
We just set up Active Directory in my company and imported all Linux users and groups.

On the Linux client (configured to query LDAP in nsswitch.conf):

If I do a plain ldapsearch against the AD LDAP server I get the complete count of about 2580 users. But if I do this, it only gets a part of all users, 1221 in number:

getent passwd | wc -l

Running it with strace shows some kind of attempt to reconnect.

My ideas were: does the Linux authentication procedure run ldapsearch with a parameter incompatible with AD LDAP? Or perhaps it is an encoding issue. The Windows users are entered in AD with all kinds of characters.

Maybe someone could shed light on this and give a hint on how to debug this further!?

Here's our ldap.conf:

host audc01.mycompany.de audc03.mycompany.de
base ou=location,dc=mycompany,dc=de
ldap_version 3
binddn cn=manager,ou=location,dc=mycompany,dc=de
bindpw Password
timelimit 120
idle_timelimit 3600

nss_base_passwd cn=users,cn=import,ou=location,dc=mycompany,dc=de?sub
nss_base_group ou=location,dc=mycompany,dc=de?sub

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount User
# nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid sAMAccountName
nss_map_attribute cn sAMAccountName
# Display Name
nss_map_attribute gecos cn
##
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute loginShell msSFU30LoginShell

# PAM attributes
pam_login_attribute sAMAccountName
# Location based login
pam_groupdn CN=Location-AU-Login,OU=au,OU=Location,DC=mycompany,DC=de
pam_member_attribute msSFU30PosixMember
##
pam_lookup_policy yes
pam_filter objectclass=User

nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,statd,sync,sys,syslog,usbmux,uucp,www-data

and here is the trace from

strace getent passwd

poll([{fd=4, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 120000) = 1 ([{fd=4, revents=POLLIN}])
read(4, "0\204\0\0\0A\2\1", 8)          = 8
read(4, "\4e\204\0\0\0\7\n\1\0\4\0\4\0\240\204\0\0\0+0\204\0\0\0%\4\0261.2."..., 63) = 63
stat64("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=1151, ...}) = 0
geteuid32()                             = 12560
getsockname(4, {sa_family=AF_INET, sin_port=htons(60334), sin_addr=inet_addr("10.1.35.51")}, [16]) = 0
getpeername(4, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("10.1.5.81")}, [16]) = 0
time(NULL)                              = 1297684722
rt_sigaction(SIGPIPE, {SIG_DFL, [], 0}, NULL, 8) = 0
munmap(0xb7617000, 1721)                = 0
close(3)                                = 0
rt_sigaction(SIGPIPE, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGPIPE, {SIG_DFL, [], 0}, NULL, 8) = 0
rt_sigaction(SIGPIPE, {SIG_IGN, [], 0}, {SIG_DFL, [], 0}, 8) = 0
write(4, "0\5\2\1\5B\0", 7)             = 7
shutdown(4, 2 /* send and receive */)   = 0
close(4)                                = 0
shutdown(-1, 2 /* send and receive */)  = -1 EBADF (Bad file descriptor)
close(-1)                               = -1 EBADF (Bad file descriptor)
exit_group(0)                           = ?
groovehunter

1 Answer


You may be running into the AD LDAP page-size limit. I don't remember what that is off the top of my head, but it does mean that the LDAP client needs to be able to support the paging extension. This retrieves large queries in chunks of a specific size. Our tree has close to 30,000 accounts in it once you count in Computers and Users, so getting it requires paging support. It could be that getent passwd doesn't support it, but querying individual users works just fine.

sysadmin1138
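To make the page-size behaviour the answer describes concrete, here is an added example (not code from the question or the answer, and not a real LDAP client): an in-memory stand-in for an AD server that enforces MaxPageSize, beside the RFC 2696 paged-results loop a client needs to read every entry. The stand-in assumes AD's default MaxPageSize of 1000; the questioner's server may be configured differently, and the 2580-account directory is constructed from the figure in the question.

```python
# Added example: models AD's MaxPageSize (default 1000 entries) and the
# RFC 2696 simple paged results loop. FakeAD is a constructed stand-in
# for a directory server, not a real AD or a real LDAP library.
from dataclasses import dataclass

@dataclass
class FakeAD:
    """Minimal stand-in for an AD DSA enforcing MaxPageSize."""
    entries: list                      # constructed user list
    max_page_size: int = 1000          # AD default LDAP policy (assumption)

    def search(self, page_size=None, cookie=b""):
        """Return (entries, next_cookie, truncated).
        Without a paged-results control the server stops at MaxPageSize
        and flags sizeLimitExceeded; with one it returns a cookie for the
        next page until the result set is exhausted."""
        if page_size is None:
            page = self.entries[: self.max_page_size]
            return page, b"", len(page) < len(self.entries)
        start = int(cookie) if cookie else 0
        size = min(page_size, self.max_page_size)   # server caps the page
        page = self.entries[start:start + size]
        end = start + len(page)
        next_cookie = str(end).encode() if end < len(self.entries) else b""
        return page, next_cookie, False

def unpaged_count(server):
    """What a client without paging support sees: a silently short list."""
    page, _, truncated = server.search()
    return len(page), truncated

def paged_search(server, page_size=500):
    """RFC 2696 loop: re-issue the search with the returned cookie until
    the server hands back an empty cookie."""
    results, cookie = [], b""
    while True:
        page, cookie, _ = server.search(page_size=page_size, cookie=cookie)
        results.extend(page)
        if not cookie:
            return results

# Constructed directory of 2580 accounts, the figure from the question.
USERS = [f"user{i:04d}" for i in range(2580)]
AD = FakeAD(USERS)

if __name__ == "__main__":
    n, truncated = unpaged_count(AD)
    print(f"unpaged: {n} entries, truncated={truncated}")
    print(f"paged:   {len(paged_search(AD))} entries")
```

The practical check on a real client is to compare `getent passwd | wc -l` with a count from an ldapsearch that requests paging (OpenLDAP's `ldapsearch -E pr=1000/noprompt`); a gap between the two points at the NSS module rather than at the directory contents.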