Encountered a very strange problem recently. I could ssh to my FreeBSD box, but from my FreeBSD box I could not ssh anywhere else and kept receiving the following error message every time I tried to ssh to another system: “You don’t exist, go away!”
```
`--> ssh microsoft.com
You don't exist, go away!
`--> ssh google.com
You don't exist, go away!
`--> ssh netbsd
You don't exist, go away!
```
What made this strange was the output of the “id” command:
```
`--> id
uid=8101 gid=5000 groups=5000,0(wheel),80,5001,44575
```
The output from “id” was strange because, in addition to my numeric uid of 8101 and numeric gid of 5000, it should also have shown the username for uid 8101 and the group name for gid 5000. That did not happen: only the numeric values were shown, except for the auxiliary group 0 (wheel). This led me to the next clue: the missing names were not being fetched from the LDAP server. The clue is that the wheel group is defined locally, which is why it was the only one that resolved. To test my assumption I ran “getent passwd” to see whether any LDAP accounts would appear:
```
`--> getent passwd
root:*:0:0:Uncle Charlie:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
...edited for clarity...
amanda:*:140:140:Amanda Daemon:/nonexistent:/usr/sbin/nologin
puppet:*:814:814:Puppet Daemon:/nonexistent:/sbin/nologin
```
My assumption was correct: only local accounts were listed, so the LDAP accounts were not being read. The next logical step was to consult /etc/nsswitch.conf, which turned out to be valid, with the correct entries:
```
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 188.8.131.52 2009/08/03 08:13:06 kensmith Exp $
#
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
...edited...
```
What about the /opt/etc/nss_ldap.conf file?
```
`--> cat /opt/etc/nss_ldap.conf
cat: /opt/etc/nss_ldap.conf: Permission denied
```
Ah, ha! I think I know what the problem might be:
```
`--> ls -l /opt/etc/nss_ldap.conf
lrwxr-xr-x  1 root  wheel   18 Mar 23  2011 /opt/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf
`--> ls -lL /opt/etc/nss_ldap.conf
-rw-------  1 root  wheel  579 Sep 17 09:40 /usr/local/etc/nss_ldap.conf
```
Got it! Do you know what the problem was? It was not because nss_ldap was a symbolic link to ldap.conf. I’ll leave this up to the reader. But after the fix, the “id” command showed the proper output as expected:
```
`--> id
uid=8101(swinful) gid=5000(winfulco) groups=5000(winfulco),0(wheel),80(www),5001(users),44575(Directory Administrators)
```
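The chain of checks above (which databases nsswitch.conf hands to ldap, whether the nss_ldap configuration file is actually readable by the unprivileged processes that need it, and whether the current uid resolves through getpwuid(3), the same call that `id` and ssh make) can be scripted so the failure mode is caught before anyone sees "You don't exist, go away!". The following is an added example, not code from the original post; it parses a constructed nsswitch.conf modelled on the one shown, inspects permission bits on a throwaway file, and reports whether a uid resolves:

```python
"""Added diagnostic for the symptom in this post: NSS lookups for LDAP
users silently falling back to numeric ids because an unprivileged
process cannot read the nss_ldap configuration file.
Example code, not from the original post."""
import os
import pwd
import stat
import tempfile

# Constructed sample, modelled on the nsswitch.conf shown in the post.
SAMPLE_NSSWITCH = """\
#
# nsswitch.conf(5) - name service switch configuration file
#
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text.

    Comments and blank lines are skipped; bracketed action clauses such as
    "[notfound=return]" are dropped so only source names remain.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        result[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return result


def databases_using(switch, source):
    """List the databases whose lookups can reach `source` (e.g. "ldap")."""
    return sorted(db for db, srcs in switch.items() if source in srcs)


def config_visibility(path):
    """Describe how an NSS module's config file is exposed to callers.

    os.stat() follows symlinks, so a link like /opt/etc/nss_ldap.conf is
    judged by the target it points at, exactly as the library would see it.
    """
    mode = os.stat(path).st_mode
    return {
        "is_symlink": os.path.islink(path),
        "owner_readable": bool(mode & stat.S_IRUSR),
        "group_readable": bool(mode & stat.S_IRGRP),
        "world_readable": bool(mode & stat.S_IROTH),
    }


def nss_module_config_ok(path):
    """True when unprivileged callers (id, ssh, getent) can open the file.

    A root-only 0600 mode, as in the post, makes every LDAP lookup by a
    non-root process fail, which is what produced the numeric-only `id`
    output and ssh's "You don't exist, go away!".
    """
    return config_visibility(path)["world_readable"]


def mode_demo(mode):
    """Create a throwaway file with `mode` and report whether the check
    above accepts it (lets the rule be exercised without touching /etc)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return nss_module_config_ok(path)
    finally:
        os.unlink(path)


def resolve_uid(uid):
    """Return the login name for `uid`, or None if NSS cannot resolve it.

    This is the same getpwuid(3) lookup that `id` and ssh perform.
    """
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


if __name__ == "__main__":
    switch = parse_nsswitch(SAMPLE_NSSWITCH)
    print("databases backed by ldap:", databases_using(switch, "ldap"))
    print("0600 config accepted:", mode_demo(0o600))   # False
    print("0644 config accepted:", mode_demo(0o644))   # True
    me = os.getuid()
    print("uid", me, "resolves to", resolve_uid(me))
```

To use this against a real host, replace `SAMPLE_NSSWITCH` with the contents of /etc/nsswitch.conf and call `config_visibility()` on the path the nss_ldap module reads (the symlink target, as `ls -lL` showed above). Note that the check deliberately asks about the mode bits rather than running `open()`, so the answer is the same whether the script runs as root or as an ordinary user; running it as root would otherwise hide exactly the problem this post describes.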