Debian Bug report logs - #510678
network-manager: system lockup with LDAP lookup for group

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: root <maschine_sug@web.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang

Date: Sun, 04 Jan 2009 10:48:36 +0100

Package: libnss-ldap
Version: 261-2.1
Severity: critical
Justification: breaks the whole system


The ldap entry on nsswitch.conf for ldap authentication like:

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

cause the whole system hang. The system loaded til gdm, but I just got an X mouse pointer. The system doesn't response any keyboard command, so that I can't kill the Xserver through ctrl+alt+backspace. I can't go to the terminal with ctrl+alt+f1-f6 too. Over SSH there is no connection to the system, because the system is hanging.

If I remove the ldap entry on nsswitch.conf, the system works normally. For example:

passwd:         compat
group:          compat
shadow:         compat

The chance to work with ldap authentication is just inserting ldap entry after the whole system loaded.


-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing'), (10, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-ares-em64t (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldap depends on:
ii  debconf [debconf-2.0] 1.5.24             Debian configuration management sy
ii  libc6                 2.7-16             GNU C Library: Shared libraries
ii  libcomerr2            1.41.3-1           common error description library
ii  libkrb53              1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.11-1           OpenLDAP libraries
ii  libsasl2-2            2.1.22.dfsg1-23    Cyrus SASL - authentication abstra

Versions of packages libnss-ldap recommends:
ii  libpam-ldap                   184-4.2    Pluggable Authentication Module fo
ii  nscd                          2.7-16     GNU C Library: Name Service Cache 

libnss-ldap suggests no packages.

-- debconf information:
  libnss-ldap/bindpw: (password omitted)
* libnss-ldap/rootbindpw: (password omitted)
  libnss-ldap/dblogin: false
  libnss-ldap/override: true
* shared/ldapns/base-dn: dc=skpcc,dc=org
* shared/ldapns/ldap-server: ldaps://hera.skpcc.org:636/
  libnss-ldap/confperm: false
* libnss-ldap/rootbinddn: cn=admin,dc=skpcc,dc=org
* shared/ldapns/ldap_version: 3
  libnss-ldap/binddn: cn=proxyuser,dc=example,dc=net
* libnss-ldap/nsswitch:
  libnss-ldap/dbrootlogin: true

Message #8 received at 510678-submitter@bugs.debian.org (full text, mbox, reply):

From: Neil Williams <codehelp@debian.org>

To: 510678-submitter@bugs.debian.org

Subject: Wrong package or user-modified file?

Date: Sun, 4 Jan 2009 14:58:35 +0000

[Message part 1 (text/plain, inline)]

I'm confused. /etc/nsswitch.conf is created by base-files - the
base-files postinst merely copies /usr/share/base-files/nsswitch.conf
to /etc/ and the contents of that file on this system match the working
example you've given in the bug report.

libnss-ldap creates /etc/libnss-ldap.conf in the postinst.

Installing libnss-ldap in a clean Sid chroot does not
change /etc/nsswitch.conf.

I don't see how /etc/nsswitch.conf came to contain the values you
quoted in the bug report.

Can you please reply with your /usr/share/base-files/nsswitch.conf
and /etc/libnss-ldap.conf files attached?

Why did you think that an error in /etc/nsswitch.conf was the fault of
libnss-ldap?

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/

[Message part 2 (application/pgp-signature, inline)]

Message #11 received at 510678-submitter@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 510678-submitter@bugs.debian.org

Cc: Neil Williams <codehelp@debian.org>

Subject: Re: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang

Date: Sun, 04 Jan 2009 18:06:33 +0000

[Message part 1 (text/plain, inline)]

Neil Williams wrote:
> I'm confused. /etc/nsswitch.conf is created by base-files - the
> base-files postinst merely copies /usr/share/base-files/nsswitch.conf
> to /etc/ and the contents of that file on this system match the working
> example you've given in the bug report.
> 
> libnss-ldap creates /etc/libnss-ldap.conf in the postinst.
> 
> Installing libnss-ldap in a clean Sid chroot does not
> change /etc/nsswitch.conf.
[...]

I don't think this is the problem.  As I understand the report, the
problem is that LDAP authentication is not working at initial login.  My
guess is that there is no network connection at this point.

Are you using Network Manager to manage the network connection to the
LDAP server?  This probably will not work because Network Manager does
not set up the network connection until after a user has logged in (and
has the right privileges, and runs a Network Manager control applet).

Ben.

