[Beowulf] cluster authentication part II
Prentice Bisbal
pbisbal at pppl.gov
Tue Jan 23 14:29:22 PST 2018
On 01/15/2018 06:35 PM, Jörg Saßmannshausen wrote:
> Dear all,
>
> reading the Cluster Authentication (LDAP,AD) thread which was posted at the
> end of last year reminds me of a problem we are having.
>
> For our Ubuntu 14 virtual machines we are authenticating against AD and I am
> using the nslcd daemon to do that.
> This is working very well in a shell, i.e. when I am doing this in a shell:
>
> $ su -l USER
>
> It is fast, it is creating the home directory if I need it (or not if I want
> to mount the file space elsewhere and use a local home) and the standard lookup
> tools like
>
> $ getent password USER
>
> are fast as well.
>
> However, and here is where I am stuck: when I want to log in to the machine
> using the GUI, this takes forever. We measures it and it takes up to 90 sec.
> until it finally works. I also noticed that it is not reading the
> /etc/nslcd.conf file but either /etc/ldap.conf or /etc/ldap/ldap.conf.
I don't know about Ubuntu, but for RHEL-based systems, the following
holds true:
/etc/ldap.conf is used by the pam_ldap module
/etc/ldap/ldap.conf is used by the ldap "client" utilities: ldapsearch,
ldapadd, ldapdelete, ldapmodify, etc.
As someone else said, it sounds like something is misconfigured, and is
trying to contact a dead DNS or LDAP server before failing over to a
working one.
The best way to debug something like this is to use ldapsearch and see
if you can do a query. You should get some kind of result almost
immediately. If you do not, specify the ldap server(s) you should be
using on the command-line with the -h switch:
ldapsearch -h host_a uid=username
ldapsearch -h host_b uid=username
If that doesn't work, try using the IP addresses of your LDAP servers
instead of the hostnames. If that works, it's a hostname lookup issue.
If that still doesn't work, you've got bigger issues.
Note that the -h switch is deprecated in favor of using the -H, which
uses a URL syntax:
ldapsearch -H ldap://host_a:389/
Check the man page or google for specific syntax examples.
If the ldapsearch queries work fine, try using the getent command to see
if it can find account information that exists in ldap. For example for
user 'bob':
getent passwd bob
should return something like this very quickly
bob:*:1001:1001:Bob Lastname:/home/bob:/bin/bash
I suspect that will work, since you can login from the command-line,
but I always like to test that when debugging account/authorization
issues like this. As before, if there's a delay, that's not good.
If all of the above works, you need to check your PAM stack. In this
case, the best way to see what's going wrong is to look at
/var/log/secure (on RHEL systems, on Ubuntu, it may have a different
name or path.). Usually, any PAM issues are logged there with helpful
error messages. PAM is a bit more complicated than simple LDAP queries,
so if you're still struggling with this, please pos any error messages
from your logs.
Prentice
> The
> content of the ldap.conf file is identical with the nslcd.conf file. I am using
> TLS and not SSL for the secure connection .
> Furthermore, and here I am not sure whether it is the same problem or a
> different one, if I want to ssh into the Ubuntu VM, this also take a very long
> time (90 sec) until I can do that.
> Strangely enough, our HPC cluster is using nslcd as well (I used that
> nslcd.conf file as a template for the Ubuntu setup), authenticating against the
> same AD and that works instantaneous.
>
> Does anybody has some ideas of where to look at? It somehow puzzles me.
> I am a bit inclined to say the problem is within Ubuntu 14 as the cluster is
> running CentOS and my Debian chroot environment ist Stretch.
>
> All the best from London
>
> Jörg
>
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
> To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
More information about the Beowulf
mailing list