chsh.ldap crashes when I change my password

Bug #1781035 reported by Kabanov Dmitry
This bug affects 1 person
Affects: nss-pam-ldapd (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I try to change my shell on a university-provided computer.
Basic `chsh` does not work.

Google told me that I need to install the nslcd-utils package and use the `chsh.ldap` command.

However, when I do `chsh.ldap -s /usr/bin/zsh` to switch from bash to zsh, I get the following error:

Traceback (most recent call last):
  File "/usr/bin/chsh.ldap", line 69, in <module>
    constants.NSLCD_USERMOD_SHELL: shell,
  File "/usr/share/nslcd-utils/nslcd.py", line 128, in usermod
    assert con.get_response() == constants.NSLCD_RESULT_BEGIN
  File "/usr/share/nslcd-utils/nslcd.py", line 103, in get_response
    return self.read_int32()
  File "/usr/share/nslcd-utils/nslcd.py", line 71, in read_int32
    return _int32.unpack(self.read(_int32.size))[0]
struct.error: unpack requires a string argument of length 4

Funny side note: In the field above "In what package did you find this bug?" I write `nslcd-utils` (this is what I installed to get the chsh.ldap command) but I get an error that no such package exists, although it DOES exist, at least in Ubuntu 16.04:

$ apt search nslcd-util
Sorting... Done
Full Text Search... Done
nslcd-utils/xenial,xenial,now 0.9.6-3 all [installed]
  utilities for querying LDAP via nslcd

Arthur de Jong (adejong) wrote :

Can you post the output from nslcd in debug mode? The easiest way to do this is to run in a separate window:

% sudo -s
# service nslcd stop
# nslcd -d

It is important to run sudo -s first because if you stop the nslcd service the LDAP users will not be able to authenticate until you start nslcd again. You can terminate the above with <Control>+<C> and run service nslcd start.

Kabanov Dmitry (kabanovdmitry) wrote :

Here it is. I anonymize it a bit by replacing domain and server names.

admin@machine:~$ sudo -s
[sudo] password for admin:
root@machine:~# service nslcd stop
root@machine:~# nslcd -d
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.6
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/ssl/certs/ca-certificates.crt")
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid nslcd
nslcd: DEBUG: CFG: gid 132
nslcd: DEBUG: CFG: uri ldap://wsldc1sr01.kaust.edu.sa/
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: base DC=XXXXX,DC=XXX,DC=XX
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectClass=posixAccount)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=shadowAccount)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl off
nslcd: DEBUG: CFG: tls_reqcert demand
nslcd: DEBUG: CFG: tls_cacertfile /etc/ssl/certs/ca-certificates.crt
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: version 0.9.6 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",132) done
nslcd: DEBUG: setgid(132) done
nslcd: DEBUG: setuid(126) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=9501 uid=124296 gid=1124296
nslcd: [8b4567] <usermod="kabanod"> DEBUG: nslcd_usermod("kabanod",asuser,"***")
nslcd: [8b4567] <usermod="kabanod"> DEBUG: nslcd_usermod(shell="/usr/bin/zsh")
nslcd: [8b4567] <usermod="kabanod"> DEBUG: myldap_search(base="DC=XXXXX,DC=XXX,DC=XX", filter="(&(objectClass=po...


Arthur de Jong (adejong) wrote :

The problem from the logs is that the lookup of the user failed in nslcd. This probably means that authentication between nslcd and the LDAP server needs to be configured in nslcd.conf. I expect that getent.ldap also fails with this configuration.

If you are not using libnss-ldapd for LDAP user account management, using nslcd-utils may not be the best solution.
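
The traceback in the report ends with `struct.unpack` being handed fewer than four bytes, which is what a client sees when the stream ends before a full integer arrives. The following is an added example, not part of this thread and not code from nss-pam-ldapd: it reproduces that failure with a constructed peer that closes early and shows a length-checked read that reports the truncation explicitly. The big-endian `'!i'` format, the helper names and the sample payloads are assumptions made for the demo.

```python
import socket
import struct

# Assumption: a 4-byte big-endian integer, matching the 4-byte unpack in the traceback.
_int32 = struct.Struct('!i')


class TruncatedResponse(Exception):
    """The peer closed the stream before a complete field arrived."""


def read_exact(fp, size):
    """Read exactly `size` bytes from fp, or raise TruncatedResponse on EOF."""
    chunks, remaining = [], size
    while remaining:
        chunk = fp.read(remaining)
        if not chunk:  # empty read means the peer closed the connection
            raise TruncatedResponse(
                'expected %d bytes, got %d' % (size, size - remaining))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b''.join(chunks)


def read_int32_naive(fp):
    # Same shape as the failing line in the traceback: no length check.
    return _int32.unpack(fp.read(_int32.size))[0]


def read_int32_checked(fp):
    return _int32.unpack(read_exact(fp, _int32.size))[0]


def demo(payload):
    """Constructed peer sends `payload` and closes; return (naive, checked) outcomes."""
    results = []
    for reader in (read_int32_naive, read_int32_checked):
        server, client = socket.socketpair()
        server.sendall(payload)
        server.close()  # simulate a daemon that stops answering mid-response
        with client, client.makefile('rb') as fp:
            try:
                results.append(reader(fp))
            except (struct.error, TruncatedResponse) as exc:
                results.append(type(exc).__name__)
    return tuple(results)
```

The traceback also shows the protocol check written as an `assert`; Python drops `assert` statements when run with `-O`, so an explicit exception like the one above keeps the check in place.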

Yuan-Hao Chen (yhchen0906) wrote :

I encountered the same problem and found a solution.
The bug fix is here, please apply & merge the patches.
Thanks a lot!

https://github.com/arthurdejong/nss-pam-ldapd/pull/31/commits/94eaa1823c8995c1334520a0e297f4f73a963dc4