-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had thought.
... I realized that a large part of my life from then on was going to be spent
in finding mistakes in my own programs. - Maurice Wilkes, 1949

[signature.asc (application/pgp-signature, inline)]

Message #16 received at 510678@bugs.debian.org (full text, mbox, reply):

From: Daniel Haryo Sugondo <maschine_sug@web.de>

To: 510678@bugs.debian.org, root <maschine_sug@web.de>

Subject: Re: Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang

Date: Sun, 04 Jan 2009 19:47:05 +0100

Here is the config from /usr/share/base-files/nsswitch.conf. On my Machine run at this moment no ldap authentication.

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


And configured /etc/libnss-ldap.conf for LDAP authentication. My problem is an LDAP authentication, therefore I must change the file /etc/nsswitch.conf as usual for LDAP authentication. On my 1.st post, I just copied the changed section.

Here is libnss-ldap.conf without commented stuffs

base dc=skpcc,dc=org
uri ldaps://hera.skpcc.org:636/
ldap_version 3
rootbinddn cn=admin,dc=skpcc,dc=org
timelimit 5
bind_timelimit 5
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_min_uid 10000
pam_password exop
nss_base_passwd         ou=Users,dc=skpcc,dc=org?one
nss_base_passwd         ou=Computers,dc=skpcc,dc=org?one
nss_base_shadow         ou=Users,dc=skpcc,dc=org?one
nss_base_group          ou=Groups,dc=skpcc,dc=org?one
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ldap/cacerts/ca.cert
tls_cert /etc/ldap/cacerts/client.cert
tls_key /etc/ldap/cacerts/client.key


And yes NetworkManager is installed on Clients.

On Debian Etch, my Debian can booting til ends and the client can log in to the system with LDAP account. The whole configuration is the same between etch and lenny.

I've found the same bug on ubuntu but I couldn't find the link now. The bug exists on 2006 or 2007.

Message #21 received at 510678@bugs.debian.org (full text, mbox, reply):

From: Richard A Nelson <cowboy@debian.org>

To: root <maschine_sug@web.de>, 510678@bugs.debian.org

Subject: Re: Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang

Date: Sun, 4 Jan 2009 11:08:53 -0800 (PST)

On Sun, 4 Jan 2009, root wrote:

> Package: libnss-ldap
> Version: 261-2.1
> Severity: critical
> Justification: breaks the whole system

You very likely are simply misconfigured, but I'll not yet drop
the severity to a more apropriate value.

> The ldap entry on nsswitch.conf for ldap authentication like:
>
> passwd:         compat ldap

Why compat ... if you aren't using NIS/NIS+, that should be 'files ldap'

> group:          compat ldap
> shadow:         compat ldap
>
> cause the whole system hang. The system loaded til gdm, but I just got an X mouse pointer. The system doesn't response any keyboard command, so that I can't kill the Xserver through ctrl+alt+backspace. I can't go to the terminal with ctrl+alt+f1-f6 too. Over SSH there is no connection to the system, because the system is hanging.

There should be informatitve messages in /var/log/auth.log, and possibly
/var/log/syslog...  I can't be of much use without seeing some of them.

> If I remove the ldap entry on nsswitch.conf, the system works normally.

1) boot up without LDAP auth
2) add ldap to nsswitch.conf
3) getent passwd <some valid user in ldap>
4) tweak /etc/libnss-ldap.conf until 3 works

Once that all is working, the next cause of hang is based upon
installed package set - and their daemon user entries in /etc/passwd.

You will need to add and tweak the following line in libnss-ldap.conf:
	nss_initgroups_ignoreusers root,openldap,.... 
IE: if gdm hangs, and there is a system userid for the gdm daemon, add
its name to the ignoreusers line.

Why isn't the line already there and correct ?
It would require going through the entire archive and scanning init.d
files for anything that might possibly start before nscd (if installed),
or the local slapd daemon (if installed) and adding those daemon users
to the line...   That is necessary, but not sufficient in that the
sysadmin may change start order :(

I'd actually recommend you do what I have done - install libnss-ldapd
instead.
-- 
Rick Nelson
Intel engineering seem to have misheard Intel marketing strategy. The phrase
was "Divide and conquer" not "Divide and cock up"
(By iialan@www.linux.org.uk, Alan Cox)

Message #26 received at 510678@bugs.debian.org (full text, mbox, reply):

From: Daniel Haryo Sugondo <maschine_sug@web.de>

To: 510678@bugs.debian.org

Subject: Re: Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang

Date: Sun, 04 Jan 2009 21:20:11 +0100

You very likely are simply misconfigured, but I'll not yet drop
the severity to a more apropriate value.

