Problem with sftp server, static linking, pam and nss_ldap.

Piotr Buliński bulinskp at iem.pw.edu.pl
Thu Jan 28 22:19:59 UTC 2010


Hello,

recently we moved our users database to an LDAP server, but after that sftp stopped working on our students' server.

We use:
 - OpenLDAP 2.4.21
 - nss_ldap-1.265_3
 - pam_ldap-1.8.5
 - FreeBSD 9.0-CURRENT amd64

When I use sftp, it drops the connection:

{volt}-{~}% sftp localhost
Connecting to localhost...
Connection closed
{volt}-{~}% 

After a short investigation, I've found that the problem is in the /usr/libexec/sftp-server program (which is our default subsystem in sshd):

{volt}-{~}% /usr/libexec/sftp-server 
No user found for uid 5567
{volt}-{~}% 

which was quite weird, because sshd works perfectly with users from the LDAP server (so I assume that PAM is configured correctly).

After that, I've tried to make a simple test with the program below:

=======================
#include <sys/types.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>

int
main(int argc, char **argv)
{
 struct passwd *user_pw;

 /* Look up the calling user's passwd entry through NSS, i.e. the
  * sources listed for "passwd" in /etc/nsswitch.conf. */
 if ((user_pw = getpwuid(getuid())) == NULL) {
   fprintf(stderr, "No user found for uid %lu\n",
       (u_long)getuid());
   return 1;
 } else {
   fprintf(stderr, "It works %s!\nYour uid is: %lu\n",
       user_pw->pw_name,
       (u_long)getuid());
 }

 return 0;
}
=======================

which is almost copy-pasted from /usr/src/crypto/openssh/sftp-server-main.c

I've built it twice. Once with dynamic linking:

{volt}-{~}% cc -o test test.c         
{volt}-{~}% ./test
It works bulinskp!
Your uid is: 5567
{volt}-{~}% 

and once with static linking:

{volt}-{~}% cc -o test -static test.c
{volt}-{~}% ./test                   
No user found for uid 5567
{volt}-{~}% 

As you can see, it works great with dynamic linking, but if it's built with static linking it can't get user information from the LDAP database.


Could you be so kind as to help me better understand this problem and find some solution for it (I spent some time trying to find one, but this is probably beyond my scope)?

I would really appreciate any tip.

Below is information about my PAM and NSS configuration:

{volt}-{~}% cat /etc/nsswitch.conf | grep passwd
passwd: files ldap
{volt}-{~}% 

{volt}-{~}% cat /etc/pam.d/sshd | grep -v "^#" | grep -v "^$"
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		requisite       /usr/local/lib/pam_af.so	debug
auth            sufficient      /usr/local/lib/pam_ldap.so  no_warn
auth		required	pam_unix.so		no_warn try_first_pass
account		required	pam_nologin.so
account		required	pam_login_access.so
account         required        /usr/local/lib/pam_ldap.so      no_warn ignore_authinfo_unavail ignore_unknown_user
account		required	pam_unix.so
session		required	pam_permit.so
session         sufficient      /usr/local/lib/pam_ldap.so no_warn try_first_pass 
password	required	pam_unix.so		no_warn try_first_pass
{volt}-{~}% 

regards
-- 
Piotr Buliński
Informatyka na Wydziale Elektrycznym
Politechnika Warszawska
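The post ends without a diagnosis. The script below is an added example written for this page, not code from the poster or from FreeBSD; it automates the two checks the post performs by hand: whether a given ELF binary is statically linked (no PT_INTERP/PT_DYNAMIC program header) and whether /etc/nsswitch.conf routes any database to a source that libc serves by loading an nss_<source> shared object. Its underlying assumption, stated in the code, is that `files` and `compat` are the only sources handled inside libc without loading a module, so a statically linked program can never satisfy a `passwd: files ldap` line. The ELF images and the nsswitch text used in `__main__` and in the helper are constructed samples.

```python
"""nss_static_check: flag NSS sources that a statically linked program cannot use.

Assumption (not stated on the page): libc's NSS dispatcher satisfies sources
other than the built-in ones by loading a shared object such as nss_ldap.so,
which a statically linked binary has no dynamic loader to do.
"""
import re
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3

# Sources libc answers without loading an external module (assumption for
# this example; site-specific builds may differ).
BUILTIN_SOURCES = {"files", "compat"}


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text.

    Comments and [status=action] clauses are dropped; only source names remain.
    """
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # strip e.g. [notfound=return]
        dbs[db.strip()] = rest.split()
    return dbs


def module_dependent_sources(dbs):
    """Return only the databases (and sources) that need a loadable NSS module."""
    out = {}
    for db, sources in dbs.items():
        external = [s for s in sources if s not in BUILTIN_SOURCES]
        if external:
            out[db] = external
    return out


def is_static_elf(data):
    """True if the ELF image has neither a PT_INTERP nor a PT_DYNAMIC segment."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    if data[4] == 2:  # EI_CLASS: ELF64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    elif data[4] == 1:  # ELF32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        # p_type is the first field of a program header in both classes.
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return False
    return True


def diagnose(elf_image, nsswitch_text):
    """List the nsswitch databases a statically linked binary cannot resolve."""
    if not is_static_elf(elf_image):
        return []  # dynamic binary: libc can load nss_<source>.so on demand
    return [
        f"{db}: source(s) {', '.join(srcs)} need a loadable NSS module, "
        "which a statically linked program cannot use"
        for db, srcs in module_dependent_sources(parse_nsswitch(nsswitch_text)).items()
    ]


def make_elf64(ptypes):
    """Constructed minimal little-endian ELF64 image with the given p_type values
    (sample data for testing, not a runnable binary)."""
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0,
                       64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return ehdr + phdrs


# Constructed sample mirroring the poster's passwd line.
SAMPLE_NSSWITCH = """# constructed nsswitch.conf sample
passwd: files ldap
group: files [notfound=continue] ldap
shells: files
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: nss_static_check.py <binary> <nsswitch.conf>
        with open(sys.argv[1], "rb") as f, open(sys.argv[2]) as g:
            findings = diagnose(f.read(), g.read())
    else:
        findings = diagnose(make_elf64([PT_LOAD]), SAMPLE_NSSWITCH)
    print("\n".join(findings) or "no NSS problem expected")
```

Run with no arguments it evaluates the constructed static image against the sample configuration; with a binary path and a nsswitch.conf path it evaluates a real pair, which is the check to run against `/usr/libexec/sftp-server` after a rebuild.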

