Discussion:
[Beowulf] cluster authentication part II
Jörg Saßmannshausen
2018-01-15 23:35:10 UTC
Dear all,

reading the Cluster Authentication (LDAP,AD) thread which was posted at the
end of last year reminds me of a problem we are having.

For our Ubuntu 14 virtual machines we are authenticating against AD and I am
using the nslcd daemon to do that.
This is working very well in a shell, i.e. when I am doing this in a shell:

$ su -l USER

It is fast, it is creating the home directory if I need it (or not if I want
to mount the file space elsewhere and use a local home) and the standard lookup
tools like

$ getent passwd USER

are fast as well.

However, and here is where I am stuck: when I want to log in to the machine
using the GUI, this takes forever. We measured it and it takes up to 90 sec.
until it finally works. I also noticed that it is not reading the
/etc/nslcd.conf file but either /etc/ldap.conf or /etc/ldap/ldap.conf. The
content of the ldap.conf file is identical with the nslcd.conf file. I am using
TLS and not SSL for the secure connection.
Furthermore, and here I am not sure whether it is the same problem or a
different one, if I want to ssh into the Ubuntu VM, this also takes a very long
time (90 sec) until I can do that.
Strangely enough, our HPC cluster is using nslcd as well (I used that
nslcd.conf file as a template for the Ubuntu setup), authenticating against the
same AD and that works instantaneously.

Does anybody have some ideas of where to look at? It somehow puzzles me.
I am a bit inclined to say the problem is within Ubuntu 14 as the cluster is
running CentOS and my Debian chroot environment is Stretch.

All the best from London

Jörg

_______________________________________________
Beowulf mailing list, ***@beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/m
John Hearns via Beowulf
2018-01-16 06:02:25 UTC
Jorg, I do not have the answer for you. One comment I have is that the GUI
login will use different PAM modules from the command line ssh login.
If you are looking for differences between your CentOS machine and Ubuntu I
would also start by listing the PAM modules.

I speak as someone who has a nagging problem with nslcd - I have two
servers which should be identical, and on one I cannot 'sudo' with my
account.

It is possible to stop the nslcd.service and run nslcd -d in a terminal -
this did not help me, it might help you.
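
The comparison suggested above (listing the PAM modules each login path loads), as an added example that is not part of the original post: it resolves Debian/Ubuntu `@include` lines and CentOS-style `include`/`substack` controls and reports which modules only one service loads. The pam.d contents, the service names `lightdm`, `sshd` and `su`, and all function names are constructed for illustration; on a real host pass `/etc/pam.d`.

```python
import os
import tempfile

MODULE_TYPES = {"auth", "account", "password", "session"}

# Constructed sample files, not taken from any real host.
SAMPLE_PAM_D = {
    "common-auth": """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
""",
    "common-session": """\
session required pam_unix.so
session optional pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
""",
    "sshd": """\
@include common-auth
account required pam_nologin.so
@include common-session
session optional pam_motd.so   # login banner
""",
    "lightdm": """\
auth requisite pam_nologin.so
@include common-auth
auth optional pam_gnome_keyring.so
@include common-session
session optional pam_systemd.so
""",
    "su": """\
auth sufficient pam_rootok.so
auth include common-auth
session include common-session
""",
}


def build_sample_pam_dir():
    """Write the constructed sample into a temporary directory."""
    pam_dir = tempfile.mkdtemp(prefix="pamd-")
    for name, text in SAMPLE_PAM_D.items():
        with open(os.path.join(pam_dir, name), "w") as fh:
            fh.write(text)
    return pam_dir


def pam_modules(service, pam_dir="/etc/pam.d", stack=()):
    """Return the ordered (type, module) pairs a PAM service file loads."""
    path = os.path.join(pam_dir, service)
    if service in stack or not os.path.isfile(path):
        return []                      # include loop or missing file
    stack = stack + (service,)
    found = []
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()
            if not fields:
                continue
            if fields[0] == "@include" and len(fields) > 1:
                found += pam_modules(fields[1], pam_dir, stack)
                continue
            mtype = fields[0].lstrip("-")  # "-session" means: skip if module is absent
            if mtype not in MODULE_TYPES or len(fields) < 3:
                continue
            # The control field may span several tokens: [success=1 default=ignore]
            idx = 1
            if fields[1].startswith("["):
                while idx < len(fields) and not fields[idx].endswith("]"):
                    idx += 1
            if idx + 1 >= len(fields):
                continue
            control, target = " ".join(fields[1:idx + 1]), fields[idx + 1]
            if control in ("include", "substack"):
                # Only lines of the same type are pulled in from the included file.
                found += [(t, m) for t, m in pam_modules(target, pam_dir, stack)
                          if t == mtype]
            else:
                found.append((mtype, os.path.basename(target)))
    return found


def compare_services(a, b, pam_dir="/etc/pam.d"):
    """Show which (type, module) pairs are unique to each of two services."""
    set_a, set_b = set(pam_modules(a, pam_dir)), set(pam_modules(b, pam_dir))
    return {
        "only_" + a: sorted(set_a - set_b),
        "only_" + b: sorted(set_b - set_a),
        "shared": sorted(set_a & set_b),
    }


if __name__ == "__main__":
    sample = build_sample_pam_dir()
    for key, pairs in compare_services("lightdm", "sshd", sample).items():
        print(key, pairs)
```

Both libpam-ldap and libpam-ldapd install a module named `pam_ldap.so`, so a module listing alone does not tell them apart; on Debian/Ubuntu, `dpkg -S` on the module's path shows which package owns it.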

Tony Brian Albers
2018-01-16 06:03:56 UTC
Hello Jörg,

This might be caused by latency in hostname lookups. How do the machines
know one another? DNS is generally fine, but to check I'd try to put the
client in the server's (AD server that is) hosts file and put the AD
server and any other machines called during login (maybe for autofs or
something like that) in the client's hosts file. At least that will tell
you whether the thing is DNS related.

Also, when ssh'ing in from another machine, try to put both machines'
fqdn and shortnames in their hosts files.

I know that this might seem odd, since stuff just works when logged in,
but there's a lot of stuff going on during login that depends on
hostname resolution if you have external services (AD authentication etc.)

/tony

--
Tony Albers
Systems administrator, IT-development
Royal Danish Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 2566 2383 / +45 8946 2316
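
One way to run the check described above before and after editing the hosts files, as an added example that is not part of the original post: it reports which machines lack an FQDN or short-name entry in a hosts file and times forward and reverse lookups through the system resolver. The host names, the 192.0.2.x addresses, the one-second threshold and the function names are constructed for illustration.

```python
import socket
import time

# Constructed hosts-file content and machine list (documentation addresses).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  ad1.example.org ad1
192.0.2.21  vm01.example.org      # short name missing
"""
SAMPLE_MACHINES = {
    "ad1.example.org": "192.0.2.10",
    "vm01.example.org": "192.0.2.21",
    "nfs1.example.org": "192.0.2.30",
}


def parse_hosts(text):
    """Map each name in hosts-file text to its address (first entry wins)."""
    names = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            names.setdefault(name.lower(), fields[0])
    return names


def missing_entries(hosts_text, machines):
    """machines maps fqdn -> ip. Return names absent or mapped to another IP."""
    known = parse_hosts(hosts_text)
    problems = []
    for fqdn, ip in sorted(machines.items()):
        fqdn = fqdn.lower()
        for name in (fqdn, fqdn.split(".", 1)[0]):   # FQDN and short name
            if name not in known:
                problems.append((name, "missing"))
            elif known[name] != ip:
                problems.append((name, "points to " + known[name]))
    return problems


def timed_lookup(arg, resolve):
    """Run one lookup; return (seconds, result), result is None on failure."""
    start = time.monotonic()
    try:
        result = resolve(arg)
    except OSError:          # socket.gaierror and socket.herror derive from OSError
        result = None
    return time.monotonic() - start, result


def slow_lookups(machines, threshold=1.0,
                 forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return (kind, argument, 'slow' | 'failed') for each problematic lookup."""
    flagged = []
    for fqdn, ip in sorted(machines.items()):
        for kind, arg, fn in (("forward", fqdn, forward), ("reverse", ip, reverse)):
            seconds, result = timed_lookup(arg, fn)
            if result is None:
                flagged.append((kind, arg, "failed"))
            elif seconds > threshold:
                flagged.append((kind, arg, "slow"))
    return flagged


if __name__ == "__main__":
    for name, why in missing_entries(SAMPLE_HOSTS, SAMPLE_MACHINES):
        print("hosts file:", name, why)
    # Uses the real resolver; the constructed names are expected to fail.
    for kind, arg, why in slow_lookups(SAMPLE_MACHINES):
        print(kind, "lookup of", arg, why)
```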
Lux, Jim (337K)
2018-01-17 01:20:25 UTC
In my "beaglebone cluster", I've found that this kind of thing has a huge effect even with vanilla ssh. By default, the Debian distro supports the zeroconf network name resolution ".local" hostname stuff (bonjour in apple-land), so you can get fooled into thinking that it knows how to resolve names (because it works sometimes), but then it mysteriously takes longer (e.g. some local cache of IP address to hostname is obsolete, but it tries the old IP address for a while). Using my Macbook as the "cluster controller" and running pdsh, sometimes it would work, sometimes it wouldn't (depending on what I've done before, and what is "remembered" by MacOS).

So putting all those hostnames into hosts files, and appropriate rules in the sshd config files, etc. makes a world of difference. Now, "it just works".

$ pdsh -w beagle[1-8] some command

Works just fine.

Rémy Dernat
2018-01-17 11:08:37 UTC
I would switch to sssd. I had many problems with nslcd (connection,
cache...).

Best regards
Jörg Saßmannshausen
2018-01-17 23:12:27 UTC
Dear all,

thanks for all your useful comments.
In the end, and after some debugging, I found the culprit. For one reason or
another I installed libpam-ldap instead of libpam-ldapd. I guess that was a
typo as libpam-ldapd will be pulled automatically when you are installing
nslcd.
Once I corrected that, both su -l USER and ssh ***@localhost (or from a
remote host to the Ubuntu VDI) are working fast again.
Don't ask me what is the difference between the two, I don't know is the short
answer here.

One question: when I was doing some research on the internet, I came across
nslcd and sssd. Which one is 'better'? I know that is a bit of an ambiguous
question to ask but I have not found a page telling me the difference between
the two.

Regarding Ubuntu vs. other distros: that is not my choice. Personally I am in
favour of Debian but that is my personal choice. At the workplace I have to
work with what is their policy. I am not a great fan of having different
distributions floating around at one place as it makes the administration a
nightmare (you will never be good at all of them) but we are where we are
here.

Regarding sudo: that is still a problem on one of the servers: it simply does
not accept the password. Once I know more here I can report back to you, John.

Sorry for my slow response here. I am not looking at the email list when I am
at work and thus it takes me a day or two to reply.

All the best from a cold London (storm about to come tonight)

Jörg
Jonathan Engwall
2018-01-18 00:36:57 UTC
I don't want to bore anybody, this might be interesting. My parts are
almost all in. This is a really great topic.
https://arthurdejong.org/nss-pam-ldapd/setup
And with several informative web pages.

Jörg Saßmannshausen
2018-01-18 11:06:45 UTC
Hi Jonathan,

thanks for the link. That is basically what I was doing as there are many
tutorials and how-to pages out there. Your page is quite nicely condensed
which makes it easy to read.

All the best

Jörg
jaquilina
2018-01-18 07:47:31 UTC
Hi Jorg,

Is the user added either to the Wheel group or as a user in the sudoers
file?

Regards
Jonathan
Jörg Saßmannshausen
2018-01-18 11:02:06 UTC
Hi Jonathan,

it is. I tried both, wheel and in the sudoers file. It is asking for the
password which I supply (it is my account), it is asking for the password
again. The password is correct as I am using it.
The interesting thing is: I only got this problem on the headnode but not on
the compute nodes. Here it is working as expected. It *should* be the same
setup regarding LDAP but obviously it is not. One of my problems is I did not
install the cluster and I have already found a number of bugs on it. As it is
a live system I cannot run nslcd in the debug mode. Having said that, I am
currently installing a sandbox which is a copy of the headnode and I will try
to reproduce it there and here I can run nslcd in the debug mode. Hopefully
that gives me some ideas of what is going on there.

Thanks for your suggestions.

Jörg
Prentice Bisbal
2018-01-23 22:37:26 UTC
Permalink
I second this. sssd is much better than nscd or nslcd.

Prentice
Post by Rémy Dernat
I would switch to sssd. I had many problems with nslcd (connection,
cache...).
Best regards
Jonathan Engwall
2018-01-24 01:48:58 UTC
Permalink
Ubuntu has a package called tiger which is very very verbose. I had some
trouble with listeners at strange ports like 13141 or 30303 according to
tiger. At this same time more than a year ago sometimes ssh would report
that keys had changed.
This feels like a ghost story but it is not. This was when I was running a
MUD, so nothing out of the ordinary was going on. But Tiger will tell you
everything.
You should delete the log with a cron job. Tiger is repetitive with
warnings.
Post by Prentice Bisbal
I second this. sssd is much better than nscd or nslcd.
Prentice
Post by Rémy Dernat
I would switch to sssd. I had many problems with nslcd (connection,
cache...).
Best regards
Prentice Bisbal
2018-01-23 22:29:22 UTC
Permalink
Post by Jörg Saßmannshausen
Dear all,
reading the Cluster Authentication (LDAP,AD) thread which was posted at the
end of last year reminds me of a problem we are having.
For our Ubuntu 14 virtual machines we are authenticating against AD and I am
using the nslcd daemon to do that.
$ su -l USER
It is fast, it is creating the home directory if I need it (or not if I want
to mount the file space elsewhere and use a local home) and the standard lookup
tools like
$ getent password USER
are fast as well.
However, and here is where I am stuck: when I want to log in to the machine
using the GUI, this takes forever. We measured it and it takes up to 90 sec.
until it finally works. I also noticed that it is not reading the
/etc/nslcd.conf file but either /etc/ldap.conf or /etc/ldap/ldap.conf.
I don't know about Ubuntu, but for RHEL-based systems, the following
holds true:

/etc/ldap.conf is used by the pam_ldap module

/etc/ldap/ldap.conf is used by the ldap "client" utilities: ldapsearch,
ldapadd, ldapdelete, ldapmodify, etc.

As someone else said, it sounds like something is misconfigured, and is
trying to contact a dead DNS or LDAP server before failing over to a
working one.

The best way to debug something like this is to use ldapsearch and see
if you can do a query. You should get some kind of result almost
immediately. If you do not, specify the ldap server(s) you should be
using on the command-line with the -h switch:

ldapsearch -h host_a uid=username
ldapsearch -h host_b uid=username

If that doesn't work, try using the IP addresses of your LDAP servers
instead of the hostnames. If that works, it's a hostname lookup issue.
If that still doesn't work, you've got bigger issues.

Note that the -h switch is deprecated in favor of using the -H, which
uses a URL syntax:

ldapsearch -H ldap://host_a:389/

Check the man page or google for specific syntax examples.

If the ldapsearch queries work fine, try using the getent command to see
if it can find account information that exists in ldap. For example for
user 'bob':

getent passwd bob

should return something like this very quickly

bob:*:1001:1001:Bob Lastname:/home/bob:/bin/bash

I suspect that will work, since you can login from the command-line,
but I always like to test that when debugging account/authorization
issues like this. As before, if there's a delay, that's not good.

If all of the above works, you need to check your PAM stack. In this
case, the best way to see what's going wrong is to look at
/var/log/secure (on RHEL systems; on Ubuntu, it may have a different
name or path). Usually, any PAM issues are logged there with helpful
error messages. PAM is a bit more complicated than simple LDAP queries,
so if you're still struggling with this, please post any error messages
from your logs.

Prentice
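
The sequence of checks described in the message above, timed stage by stage so the slow layer stands out (an added example, not part of the original post). The script name, the 2-second threshold, the host, IP and user arguments, and the "NSS lookup issue" label for a slow or failing getent are assumptions of this example.

```shell
#!/bin/sh
# Added example: time each stage of the ldapsearch -> getent -> PAM log sequence.
# The 2-second threshold and the host/IP/user arguments are assumptions.
SLOW=${SLOW:-2}

# Run a command quietly and print "<exit status> <elapsed whole seconds>".
timed() {
    t_start=$(date +%s)
    t_rc=0
    "$@" >/dev/null 2>&1 || t_rc=$?
    t_end=$(date +%s)
    echo "$t_rc $((t_end - t_start))"
}

# Turn one stage result into ok | slow | failed.
verdict() {   # args: exit_status elapsed_seconds
    if [ "$1" -ne 0 ]; then echo failed
    elif [ "$2" -ge "$SLOW" ]; then echo slow
    else echo ok
    fi
}

# Map the three verdicts onto the conclusions drawn in the message.
diagnose() {  # args: ldapsearch_by_name ldapsearch_by_ip getent
    if [ "$1" != ok ] && [ "$2" = ok ]; then
        echo "hostname lookup issue"
    elif [ "$1" != ok ]; then
        echo "LDAP server or network issue"
    elif [ "$3" != ok ]; then
        echo "NSS lookup issue"
    else
        echo "check the PAM stack and its log"
    fi
}

# Usage (hypothetical script name, placeholder values):
#   sh ldap-stages.sh host_a 192.0.2.10 bob
if [ "$#" -eq 3 ]; then
    # Add your site's bind/TLS options to ldapsearch (for example -x or -ZZ).
    by_name=$(verdict $(timed ldapsearch -H "ldap://$1:389/" "uid=$3"))
    by_ip=$(verdict $(timed ldapsearch -H "ldap://$2:389/" "uid=$3"))
    nss=$(verdict $(timed getent passwd "$3"))
    echo "ldapsearch by name: $by_name, by IP: $by_ip, getent: $nss"
    diagnose "$by_name" "$by_ip" "$nss"
fi
```

Elapsed time is measured in whole seconds, which is coarse but sufficient for a delay on the order of the 90 seconds reported in this thread.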