:12:41 hostname nslcd[1020]: version 0.8.13 starting
Apr 28 10:12:46 hostname nslcd[1020]: accepting connections
Apr 28 10:12:46 hostname nslcd[1020]: Libgcrypt warning: missing initialization - please fix the application
Apr 28 10:12:46 hostname nslcd[1020]: Libgcrypt warning: missing initialization - please fix the application
Apr 28 10:12:46 hostname nslcd[1020]: Libgcrypt notice: state transition Power-On => Fatal-Error
Apr 28 10:12:46 hostname nslcd[1020]: Libgcrypt error: fatal error in file visibility.c, line 1283, function gcry_create_nonce: called in non-operational state
Apr 28 10:12:46 hostname nslcd[1020]: Libgcrypt terminated the application
Apr 28 10:12:46 hostname nslcd[1020]: Libgcrypt error: invalid state transition Fatal-Error => Fatal-Error
| Khaled Blah (khaled-blah) wrote : | #5 |
Also, after rebooting my machine (a KVM guest) several times I have to say it seems to be happening every time. I can start nslcd manually though.
| linuxrrze (marcel-ritter) wrote : | #6 |
Same here on all our Ubuntu 14.04 machines:
On boot nslcd stops working with this message:
nslcd[1431]: version 0.8.13 starting
nslcd[1431]: accepting connections
nslcd[1431]: Libgcrypt warning: missing initialization - please fix the application
nslcd[1431]: Libgcrypt notice: state transition Power-On => Fatal-Error
nslcd[1431]: Libgcrypt error: fatal error in file visibility.c, line 1283, function gcry_create_nonce: called in non-operational state
nslcd[1431]: Libgcrypt terminated the application
Moving /etc/rc2.d/S20nslcd to something like /etc/rc2.d/S99nslcd increased the chance to start nslcd automatically (however, we're starting apache and some other things in between, so in other configurations this may not work).
As all our new machines will be installed with Ubuntu 14.04 and authenticate against ldap servers (using TLS/SSL) this is a major problem for us.
Hope we'll get a fix for this problem soon.
Let me know if we can help to track down the problem!
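As an added example (not part of the original report or the nslcd project): a shell function that reads syslog text and lists the nslcd instances that started and were then terminated by Libgcrypt, whether or not the line carries a timestamp and host prefix. The function names are hypothetical and the sample lines are constructed from the log shapes quoted in this report.

```shell
#!/bin/sh
# Added example, not from the bug report: find nslcd instances that logged
# a start-up and were then terminated by Libgcrypt.
# Reads syslog text on stdin, prints "PID VERSION" per killed instance.
nslcd_gcrypt_kills() {
    awk '
    match($0, /nslcd\[[0-9]+\]:/) {
        pid = substr($0, RSTART + 6, RLENGTH - 8)   # digits between [ and ]
        msg = substr($0, RSTART + RLENGTH + 1)      # text after the tag
        if (msg ~ /^version .* starting/) {
            ver = msg
            sub(/^version /, "", ver); sub(/ starting.*$/, "", ver)
            started[pid] = ver
        } else if (msg ~ /^Libgcrypt terminated the application/ && (pid in started)) {
            print pid, started[pid]
            delete started[pid]                     # report each instance once
        }
    }'
}

# Constructed sample: one clean start, two starts killed by Libgcrypt
# (one with the full syslog prefix, one without it).
sample_log() {
    cat <<'EOF'
Jul 26 08:59:08 voodoo nslcd[1165]: version 0.8.4 starting
Jul 26 08:59:08 voodoo nslcd[1165]: accepting connections
Jul 26 14:45:10 voodoo nslcd[1245]: version 0.8.4 starting
Jul 26 14:45:10 voodoo nslcd[1245]: accepting connections
Jul 26 14:45:11 voodoo nslcd[1245]: Libgcrypt notice: state transition Power-On => Fatal-Error
Jul 26 14:45:11 voodoo nslcd[1245]: Libgcrypt terminated the application
nslcd[1431]: version 0.8.13 starting
nslcd[1431]: Libgcrypt terminated the application
EOF
}

sample_log | nslcd_gcrypt_kills
```

On a real host the same function can be fed the system log, for example `nslcd_gcrypt_kills < /var/log/syslog`.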
| linuxrrze (marcel-ritter) wrote : | #7 |
I also tried to change the package name concerned:
I think it should be
"nslcd"
not
"nss-pam-ldapd"
Maybe that's why it didn't get the necessary attention for 2 years?
| Arthur de Jong (adejong) wrote : | #8 |
If you can reliably reproduce this, please try to supply debugging information as described in
https:/
(specifically the gdb invocation of ldapsearch).
If this can be shown to be a problem in libldap or something else it can be chased in the appropriate package.
Any help tracking this down is very welcome.
| linuxrrze-ag (andrei-g) wrote : | #9 |
We could reproduce this issue and after 13 reboot attempts on a VM the nslcd wasn't running but the LDAP-Search succeeded.
The relevant parts of the syslog and nslcd.ldapsearc
If you need more information on this let us know.
| Michael Korn (w-michael) wrote : | #10 |
I can confirm that this problem exists since Ubuntu 12.04.
With Ubuntu 14.04 I observe this issue much more often. In fact during 3 of 4 reboots nslcd does not start correctly.
| Michael Korn (w-michael) wrote : | #11 |
I wanted to provide further information with ldapsearch (see https:/
Only ldap (without ssl) works.
The Server is configured to allow both and both ports respond (389 and 636). Our Ubuntu Clients are configured to use ssl (in ldap/ldap.conf and nslcd.conf).
Is there a connection to this issue?
| Michael Korn (w-michael) wrote : | #12 |
I found the solution:
About two years ago we got new workstations. The major part of the configuration was copied from the old workstations.
/etc/ldap/ldap.conf was copied, too.
The files specified by TLS_CERT and TLS_KEY were copied to the new workstations, but the file for TLS_CACERT was forgotten.
After copying the last file ldapsearch is working. And the login problems are gone!
There should be a warning about a missing file.
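The warning asked for in comment #12, as an added example (not code from nslcd, OpenLDAP or the original posters): a shell function that reads `ldap.conf` and `nslcd.conf` style files, reports TLS files that are named but missing, and flags `tls_reqcert never` or `allow`, which leave the server certificate unverified. The function names and the file names in the demo are hypothetical, and the demo config is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: warn about TLS files that a
# config names but that are missing, and about disabled verification.
check_ldap_tls() {            # usage: check_ldap_tls CONFIG...
    rc=0
    for conf in "$@"; do
        [ -r "$conf" ] || { echo "WARN: cannot read $conf"; rc=1; continue; }
        while read -r key value _ || [ -n "$key" ]; do
            # ldap.conf keywords are case-insensitive; nslcd.conf uses lower case.
            case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
                tls_cacert|tls_cacertfile|tls_cert|tls_key)
                    [ -r "$value" ] ||
                        { echo "WARN: $key $value: file missing or unreadable"; rc=1; } ;;
                tls_cacertdir)
                    [ -d "$value" ] ||
                        { echo "WARN: $key $value: directory missing"; rc=1; } ;;
                tls_reqcert)
                    case $value in never|allow)
                        echo "WARN: $key $value: server certificate not verified"; rc=1 ;;
                    esac ;;
            esac
        done < "$conf"
    done
    return "$rc"
}

# Constructed demo: the situation from comment #12 (cert and key copied,
# CA file forgotten) in a throw-away directory with hypothetical file names.
demo() {
    d=$(mktemp -d) || return 2
    : > "$d/client.crt"; : > "$d/client.key"
    printf '%s\n' "# constructed sample" "TLS_CERT $d/client.crt" \
        "TLS_KEY $d/client.key" "TLS_CACERT $d/ca.crt" > "$d/ldap.conf"
    printf '%s\n' "ssl on" "tls_reqcert never" > "$d/nslcd.conf"
    check_ldap_tls "$d/ldap.conf" "$d/nslcd.conf"
    status=$?
    rm -rf "$d"
    return "$status"
}

demo || :   # findings are expected for the constructed sample
```

Against a real system it would be called as `check_ldap_tls /etc/ldap/ldap.conf /etc/nslcd.conf`; a non-zero return means at least one finding.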
| Michael Korn (w-michael) wrote : | #13 |
I need to correct myself. This issue was gone for a while. Then I had problems again on and off.
I can observe this issue regularly, now.
Maybe I will install a script as workaround, that calls "service nscd restart" one minute after booting. Any better suggestions?


The libgcrypt problem is a known one without a known solution so far. Some background information is here: bugs.debian.org/643948 / bugzilla.redhat.com/506796
http://
https:/
It seems to be a bug in either libgcrypt or OpenLDAP (I don't have time to dig into this at the moment though).