BAAN LDAP login broken
Description
Users could not login on BAAN on Thu, July 15th from 9:55 to 10:25. Only the users defined in LDAP were affected (all system-related users were working OK).Impact
(Input from GS-AIS) Users already connected were not affected. The problem occurred with users trying to open a new connection. Some people from the stores replenishment (msanchez, crechard) were unable to do their job till the problem was solved. Luckily the incident occurred late in the morning when most users were connected.Time line of the incident
- 2010-06-29 14:32 - Email from IT-PES about "reconfiguration of LDAP for SLC5 / RHES5" done "in preprod only for SLC5 / RHES5 boxes"
- 2010-07-15 09:50 - All Quattor-managed nodes notified for a spma-ncm run by IT-PES
- 2010-07-15 09:55 -
ncm-authconfigruns ondbsrvd236, changing/etc/pam.d/system-authand/etc/ldap.conf - 2010-07-15 10:22 - Email from GS-AIS signaling the problem
- 2010-07-15 10:25 - Acknowledged the problem and started investigating by checking the usual suspects (
/etc/ldap.confand/etc/pam.d/system-auth) - 2010-07-15 10:26 - Files were modified at 9:55, restored the old ones (
ncm-authconfigrenames the old ones with a.oldsuffix) - 2010-07-15 10:28 - Notified GS-AIS of the workaround
- 2010-07-15 10:29 - Confirmation that users could successfully login
Analysis
- The change was affecting the LDAP authentication configuration and package version, and it turned out to affect also SLC4/RH4 that are using the so-called "Zuul" method for LDAP authentication.
- The culprit was the Kerberos method that was inserted in
/etc/pam.d/system-authby the new version ofncm-authconfig. This kind of setting makes system logins work, but BAAN logins fail since apparentlypam_krb5is not supported byblogind. - The permanent fix is to explicitly disable Kerberos authentication on the
ncm-authconfigtemplate
Follow up
- The permanent fix is to explicitly disable Kerberos authentication on the
ncm-authconfigtemplate - 2010-07-15 16:30 - Started testing a permanent fix on BAAN spare server
- 2010-07-16 12:45 - Permanent fix successfully deployed and tested on BAAN spare and BAANv6
- 2010-07-19 13:30 - Permanent fix successfully deployed on BAAN
Topic revision: r4 - 2010-07-29 - GiacomoTenaglia
DB Web
Create New Topic
Index
Search
Changes
Notifications
Statistics
Preferences
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback