Samba and ldap troubles.

Scott J. Henson scotth at csee.wvu.edu
Fri Sep 2 12:45:01 CDT 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

George Farris wrote:
> Hello gang,
> As the development team I thought maybe someone here would have some
> insight into an issue with Ubuntu.  We have configured Samba with
> Openldap on a couple of machines with different hardware.  Have used
> both Hoary and breezy and experience login locks quite frequently.  We
> were hoping to use Ubuntu as a server but it really does seem extremely
> unstable.  I have had a Fedora Core 2 machine running the same for over
> a year.
> 
> It seems Openldap may be the problem to the point of having to reboot
> the system.  I'm wondering if the choice of using bdb as the database
> was a wise one.  Fedora used ldbm and we've never had a problem.  It is
> a serious issue in that logins lock up completely and one has to reboot
> the machine unless they leave root logged in to a terminal somewhere.
> If I can restart openldap things return to normal.
> 
> The systems can still be pinged so they are alive but essentially
> useless.  There is a local user on the machine and one would expect
> nsswitch to kick in and allow the local user in but the login process
> never reaches a password prompt.
> 
> I'll try and give a more detailed bug report if I find something
> concrete but at this point all I know is it locks up.
> 
> Comments?
> 
Yes, this sounds like libnss-ldap being crappy.  It happens whenever
libnss cannot contact the ldap server.  I would suggest not using
libnss-ldap on your ldap servers.  It would seem to me that there may be
a race in there somewhere or a dead lock.  Remove libnss-ldap from the
ldap servers and I think your problems should be resolved.

This should have nothing to do with the backend of choice.  Its all
about slapd using some libc function that somehow accesses nss, which
then must poll ldap, but the ldap server is waiting on its original
request to be fulfilled, which causes the lock.  I'm not positive that
this is what is happening, but it seems logical.  Possibly you could use
nscd to reduce the frequency of the locks, but I would think it would
just delay the inevitable.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDGI+dr2exNrjonJARAucBAJ9njxyE1qZbI7Z65lSw2F2FjaYnWACfVj+a
4TpRuhVcC98inJ+jxzWgeU8=
=iVg+
-----END PGP SIGNATURE-----

More information about the ubuntu-devel mailing list