[Pkg-utopia-maintainers] Bug#614804: network-manager: system lockup with LDAP lookup for passwd+group+shadow+hosts

Luca Capello luca at pca.it
Wed Feb 23 15:09:36 UTC 2011


Package: network-manager
Version: 0.8.1-6
Severity: important
Blocked-by: 606268

Hi there!

First, a bit of history about how I discovered this bug: I spent
more than one week in tests to track it down, so I do not want to simply
trash this work, sorry.

While investigating bugs #412989 [1] and #500998 [2], I found out that
enabling LDAP lookup for all the primary four entries in
/etc/nsswitch.conf [3] causes a system lockup:

- in 5.0.8/lenny, libnss-ldap/261-2.1, network-manager/0.6.6-3
    kinit: No resume image, doing normal boot...
    INIT: version 2.86 booting
    Starting the hotplug events dispatcher: udevd[no-blinking cursor]

  To exit this situation a hard reboot is needed.

- in 6.0.0/squeeze, libnss-ldap/264-2.2, network-manager/0.8.1-6
    Starting periodic command scheduler: cron.
    CPUFreq Utilities: Setting ondemand CPUFreq gover...disabled,
     governor not available...done.
    Starting MTA:[blinking cursor]

  Ctrl-Alt-Del works as well as single-user mode, which means that debug
  is possible ;-)

[1] <http://bugs.debian.org/412989>
[2] <http://bugs.debian.org/500998>
[3] while I am still an LDAP newbie, this is the most advised setup you can
    find on the net, e.g. <http://wiki.debian.org/LDAP/NSS>

Please note that as suggested by /usr/share/doc/udev/README.Debian.gz,
setting '[UNAVAIL=return]' in any ldap service does not help.

On lenny, surprisingly enough, this bug does not happen if the "unknown"
groups have been replaced by nobody/nogroup (because of #412989 [1]).
On squeeze, however, these "unknown" groups are no longer unknown [4], but
this bug (or some incarnation of it) is still there.  Squeeze users can
simply install libpam-ldapd and libnss-ldapd, given that even the
squeeze Release Notes [5] suggest that for other reasons [6][7].

[4] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=412989#66>
[5] <http://www.debian.org/releases/stable/i386/release-notes/ch-information.en.html#ldap-gnutls>
[6] <http://bugs.debian.org/566351>
[7] <http://bugs.debian.org/545414>

Good, we have two bugs, in some way related.  Given that I thought this
was a libnss-ldap problem, I looked in the Debian BTS, finding two bugs
which could be linked to mine, even if I do not have the same symptoms:

  #143496 [8], libnss-ldap: Segfault when used for host resolution
  #218958 [9], libnss-ldap - host resolution hangs on Linux 2.6.0-test8/test9

[8] <http://bugs.debian.org/143496>
[9] <http://bugs.debian.org/218958>

As I wrote above, the situation on squeeze is a bit better, I have
access to single-user mode so I can debug, starting from dbus...
Unfortunately, it seems quite hard to have a dbus-daemon output (I read
the docs), so I was submitting this bug asking for hints.  OTOH, if
libnss-ldap maintainer would have thought that it is not worth it
(libnss-ldapd is the future), this bug should have simply been left as
it is or even closed.

Trying to debug dbus-daemon in single-user mode, I discovered that there
is no more network.  Because of #530024 [10], my /etc/network/interfaces
(generated by d-i for a wired interface, so #606268 is no more only
related to wireless [11]) is:

--8<---------------cut here---------------start------------->8---
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
#NetworkManager#iface eth0 inet dhcp
--8<---------------cut here---------------end--------------->8---

[10] <http://bugs.debian.org/530024>
[11] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606268#122>

This is a serious bug (feel free to clone it), since according to the
Debian Reference [11][12]:

  3.5.7. Network interface initialization

  Network interfaces are initialized in runlevel S by the init script
  symlinked to "/etc/init.d/ifupdown-clean" and "/etc/init.d/ifupdown".
  See Chapter 5, Network setup for how to configure them.

[11] <http://www.debian.org/doc/manuals/debian-reference/ch03.en.html#_network_interface_initialization>
[12] I am sorry, but I was not able to find any other documentation or
     package where this is actually defined, corrections welcomed!

FWIW, the squeeze Release Notes contain a text about that [13], but
this does not say anything about boot or single-user mode:

  5.6.3. network-manager and ifupdown interaction

  Upon upgrading the network-manager package, interfaces configured in
  /etc/network/interfaces to use DHCP with no other options will be
  disabled in that file, and handled by NetworkManager instead.
  Therefore the ifup and ifdown commands will not work.  These
  interfaces can be managed using the NetworkManager frontends instead,
  see the NetworkManager documentation.

  Conversely, any interfaces configured in /etc/network/interfaces with
  more options will be ignored by NetworkManager.  This applies in
  particular to wireless interfaces used during the installation of
  Debian (see bug #606268).

[13] <http://www.debian.org/releases/stable/i386/release-notes/ch-information.en.html#id333260>

To summarize, how to reproduce this bug:
1) install a standard 6.0.0/squeeze
2) install libpam-ldap and libnss-ldap
      LDAP server URI: ldap://db.debian.org
      Search base: dc=debian,dc=org
      LDAP version to use: 3
      LDAP account for root: cn=manager,dc=example,dc=net
      LDAP root account password: [simply press ENTER]
      Make local root Database admin: Yes
      Does the LDAP database require login: No
3) in /etc/nsswitch.conf enable LDAP lookup for passwd, group, shadow
   and hosts
4) reboot & enjoy

After having read /usr/share/doc/network-manager/README.Debian, there
are two ways to fix it:

a) setting 'Managed mode' in /etc/NetworkManager/NetworkManager.conf for
   ifupdown.  This should be the default, since again according to the
   Debian Reference [12][14]:

     5.3. The legacy network connection and configuration

     When the method described in Section 5.2, “The modern network
     configuration for desktop” does not suffice your needs, you should
     use the legacy network connection and configuration method which
     combines many simpler tools.

     [...]

     The ifupdown package is the de facto standard for such high level
     network configuration system on Debian. It enables you to bring up
     network simply by doing , e.g., "ifup eth0". Its configuration file
     is the "/etc/network/interfaces" file and its typical contents are
     the following.

   So, either we remove completely /etc/network/interfaces or
   network-manager must cope with that, full stop.  Which means also
   that it must know about /etc/network/run/ifstate [15].

   Funny enough, nmcli [16] manpage contains the following:

     DESCRIPTION
	nmcli is a command-line tool for controlling NetworkManager
	and getting its status.  It is not meant as a replacement of
	nm-applet or other similar clients.  Rather it's a
	complementary utility to these programs.  The main nmcli's
	usage is on servers, headless machines or just for power
	users who prefer the command line.

	The use cases comprise:

	--  Initscripts: ifup/ifdown can utilize NetworkManager via
	    nmcli instead of having to manage connections itself and
	    possible interfere with NetworkManager.

b) leaving 'Unmanaged mode' in /etc/NetworkManager/NetworkManager.conf
   using the 'System settings' with the ifupdown plugin [17] and
   removing the '#NetworkManager#' comment in /etc/network/interfaces,
   but obviously eth0 is marked as not managed in the NM applet.

[14] <http://www.debian.org/doc/manuals/debian-reference/ch05.en.html#_the_legacy_network_connection_and_configuration>
[15] <http://bugs.debian.org/416526>
[16] seriously, with the other tools being called nm-$TOOL, why this one
     is nm$TOOL?
[17] why is the ifupdown plugin enabled by default if network-manager
     does not use /etc/network/interfaces at all?

If there is something I can do to help solve this bug as per point a)
just above, please let me know: I am not such a skilled programmer,
nevertheless doing tests does not scare me.

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: 6.0
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages network-manager depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  dbus                    1.2.24-4         simple interprocess messaging syst
ii  isc-dhcp-client         4.1.1-P1-15      ISC DHCP client
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libdbus-1-3             1.2.24-4         simple interprocess messaging syst
ii  libdbus-glib-1-2        0.88-2.1         simple interprocess messaging syst
ii  libgcrypt11             1.4.5-2          LGPL Crypto library - runtime libr
ii  libglib2.0-0            2.24.2-1         The GLib library of C routines
ii  libgnutls26             2.8.6-1          the GNU TLS library - runtime libr
ii  libgudev-1.0-0          164-3            GObject-based wrapper library for 
ii  libnl1                  1.1-6            library for dealing with netlink s
ii  libnm-glib2             0.8.1-6          network management framework (GLib
ii  libnm-util1             0.8.1-6          network management framework (shar
ii  libpolkit-gobject-1-0   0.96-4           PolicyKit Authorization API
ii  libuuid1                2.17.2-9         Universally Unique ID library
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  udev                    164-3            /dev/ and hotplug management daemo
ii  wpasupplicant           0.6.10-2.1       client support for WPA and WPA2 (I

Versions of packages network-manager recommends:
ii  dnsmas 2.55-2                            A small caching DNS proxy and DHCP
ii  iptabl 1.4.8-3                           administration tools for packet fi
ii  modemm 0.4+git.20100624t180933.6e79d15-2 D-Bus service for managing modems
ii  policy 0.96-4                            framework for managing administrat
ii  ppp    2.4.5-4                           Point-to-Point Protocol (PPP) - da

Versions of packages network-manager suggests:
pn  avahi-autoipd                 <none>     (no description available)

-- no debconf information
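
The following check is an added example, not part of the original report: it inspects copies of /etc/nsswitch.conf and /etc/network/interfaces for the setup described above, that is, LDAP lookups enabled for passwd, group, shadow and hosts together with an interface stanza disabled by the '#NetworkManager#' marker. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original report. Paths are arguments so the
# check can run against copies of the files.

# Print each of passwd/group/shadow/hosts whose nsswitch.conf line lists ldap.
ldap_dbs() {
    awk '{ sub(/#.*/, ""); sub(/:/, " ") }       # drop comments, split at ":"
         $1 ~ /^(passwd|group|shadow|hosts)$/ {
             for (i = 2; i <= NF; i++)
                 if ($i == "ldap") { print $1; break }
         }' "$1"
}

# Print interfaces whose iface stanza carries the "#NetworkManager#" marker,
# i.e. interfaces that ifupdown will no longer bring up.
nm_disabled_ifaces() {
    sed -n 's/^#NetworkManager#[[:space:]]*iface[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1"
}

# Return 0 when both conditions from the report hold: all four databases
# consult ldap, and at least one interface is left to NetworkManager.
assess() {
    dbs=$(ldap_dbs "$1" | sort -u | tr '\n' ' ')
    ifaces=$(nm_disabled_ifaces "$2" | tr '\n' ' ')
    if [ "$dbs" = "group hosts passwd shadow " ] && [ -n "$ifaces" ]; then
        echo "RISK: ldap used for: ${dbs}; not raised by ifupdown: ${ifaces}"
        return 0
    fi
    echo "ok: ldap used for: ${dbs:-none}; NetworkManager-disabled: ${ifaces:-none}"
    return 1
}

# Constructed sample files mirroring the setup in the report.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files ldap [UNAVAIL=return] dns
EOF
cat > "$tmp/interfaces" <<'EOF'
auto lo
iface lo inet loopback
allow-hotplug eth0
#NetworkManager#iface eth0 inet dhcp
EOF
assess "$tmp/nsswitch.conf" "$tmp/interfaces" || true
```

On a live system the call would be `assess /etc/nsswitch.conf /etc/network/interfaces`; a non-zero exit status means the combination from the report was not found.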