Problem with sftp server, static linking, pam and nss_ldap.

Piotr Buliński bulinskp at
Thu Jan 28 22:19:59 UTC 2010


recently we moved our users database to LDAP server, but after that sftp stops working on our students server. 

We use:
 - OpenLDAP 2.4.21
 - nss_ldap-1.265_3
 - pam_ldap-1.8.5
 - FreeBSD 9.0-CURRENT amd64

When I use sftp, it drops the connection:

{volt}-{~}% sftp localhost
Connecting to localhost...
Connection closed

After short investigation, I've found that problem is in /usr/libexec/sftp-server program (which is our default subsystem in sshd):

{volt}-{~}% /usr/libexec/sftp-server 
No user found for uid 5567

what was quite weird, because sshd works perfectly with users from LDAP server (so I assume that PAM is configured correctly).

After that, I've tried to make a simple test with program below:

#include <sys/types.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>

main(int argc, char **argv)
 struct passwd *user_pw;

 user_pw = getpwuid(getuid());

 if ((user_pw = getpwuid(getuid())) == NULL) {
   fprintf(stderr, "No user found for uid %lu\n",
   return 1;
 } else {
   fprintf(stderr, "It works %s!\nYour uid is: %lu\n",

 return 0;

which is almost copy-pasted from /usr/src/crypto/openssh/sftp-server-main.c

I've build it twice. Once with dynamic linking:

{volt}-{~}% cc -o test test.c         
{volt}-{~}% ./test
It works bulinskp!
Your uid is: 5567

another one with static linking:

{volt}-{~}% cc -o test -static test.c
{volt}-{~}% ./test                   
No user found for uid 5567

As you can see, it works great with dynamic linking, but if it's build with static linking it can't get user information from LDAP database.

Could you be so kind and help me better understand this problem and find some solution for it (I spend some time trying to find it, but this is probably beyond my scope)?

I would be really appreciate for any tip.

Below are information about my PAM and NSS configuration:

{volt}-{~}% cat /etc/nsswitch.conf | grep passwd
passwd: files ldap

{volt}-{~}% cat /etc/pam.d/sshd | grep -v "^#" | grep -v "^$"
auth		sufficient		no_warn no_fake_prompts
auth		requisite	no_warn allow_local
auth		requisite       /usr/local/lib/	debug
auth            sufficient      /usr/local/lib/  no_warn
auth		required		no_warn try_first_pass
account		required
account		required
account         required        /usr/local/lib/      no_warn ignore_authinfo_unavail ignore_unknown_user
account		required
session		required
session         sufficient      /usr/local/lib/ no_warn try_first_pass 
password	required		no_warn try_first_pass

Piotr Buliński
Informatyka na Wydziale Elektrycznym
Politechnika Warszawska

More information about the freebsd-questions mailing list