> The ldap entry on nsswitch.conf for ldap authentication like:
>
> passwd:         compat ldap

Why compat ... if you aren't using NIS/NIS+, that should be 'files ldap'

> group:          compat ldap
> shadow:         compat ldap
>
> cause the whole system hang. The system loaded til gdm, but I just got an X mouse pointer. The system doesn't response any keyboard command, so that I can't kill the Xserver through ctrl+alt+backspace. I can't go to the terminal with ctrl+alt+f1-f6 too. Over SSH there is no connection to the system, because the system is hanging.

>> OK thank you for the Info!

There should be informatitve messages in /var/log/auth.log, and possibly
/var/log/syslog...  I can't be of much use without seeing some of them.

syslog

Jan  4 20:37:59 ares NetworkManager: <info>  wlan0: Device is fully-supported using driver 'iwl3945'.
Jan  4 20:37:59 ares NetworkManager: <info>  wlan0: driver supports SSID scans (scan_capa 0x01).
Jan  4 20:37:59 ares NetworkManager: <info>  nm_device_init(): waiting for device's worker thread to start
Jan  4 20:37:59 ares NetworkManager: <info>  nm_device_init(): device's worker thread started, continuing.
Jan  4 20:37:59 ares NetworkManager: <info>  Now managing wireless (802.11) device 'wlan0'.
Jan  4 20:37:59 ares NetworkManager: <info>  Deactivating device wlan0.
Jan  4 20:37:59 ares NetworkManager: <info>  eth0: Device is fully-supported using driver 'tg3'.
Jan  4 20:37:59 ares NetworkManager: <info>  nm_device_init(): waiting for device's worker thread to start
Jan  4 20:37:59 ares NetworkManager: <info>  nm_device_init(): device's worker thread started, continuing.
Jan  4 20:37:59 ares NetworkManager: <info>  Now managing wired Ethernet (802.3) device 'eth0'.
Jan  4 20:37:59 ares NetworkManager: <info>  Deactivating device eth0.
Jan  4 20:37:59 ares avahi-daemon[3299]: Withdrawing address record for 10.19.8.182 on eth0.
Jan  4 20:37:59 ares avahi-daemon[3299]: Leaving mDNS multicast group on interface eth0.IPv4 with address 10.19.8.182.
Jan  4 20:37:59 ares avahi-daemon[3299]: Interface eth0.IPv4 no longer relevant for mDNS.
Jan  4 20:37:59 ares NetworkManager: <info>  Will activate wired connection 'eth0' because it now has a link.
Jan  4 20:37:59 ares NetworkManager: <info>  SWITCH: no current connection, found better connection 'eth0'.
Jan  4 20:37:59 ares dhcdbd: message_handler: message handler not found under /com/redhat/dhcp/eth0 for sub-path eth0.dbus.get.reason
Jan  4 20:37:59 ares NetworkManager: <info>  Will activate connection 'eth0'.
Jan  4 20:37:59 ares NetworkManager: <info>  Device eth0 activation scheduled...
Jan  4 20:37:59 ares NetworkManager: <info>  Activation (eth0) started...
Jan  4 20:37:59 ares NetworkManager: <info>  Activation (eth0) Stage 1 of 5 (Device Prepare) scheduled...
Jan  4 20:37:59 ares NetworkManager: <info>  Activation (eth0) Stage 1 of 5 (Device Prepare) started...
Jan  4 20:37:59 ares NetworkManager: <info>  Activation (eth0) Stage 2 of 5 (Device Configure) scheduled...
Jan  4 20:37:59 ares NetworkManager: <info>  Activation (eth0) Stage 1 of 5 (Device Prepare) complete.
Jan  4 20:37:59 ares NetworkManager: <info>  Activation (eth0) Stage 2 of 5 (Device Configure) starting...
Jan  4 20:37:59 ares NetworkManager: <info>  Activation (eth0) Stage 2 of 5 (Device Configure) successful.
Jan  4 20:37:59 ares NetworkManager: <info>  Activation (eth0) Stage 3 of 5 (IP Configure Start) scheduled.
Jan  4 20:37:59 ares NetworkManager: <info>  Activation (eth0) Stage 2 of 5 (Device Configure) complete.
Jan  4 20:37:59 ares NetworkManager: <info>  Activation (eth0) Stage 3 of 5 (IP Configure Start) started...
Jan  4 20:38:00 ares NetworkManager: <info>  Activation (eth0) Beginning DHCP transaction.
Jan  4 20:38:00 ares anacron[3466]: Anacron 2.3 started on 2009-01-04
Jan  4 20:38:01 ares anacron[3466]: Normal exit (0 jobs run)
Jan  4 20:38:01 ares acpid: client connected from 3450[0:0]
Jan  4 20:38:01 ares /usr/sbin/cron[3496]: (CRON) INFO (pidfile fd = 3)
Jan  4 20:38:01 ares /usr/sbin/cron[3497]: (CRON) STARTUP (fork ok)
Jan  4 20:38:01 ares /usr/sbin/cron[3497]: (CRON) INFO (Running @reboot jobs)
Jan  4 20:38:04 ares kernel: [   34.572265] [drm] Initialized drm 1.1.0 20060810
Jan  4 20:38:04 ares kernel: [   34.586845] pci 0000:00:02.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
Jan  4 20:38:04 ares kernel: [   34.586854] pci 0000:00:02.0: setting latency timer to 64
Jan  4 20:38:04 ares kernel: [   34.587121] [drm] Initialized i915 1.6.0 20080730 on minor 0
Jan  4 20:38:04 ares NetworkManager: <info>  Error getting killswitch power: org.freedesktop.DBus.Error.NoReply - Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Jan  4 20:38:04 ares NetworkManager: <info>  Wireless now enabled by radio killswitch
Jan  4 20:38:10 ares NetworkManager: <info>  Old device 'eth0' activating, won't change.
Jan  4 20:38:13 ares shutdown[3608]: shutting down for system halt
Jan  4 20:44:57 ares kernel: imklog 3.18.6, log source = /proc/kmsg started.


