passwd ldap request to ActiveDirectory fails on half of 2500 users
Posted
by
groovehunter
on Server Fault
See other posts from Server Fault
or by groovehunter
Published on 2011-02-14T12:12:44Z
Indexed on
2011/02/15
7:27 UTC
Read the original article
Hit count: 662
We just setup ActiveDirectory in my company and imported all linux users and groups.
On the linux client: (configured to ask ldap in nsswitch.conf):
If i do a common ldapsearch to the AD ldap server i get the complete number of about 2580 users. But if i do this it only gets a part of all users, 1221 in number:
getent passwd | wc -l
Running it with strace shows kind of attempt to reconnect
My ideas were: Does the linux authentication procedure run ldapsearch with a parameter incompatible to AD ldap ? Or probably it is a encoding issue. The windows user are entered in AD with all kind of characters.
Maybe someone could shed light on this and give a hint how to debug that further!?
Here's our ldap.conf
host audc01.mycompany.de audc03.mycompany.de
base ou=location,dc=mycompany,dc=de
ldap_version 3
binddn cn=manager,ou=location,dc=mycompany,dc=de
bindpw Password
timelimit 120
idle_timelimit 3600
nss_base_passwd cn=users,cn=import,ou=location,dc=mycompany,dc=de?sub
nss_base_group ou=location,dc=mycompany,dc=de?sub
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount User
# nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute cn sAMAccountName
# Display Name
nss_map_attribute gecos cn
##
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
# PAM attributes
pam_login_attribute sAMAccountName
# Location based login
pam_groupdn CN=Location-AU-Login,OU=au,OU=Location,DC=mycompany,DC=de
pam_member_attribute msSFU30PosixMember
##
pam_lookup_policy yes
pam_filter objectclass=User
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,statd,sync,sys,syslog,usbmux,uucp,www-data
and here the stacktrace from
strace getent passwd
poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 120000) = 1 ([{fd=4, revents=POLLIN}])
read(4, "0\204\0\0\0A\2\1", 8) = 8
read(4, "\4e\204\0\0\0\7\n\1\0\4\0\4\0\240\204\0\0\0+0\204\0\0\0%\4\0261.2."..., 63) = 63
stat64("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=1151, ...}) = 0
geteuid32() = 12560
getsockname(4, {sa_family=AF_INET, sin_port=htons(60334), sin_addr=inet_addr("10.1.35.51")}, [16]) = 0
getpeername(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("10.1.5.81")}, [16]) = 0
time(NULL) = 1297684722
rt_sigaction(SIGPIPE, {SIG_DFL, [], 0}, NULL, 8) = 0
munmap(0xb7617000, 1721) = 0
close(3) = 0
rt_sigaction(SIGPIPE, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGPIPE, {SIG_DFL, [], 0}, NULL, 8) = 0
rt_sigaction(SIGPIPE, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
write(4, "0\5\2\1\5B\0", 7) = 7
shutdown(4, 2 /* send and receive */) = 0
close(4) = 0
shutdown(-1, 2 /* send and receive */) = -1 EBADF (Bad file descriptor)
close(-1) = -1 EBADF (Bad file descriptor)
exit_group(0) = ?
© Server Fault or respective owner