[ssh] You don’t exist, go away!

Encountered a very strange problem recently. I could ssh to my FreeBSD box, but from my FreeBSD box I could not ssh anywhere else and kept receiving the following error message every time I tried to ssh to another system: “You don’t exist, go away!”

`--> ssh microsoft.com
You don't exist, go away!

`--> ssh google.com
You don't exist, go away!

`--> ssh netbsd
You don't exist, go away!

What made this strange was the output from “id” command:

`--> id
uid=8101 gid=5000 groups=5000,0(wheel),80,5001,44575

The output from “id” was strange because in addition to my numeric uid of 8101, and numeric gid of 5000 it should have also shown the output of the username for uid 8101 and the group name for gid 5000. However, that did not happen. Only the numeric values were shown, except for the auxiliary group 0 (wheel). This lead me to the next clue that the missing values were not being fetched from the ldap server. The clue is the wheel group is local. To test my assumption I performed “getent passwd” to see if ldap accounts would appear:

`--> getent passwd
root:*:0:0:Uncle Charlie:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
...edited for clarity...
amanda:*:140:140:Amanda Daemon:/nonexistent:/usr/sbin/nologin
puppet:*:814:814:Puppet Daemon:/nonexistent:/sbin/nologin

My assumption was correct. The ldap accounts were not being read. Well, the next logical step was to consult the /etc/nsswitch.conf file, which was valid with correct entries:

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1 2009/08/03 08:13:06 kensmith Exp $
#
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
...edited...

What about the /opt/etc/nss_ldap file?

`--> cat /opt/etc/nss_ldap.conf
cat: /opt/etc/nss_ldap.conf: Permission denied

Ah, ha! I think I know what the problem might be:

`--> ls -l /opt/etc/nss_ldap.conf
lrwxr-xr-x  1 root  wheel  18 Mar 23  2011 /opt/etc/nss_ldap.conf -> /usr/local/etc/ldap.conf

`--> ls -lL /opt/etc/nss_ldap.conf
-rw-------  1 root  wheel  579 Sep 17 09:40 /usr/local/etc/nss_ldap.conf

Got it! Do you know what the problem was? It was not because nss_ldap was a symbolic link to ldap.conf. I’ll leave this up to the reader. But after the fix, the “id” command showed the proper output as expected:

`--> id
uid=8101(swinful) gid=5000(winfulco) groups=5000(winfulco),0(wheel),80(www),5001(users),44575(Directory Administrators)