auth.log

Jan  4 20:29:28 ares groupadd[28393]: new group: name=nslcd, GID=124
Jan  4 20:29:28 ares useradd[28399]: new user: name=nslcd, UID=115, GID=124, home=/var/run/nslcd/, shell=/bin/false
Jan  4 20:29:28 ares usermod[28404]: change user `nslcd' password
Jan  4 20:29:28 ares chage[28409]: changed password expiry for nslcd
Jan  4 20:29:29 ares chfn[28414]: changed user `nslcd' information
Jan  4 20:32:02 ares gdm[4323]: pam_mount(pam_mount.c:588) received order to close things
Jan  4 20:32:02 ares gdm[4323]: pam_mount(pam_mount.c:590) No volumes to umount
Jan  4 20:32:02 ares gdm[4323]: pam_mount(pam_mount.c:634) pam_mount execution complete
Jan  4 20:32:02 ares gdm[4323]: pam_unix(gdm:session): unrecognized option [use_authok]
Jan  4 20:32:02 ares gdm[4323]: pam_unix(gdm:session): session closed for user daniel
Jan  4 20:32:02 ares gdm[4323]: pam_mount(pam_mount.c:109) Clean global config (0)
Jan  4 20:32:02 ares gdm[4323]: pam_mount(pam_mount.c:126) clean system authtok=0x101b4b0 (0)
Jan  4 20:32:02 ares gnome-keyring-daemon[4574]: failed to shutdown HAL context: (null)
Jan  4 20:32:04 ares su[4818]: pam_mount(pam_mount.c:588) received order to close things
Jan  4 20:32:04 ares su[4818]: pam_mount(pam_mount.c:590) No volumes to umount
Jan  4 20:32:04 ares su[4818]: pam_mount(pam_mount.c:634) pam_mount execution complete
Jan  4 20:32:04 ares su[4818]: pam_unix(su:session): unrecognized option [use_authok]
Jan  4 20:32:04 ares su[4818]: pam_unix(su:session): session closed for user root
Jan  4 20:32:04 ares su[4818]: pam_mount(pam_mount.c:109) Clean global config (0)
Jan  4 20:32:04 ares su[4818]: pam_mount(pam_mount.c:126) clean system authtok=0x1423400 (0)
Jan  4 20:32:56 ares sshd[2854]: Server listening on 0.0.0.0 port 22.
Jan  4 20:37:49 ares sshd[2794]: Server listening on 0.0.0.0 port 22.
Jan  4 20:37:52 ares sshd[2794]: Received SIGHUP; restarting.
Jan  4 20:37:52 ares sshd[3268]: Server listening on 0.0.0.0 port 22.
Jan  4 20:44:58 ares sshd[2860]: Server listening on 0.0.0.0 port 22.

