[Beowulf] cluster authentication part II

[Prentice Bisbal]

On 01/15/2018 06:35 PM, Jörg Saßmannshausen wrote:
> Dear all,
>
> reading the Cluster Authentication (LDAP,AD) thread which was posted at the
> end of last year reminds me of a problem we are having.
>
> For our Ubuntu 14 virtual machines we are authenticating against AD and I am
> using the nslcd daemon to do that.
> This is working very well in a shell, i.e. when I am doing this in a shell:
>
> $ su -l USER
>
> It is fast, it is creating the home directory if I need it (or not if I want
> to mount the file space elsewhere and use a local home) and the standard lookup
> tools like
>
> $ getent password USER
>
> are fast as well.
>
> However, and here is where I am stuck: when I want to log in to the machine
> using the GUI, this takes forever. We measures it and it takes up to 90 sec.
> until it finally works. I also noticed that it is not reading the
> /etc/nslcd.conf file but either /etc/ldap.conf or /etc/ldap/ldap.conf.

I don't know about Ubuntu, but for RHEL-based systems, the following 
holds true:

/etc/ldap.conf is used by the pam_ldap module

/etc/ldap/ldap.conf is used by the ldap "client" utilities: ldapsearch, 
ldapadd, ldapdelete, ldapmodify, etc.

As someone else said, it sounds like something is misconfigured, and is 
trying to contact a dead DNS or LDAP server before failing over to a 
working one.

The best way to debug something like this is to use ldapsearch and see 
if you can do a query. You should get some kind of result almost 
immediately. If you do not, specify the ldap server(s) you should be 
using on the command-line with the -h switch:

ldapsearch -h host_a uid=username
ldapsearch -h host_b uid=username

If that doesn't work, try using the IP addresses of your LDAP servers 
instead of the hostnames. If that works, it's a hostname lookup issue. 
If that still doesn't work, you've got bigger issues.

Note that the -h switch is deprecated in favor of using the -H, which 
uses a URL syntax:

ldapsearch -H ldap://host_a:389/

Check the man page or google for specific syntax examples.

If the ldapsearch queries work fine, try using the getent command to see 
if it can find account information that exists in ldap. For example for 
user 'bob':

getent passwd bob

should return something like this very quickly

bob:*:1001:1001:Bob Lastname:/home/bob:/bin/bash

I suspect that will work,  since you can login from the command-line, 
but I always like to test that when debugging account/authorization 
issues like this. As before, if there's a delay, that's not good.

If all of the above works, you need to check your PAM stack. In this 
case, the best way to see what's going wrong is to look at 
/var/log/secure (on RHEL systems, on Ubuntu, it may have a different 
name or path.). Usually, any PAM issues are logged there with helpful 
error messages.  PAM is a bit more complicated than simple LDAP queries, 
so if you're still struggling with this, please pos any error messages 
from your logs.

Prentice



> The
> content of the ldap.conf file is identical with the nslcd.conf file. I am using
> TLS and not SSL for the secure connection .
> Furthermore, and here I am not sure whether it is the same problem or a
> different one, if I want to ssh into the Ubuntu VM, this also take a very long
> time (90 sec) until I can do that.
> Strangely enough, our HPC cluster is using nslcd as well (I used that
> nslcd.conf file as a template for the Ubuntu setup), authenticating against the
> same AD and that works instantaneous.
>
> Does anybody has some ideas of where to look at? It somehow puzzles me.
> I am a bit inclined to say the problem is within Ubuntu 14 as the cluster is
> running CentOS and my Debian chroot environment ist Stretch.
>
> All the best from London
>
> Jörg
>
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
> To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf