Mailing List Archive

conserver exit on failed NSS lookup
Hi,

I'm running conserver on a host that uses LDAP for the user database,
and sometimes we have problems with that. However, shouldn't conserver
simply survive and return an error if the NSS lookup failed? Why exit?

[Mon Jun 22 16:20:42 2009] conserver (3005): [pcitfiot05] exit(1)
conserver: ldap-nss.c:1319: do_init: Assertion `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' failed.

cheers,

Andras
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users
Re: conserver exit on failed NSS lookup [ In reply to ]
Those two lines should be independent of themselves. In other words,
the first (pcitfiot05) logs an exitsbecause the command to bring up that
console exited (with a value of 1). The second line must be a PAM-based
LDAP error string...and if it takes down all of conserver, I'd like to
know. I don't have anything in the code to actually exit, so I'm
guessing it's the PAM library doing that. Unless you're just assuming
conserver is exiting because of the first line...which would be a bad
assumption.

Anyway, maybe that helps clear things up...but if conserver is really
exiting, I hope there's some way to tell the PAM bits to not do that.
Running in debug mode (-D) might help see things too. Do you get any
"CheckPass():" entries in the log file? PAM issues should be logged
with that string (unless, of course, it's triggering an exit and not
allowing conserver to deal with the issues).

Bryan

On Mon, Jun 22, 2009 at 04:39:29PM +0200, Andras.Horvath@cern.ch wrote:
> Hi,
>
> I'm running conserver on a host that uses LDAP for the user database,
> and sometimes we have problems with that. However, shouldn't conserver
> simply survive and return an error if the NSS lookup failed? Why exit?
>
> [Mon Jun 22 16:20:42 2009] conserver (3005): [pcitfiot05] exit(1)
> conserver: ldap-nss.c:1319: do_init: Assertion `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' failed.
>
> cheers,
>
> Andras
> _______________________________________________
> users mailing list
> users@conserver.com
> https://www.conserver.com/mailman/listinfo/users
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users
Re: conserver exit on failed NSS lookup [ In reply to ]
On Tue, Jun 23, 2009 at 12:11:18AM +0200, Bryan Stansell wrote:
> Those two lines should be independent of themselves. In other words,
> the first (pcitfiot05) logs an exitsbecause the command to bring up that
> console exited (with a value of 1). The second line must be a PAM-based
> LDAP error string...and if it takes down all of conserver, I'd like to
> know. I don't have anything in the code to actually exit, so I'm
> guessing it's the PAM library doing that. Unless you're just assuming
> conserver is exiting because of the first line...which would be a bad
> assumption.

OK, thanks for the clarification (I did make the wrong assumption here.)

This is conserver running OK on my box:

[root@lxc1rg27 ~]# ps axuw | grep conserv
uucp 11263 0.0 1.4 74672 14780 ? Ss Jun22 0:00 /usr/sbin/conserver -d -L /var/log/console/__server.log
uucp 11264 0.0 0.1 50396 1532 ? S Jun22 0:00 /usr/sbin/conserver -d -L /var/log/console/__server.log
uucp 11266 0.0 1.4 74636 14584 ? S Jun22 0:00 /usr/sbin/conserver -d -L /var/log/console/__server.log
uucp 11267 0.0 0.1 50392 1544 ? S Jun22 0:00 /usr/sbin/conserver -d -L /var/log/console/__server.log
root 14664 0.0 0.0 61148 704 pts/0 R+ 10:48 0:00 grep conserv
[root@lxc1rg27 ~]#

After the crash/exit/whatever, there were still three threads hanging
around but the network port was closed. I'll try to reproduce the issue
with -D.

> Running in debug mode (-D) might help see things too. Do you get any
> "CheckPass():" entries in the log file? PAM issues should be logged

not without -D, and it's not easy to force this issue but I'll try to
get it back again.

Andras
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users
Re: conserver exit on failed NSS lookup [ In reply to ]
On Tue, Jun 23, 2009 at 12:11:18AM +0200, Bryan Stansell wrote:

> Anyway, maybe that helps clear things up...but if conserver is really
> exiting, I hope there's some way to tell the PAM bits to not do that.
> Running in debug mode (-D) might help see things too. Do you get any
> "CheckPass():" entries in the log file? PAM issues should be logged

Okay, I got it reproduced. It looks like one thread/process dies;
the assert() error message actually comes from nss_ldap, and assert()
calls abort() which seems to always exit no matter what. Thus, there's
precious little conserver can do, other than restarting the process in
question somehow (or kill the rest of them with it).

FTR, client side:

raas@pcitadc01:~$ console -l ahorvath -M lxc1rg27 -p 7782 lxb7726
Enter ahorvath@lxc1rg27.cern.ch's password:
lxc1rg27: invalid password
Enter ahorvath@lxc1rg27.cern.ch's password:
console: FileRead(): SSL error on fd 4
console: lost connection
raas@pcitadc01:~$ console -l ahorvath -M lxc1rg27 -p 7782 lxb7726
console: connect(): 7782@lxc1rg27: Connection refused
raas@pcitadc01:~$

also on the server, logging in locally, connection is refused even
though some threads are still running:

[root@lxc1rg27 ~]# console -x
console: connect(): 7782@localhost: Connection refused
[root@lxc1rg27 ~]# ps axuw | grep cons
uucp 2952 0.0 0.1 50188 1540 ? S Jun23 0:06 /usr/sbin/conserver -d -D -D -L /var/log/console/__server.log
uucp 2981 0.0 0.1 50188 1540 ? S Jun23 0:00 /usr/sbin/conserver -d -D -D -L /var/log/console/__server.log
uucp 3002 0.0 0.1 50188 1560 ? S Jun23 0:00 /usr/sbin/conserver -d -D -D -L /var/log/console/__server.log
root 9856 0.0 0.0 61148 704 pts/0 R+ 14:57 0:00 grep cons
[root@lxc1rg27 ~]#

Server side logs, running with -D, featuring the PAM error message as well
(changed password in the log below - but I had to supply the real password for
the failure to happen)

[Wed Jul 1 14:55:23 2009] conserver (2906): DEBUG: [cutil.c:1206] FileWrite(): sending `passwd? lxc1rg27.cern.ch^M^J' to fd 4
[Wed Jul 1 14:55:23 2009] conserver (2906): DEBUG: [cutil.c:1368] FileWrite(): wrote 26 bytes to fd 4
[Wed Jul 1 14:55:27 2009] conserver (2906): DEBUG: [cutil.c:1134] FileRead(): read 14 bytes from fd 4
[Wed Jul 1 14:55:27 2009] conserver (2906): DEBUG: [cutil.c:1147] FileRead(): read `mypasswd^M^J' from fd 4
[Wed Jul 1 14:55:27 2009] conserver (2906): DEBUG: [cutil.c:491] ReadLine(): returning <*any*:*passwd*>
[Wed Jul 1 14:55:27 2009] conserver (2906): DEBUG: [group.c:771] CheckPass(): pam_start(conserver,ahorvath,...)
[Wed Jul 1 14:55:27 2009] conserver (2906): DEBUG: [group.c:776] CheckPass(): pam_authenticate(ahorvath)
conserver: ldap-nss.c:1319: do_init: Assertion `cfg->ldc_uris[__session.ls_current_uri] != ((void *)0)' failed.
[Wed Jul 1 14:55:28 2009] conserver (2981): DEBUG: [cutil.c:1134] FileRead(): read 28 bytes from fd 13
[Wed Jul 1 14:55:28 2009] conserver (2981): DEBUG: [cutil.c:1147] FileRead(): read `^[PHB:lxb7728.cern.ch:68234^[\' from fd 13
[Wed Jul 1 14:55:28 2009] conserver (2981): DEBUG: [group.c:2540] DoConsoleRead(): read 28 bytes from fd 13
[Wed Jul 1 14:55:28 2009] conserver (2981): DEBUG: [cutil.c:1206] FileWrite(): sending `^[PHB:lxb7728.cern.ch:68234^[\' to fd 12
[Wed Jul 1 14:55:28 2009] conserver (2981): DEBUG: [cutil.c:1368] FileWrite(): wrote 28 bytes to fd 12
[Wed Jul 1 14:55:28 2009] conserver (2981): DEBUG: [group.c:4482] Kiddie(): select timeout of 33 seconds
[Wed Jul 1 14:55:29 2009] conserver (2981): DEBUG: [cutil.c:1134] FileRead(): read 28 bytes from fd 7
[Wed Jul 1 14:55:29 2009] conserver (2981): DEBUG: [cutil.c:1147] FileRead(): read `^[PHB:lxb7731.cern.ch:60776^[\' from fd 7
[Wed Jul 1 14:55:29 2009] conserver (2981): DEBUG: [group.c:2540] DoConsoleRead(): read 28 bytes from fd 7
[Wed Jul 1 14:55:29 2009] conserver (2981): DEBUG: [cutil.c:1206] FileWrite(): sending `^[PHB:lxb7731.cern.ch:60776^[\' to fd 6
[Wed Jul 1 14:55:29 2009] conserver (2981): DEBUG: [cutil.c:1368] FileWrite(): wrote 28 bytes to fd 6

Andras
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users