>> If I remove the ldap entry on nsswitch.conf, the system works normally.

1) boot up without LDAP auth
2) add ldap to nsswitch.conf
3) getent passwd <some valid user in ldap>
4) tweak /etc/libnss-ldap.conf until 3 works

Once that all is working, the next cause of hang is based upon
installed package set - and their daemon user entries in /etc/passwd.

>> As I written on my 1st post. I can log on with my LDAP Account if I change the nsswitch.conf after booting. So this all works.

You will need to add and tweak the following line in libnss-ldap.conf:
	nss_initgroups_ignoreusers root,openldap,.... 
IE: if gdm hangs, and there is a system userid for the gdm daemon, add
its name to the ignoreusers line.

>> I've already insert it, but my system still hang after reboot. ??? <-- Confused.
>> # Just assume that there are no supplemental groups for these named users
>> nss_initgroups_ignoreusers      root,avahi,haldaemon,gdm

Why isn't the line already there and correct ?
It would require going through the entire archive and scanning init.d
files for anything that might possibly start before nscd (if installed),
or the local slapd daemon (if installed) and adding those daemon users
to the line...   That is necessary, but not sufficient in that the
sysadmin may change start order :(

I'd actually recommend you do what I have done - install libnss-ldapd
instead.

>> already installed, you can see it on auth.log.

Message #31 received at 510678@bugs.debian.org (full text, mbox, reply):

From: maschine_sug@web.de

To: 510678@bugs.debian.org

Subject: Re: Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang

Date: Sun, 04 Jan 2009 21:57:26 +0100

If I remove the Network Manager, then the system doesn't hang. I think the bug isn't on libnss-ldap or nsswitch, but on Network Manager on Lenny.

I'm sorry Rick.

P.S.: How can I hidden my mail addresse?

Message #36 received at 510678@bugs.debian.org (full text, mbox, reply):

From: Richard A Nelson <cowboy@debian.org>

To: Daniel Haryo Sugondo <maschine_sug@web.de>, 510678@bugs.debian.org

Subject: Re: Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang

Date: Sun, 4 Jan 2009 13:09:04 -0800 (PST)

On Sun, 4 Jan 2009, Daniel Haryo Sugondo wrote:

> There should be informatitve messages in /var/log/auth.log, and possibly
> /var/log/syslog...  I can't be of much use without seeing some of them.
>
> syslog
[snip]
>
> auth.log
[snip]

uhm, neither of the log snips appear to be related to your hangs :(

> As I written on my 1st post. I can log on with my LDAP Account if I change the nsswitch.conf after booting. So this all works.
not necessarily (is pam-ldap also installed and in use ?)

does `getent passwd` show all system and ldap users ?

> I've already insert it, but my system still hang after reboot. ??? <-- Confused.
> # Just assume that there are no supplemental groups for these named users
> nss_initgroups_ignoreusers      root,avahi,haldaemon,gdm

Looks like a good start, but since your auth.log/syslog fragments
weren't from a hang - there's no way to see what is going on

>> Why isn't the line already there and correct ?
>> It would require going through the entire archive and scanning init.d
>> files for anything that might possibly start before nscd (if installed),
>> or the local slapd daemon (if installed) and adding those daemon users
>> to the line...   That is necessary, but not sufficient in that the
>> sysadmin may change start order :(

You may need to do part of this, or simply add all system users to the
line

>> I'd actually recommend you do what I have done - install libnss-ldapd
>> instead.
>
> already installed, you can see it on auth.log.

So you're up and running now ?

-- 
Rick Nelson
<Endy> taniwha: Quote material :)
<taniwha> Endy: :)
<knghtbrd> Endy: I already snipped it

Message #41 received at 510678@bugs.debian.org (full text, mbox, reply):

From: Daniel Haryo Sugondo <maschine_sug@web.de>

To: 510678@bugs.debian.org, Richard A Nelson <cowboy@debian.org>

Subject: Re: Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang

Date: Sun, 04 Jan 2009 22:39:13 +0100

> 
> > There should be informatitve messages in /var/log/auth.log, and possibly
> > /var/log/syslog...  I can't be of much use without seeing some of them.
> >
> > syslog
> [snip]
> >
> > auth.log
> [snip]
> 
> uhm, neither of the log snips appear to be related to your hangs :(

>> On my last messages I've remove the network manager and see, the system run without any hang. I think, the problem exist on network manager, not libnss-ldap.


