nslcd strangeness.
posted by Greg Whynott  on March 15, 2018, 4:45 p.m. (6 months, 6 days ago)

Eventually I'll roll everything over to sssd but for now we are using good old nslcd. While this isn't causing any production issues I thought I'd bring it up to see if anyone happens to know why the below behavior is what it is.

Every time someone logs into a system or does something where a lookup is going to happen, we would see a lot of lines in the logs similar to:

CN=Exchange All Hosted Organizations,OU=Microsoft Exchange Security Groups,DC=toonboxent,DC=com: gidNumber: missing
CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=toonboxent,DC=com: gidNumber: missing
CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,DC=toonboxent,DC=com: gidNumber: missing

While I was fixing the AD and testing my changes I noticed that if I log in, nslcd would do the lookup on the currently logged-in user instead. Sounds confusing, I'll try to explain. (This behavior existed pre and post my AD changes; it isn't the result of any changes I made today.)

On a machine with t.tiger logged in and working away, if I SSH to that machine as myself (ssh g.whynott@df001), instead of me seeing:

Mar 15 16:24:35 df001 nslcd[1310]: [6f4b97] <group/member="g.whynott"> CN=Schema Admins,CN=Users,DC=toonboxent,DC=com: gidNumber: missing
Mar 15 16:24:35 df001 nslcd[1310]: [6f4b97] <group/member="g.whynott"> CN=Public Folder Management,OU=Microsoft Exchange Security Groups,DC=toonboxent,DC=com: gidNumber: missing

what I instead see is:

Mar 15 16:24:35 df001 systemd: Started Session 5819 of user g.whynott.
Mar 15 16:24:35 df001 systemd-logind: New session 5819 of user g.whynott.
Mar 15 16:24:35 df001 systemd: Starting Session 5819 of user g.whynott.
Mar 15 16:24:35 df001 gdm: AccountsService: ActUserManager: user (null) has no username (object path: /org/freedesktop/Accounts/User717751540, uid: 0)
Mar 15 16:24:35 df001 nslcd[1310]: [6f4b97] <group/member="t.tiger"> CN=Schema Admins,CN=Users,DC=toonboxent,DC=com: gidNumber: missing
Mar 15 16:24:35 df001 nslcd[1310]: [6f4b97] <group/member="t.tiger"> CN=Public Folder Management,OU=Microsoft Exchange Security Groups,DC=toonboxent,DC=com: gidNumber: missing


No matter who is logging in after the system is being used by someone, it'll do the lookup on the first person logged in instead of the inbound user... nslcd is running as itself:
nslcd 1138 1 0 Mar09 ? 00:00:14 /usr/sbin/nslcd


Now this isn't affecting anything from what we can tell; it's been using the same configuration for about 7 years now over multiple distributions (can't say if the logging behavior is the same though). Users log in, groups are correctly displayed and used, files created with proper ownerships...
It's just more of an aesthetic (read ADHD) thing than anything, but I'd like to understand why it's doing a lookup on someone other than the UID requesting AAA lookups. Going further, now that our AD groups all have proper gidNumbers assigned to them, we won't be seeing these logs anymore, but still!!!!! wtf?


-greg
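An added example, not part of the original post: a small parser for the nslcd log format quoted above that tallies which AD group DNs nslcd reports as missing gidNumber (the list to fix in AD) and which lookup subject each request id actually queried (to check whether the inbound user ever appears). The sample lines are constructed, and the regex assumes the `[reqid] <map/key="value"> DN: attr: missing` shape of the lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the post's nslcd log output (not real logs).
SAMPLE_LOG = """\
Mar 15 16:24:35 df001 systemd: Started Session 5819 of user g.whynott.
Mar 15 16:24:35 df001 nslcd[1310]: [6f4b97] <group/member="t.tiger"> CN=Schema Admins,CN=Users,DC=toonboxent,DC=com: gidNumber: missing
Mar 15 16:24:35 df001 nslcd[1310]: [6f4b97] <group/member="t.tiger"> CN=Public Folder Management,OU=Microsoft Exchange Security Groups,DC=toonboxent,DC=com: gidNumber: missing
Mar 15 16:24:36 df001 nslcd[1310]: [a1b2c3] <group/member="g.whynott"> CN=Exchange All Hosted Organizations,OU=Microsoft Exchange Security Groups,DC=toonboxent,DC=com: gidNumber: missing
"""

# Assumed line shape: "<ts> <host> nslcd[<pid>]: [<reqid>] <map/key="value"> <DN>: <attr>: missing"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) nslcd\[(?P<pid>\d+)\]: '
    r'\[(?P<req>[0-9a-f]+)\] <(?P<map>[^/=>]+)(?:/(?P<key>[^=>]+))?'
    r'(?:="(?P<val>[^"]*)")?> (?P<dn>.+?): (?P<attr>\w+): missing$'
)


def parse_nslcd_line(line):
    """Return the parsed fields of one nslcd 'missing attribute' line, or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def missing_attributes(log_text):
    """Map each DN to the set of attributes nslcd reported missing for it."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_nslcd_line(line)
        if rec:
            missing[rec["dn"]].add(rec["attr"])
    return dict(missing)


def lookup_subjects(log_text):
    """Map each request id to the lookup subjects (e.g. group/member=user) it queried."""
    subjects = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_nslcd_line(line)
        if rec and rec["val"] is not None:
            subject = rec["map"] + ("/" + rec["key"] if rec["key"] else "")
            subjects[rec["req"]].add(f'{subject}={rec["val"]}')
    return dict(subjects)


if __name__ == "__main__":
    for dn, attrs in sorted(missing_attributes(SAMPLE_LOG).items()):
        print(f"{dn}: missing {', '.join(sorted(attrs))}")
    for req, subs in sorted(lookup_subjects(SAMPLE_LOG).items()):
        print(f"[{req}] looked up {', '.join(sorted(subs))}")
```

Feed it the real log with `missing_attributes(open("/var/log/messages").read())`; every DN it lists is an AD group still lacking a gidNumber.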