Bug#643948: nslcd: daemon hang during machine boot process

Arthur de Jong adejong at debian.org
Thu May 23 18:34:47 UTC 2013

Today, for the first time I ran into this problem on my own system. From
the logs:

May 23 19:26:06 sorbet nslcd[2916]: accepting connections
May 23 19:26:06 sorbet nslcd[2916]: Libgcrypt notice: state transition Power-On => Fatal-Error
May 23 19:26:06 sorbet nslcd[2916]: Libgcrypt error: fatal error in file visibility.c, line 1283, function gcry_create_nonce: called in non-operational state
May 23 19:26:06 sorbet nslcd[2916]: Libgcrypt terminated the application

This is before handling any connections which would involve crypto. The
only thing that is done after logging the "accepting connections"
message is start some threads and install signal handlers and change the
signal mask. The threads at this point probably did a few calls to
malloc() and one call to select().

The code can be found here (line 807 logs the first message):


Before the first log line the following calls are done which could be
relevant (in this order):

ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, 0)
daemon(0, 0)

Is there something that nslcd should be doing differently?

On Tue, 2011-10-04 at 15:11 +0200, Werner Koch wrote:
> On Sun,  2 Oct 2011 17:24, adejong at debian.org said:
> > Btw, it seems to be pretty bad for a library to abort the whole
> > application when it's state is inconsistent.
> This is a FIPS requirement.  You are running your system in FIPS mode -
> see the manual.

How can I put my system in sane mode ;) (which manual)?


-- arthur - adejong at debian.org - http://people.debian.org/~adejong --
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20130523/709d3b2e/attachment.pgp>

More information about the Pkg-gnutls-maint mailing list