> > As I written on my 1st post. I can log on with my LDAP Account if I change the nsswitch.conf after booting. So this all works.
> not necessarily (is pam-ldap also installed and in use ?)
> 
> does `getent passwd` show all system and ldap users ?
> 
> > I've already insert it, but my system still hang after reboot. ??? <-- Confused.
> > # Just assume that there are no supplemental groups for these named users
> > nss_initgroups_ignoreusers      root,avahi,haldaemon,gdm
> 
> Looks like a good start, but since your auth.log/syslog fragments
> weren't from a hang - there's no way to see what is going on

If the system hang, then there is no log. :(

> >> Why isn't the line already there and correct ?
> >> It would require going through the entire archive and scanning init.d
> >> files for anything that might possibly start before nscd (if installed),
> >> or the local slapd daemon (if installed) and adding those daemon users
> >> to the line...   That is necessary, but not sufficient in that the
> >> sysadmin may change start order :(
> 
> You may need to do part of this, or simply add all system users to the
> line

I'll try to add all system users to the line, thank's for your advise.

> >> I'd actually recommend you do what I have done - install libnss-ldapd
> >> instead.
> >
> > already installed, you can see it on auth.log.
> 
> So you're up and running now ?

Yes the system is up and running now, without network manager.

Message #46 received at 510678@bugs.debian.org (full text, mbox, reply):

From: Martin Zobel-Helas <zobel@ftbfs.de>

To: 510678@bugs.debian.org

Subject: Re: Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang

Date: Tue, 20 Jan 2009 15:34:08 +0100

[Message part 1 (text/plain, inline)]

severity 510678 normal
thanks

Hi,

the problem is a dead-lock in your setup. This is not a problem of libnss-ldap.
If this is a regression with the version in etch, please open a bug against
release notes.

Greetings
Martin
-- 
 Martin Zobel-Helas <zobel@debian.org>  | Debian System Administrator
 Debian & GNU/Linux Developer           |           Debian Listmaster
 Public key http://zobel.ftbfs.de/5d64f870.asc   -   KeyID: 5D64 F870
 GPG Fingerprint:  5DB3 1301 375A A50F 07E7  302F 493E FB8E 5D64 F870

[signature.asc (application/pgp-signature, inline)]

Message #53 received at 510678@bugs.debian.org (full text, mbox, reply):

From: Luca Capello <luca@pca.it>

To: 510678@bugs.debian.org

Cc: Daniel Haryo Sugondo <maschine_sug@web.de>, Neil Williams <codehelp@debian.org>, Ben Hutchings <ben@decadent.org.uk>, Richard A Nelson <cowboy@debian.org>, Martin Zobel-Helas <zobel@ftbfs.de>

Subject: Re: Bug#510678: libnss-ldap: ldap entry on nsswitch.conf causes gdm hang

Date: Sat, 29 Jan 2011 16:24:27 +0100

[Message part 1 (text/plain, inline)]

forcemerge 500998 510678
thanks

Hi there!

I cc:ed all the people involved with this bug, sorry for the spam.

On Tue, 20 Jan 2009 15:34:08 +0100, Martin Zobel-Helas wrote:
> the problem is a dead-lock in your setup. This is not a problem of libnss-ldap.

On Sun, 04 Jan 2009 20:08:53 +0100, Richard A Nelson wrote:
> You very likely are simply misconfigured, but I'll not yet drop
> the severity to a more apropriate value.

On Sun, 04 Jan 2009 19:06:33 +0100, Ben Hutchings wrote:
> Neil Williams wrote:
>> I'm confused. /etc/nsswitch.conf is created by base-files - the
>> base-files postinst merely copies /usr/share/base-files/nsswitch.conf
>> to /etc/ and the contents of that file on this system match the working
>> example you've given in the bug report.
>> 
>> libnss-ldap creates /etc/libnss-ldap.conf in the postinst.
>> 
>> Installing libnss-ldap in a clean Sid chroot does not
>> change /etc/nsswitch.conf.
> [...]
>
> I don't think this is the problem.  As I understand the report, the
> problem is that LDAP authentication is not working at initial login.  My
> guess is that there is no network connection at this point.
>
> Are you using Network Manager to manage the network connection to the
> LDAP server?  This probably will not work because Network Manager does
> not set up the network connection until after a user has logged in (and
> has the right privileges, and runs a Network Manager control applet).

Bingo, same symptoms as #510678, merged.

Thx, bye,
Gismo / Luca

[Message part 2 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.