Re: using nscd (ldap) makes passwd/group disappearing while
On 02/01/12 01:03, Benjamin Lee wrote:
> On 01/31/2012 03:03 PM, O. Hartmann wrote:
>> I'm using on a couple of servers the nameservice cache daemon nscd and
>> cache "group", "passwd" and "sudoers". Backend is LDAP, but local files
>> should be searched first, then ldap. Cache is searched the very first, even
>> before files.
>>
>> Well, I'd expect that if a group is present, like "cups" or "dhcp" and
>> reside in the local file (/etc/group or /etc/passwd), they are cached.
>>
>> Installing net/isc-dhcp42-server fails with this error:
>>
>>
>> gmake[1]: Leaving directory
>> `/usr/ports/net/isc-dhcp42-server/work/dhcp-4.2.3-P2/server'
>> gmake[1]: Entering directory
>> `/usr/ports/net/isc-dhcp42-server/work/dhcp-4.2.3-P2'
>> gmake[1]: Nothing to be done for `all-am'.
>> gmake[1]: Leaving directory
>> `/usr/ports/net/isc-dhcp42-server/work/dhcp-4.2.3-P2'
>> ===> Installing for isc-dhcp42-server-4.2.3_2
>> ===> Generating temporary packing list
>> ===> Creating users and/or groups.
>> Creating group `dhcpd' with gid `136'.
>> pw: group disappeared during update
>> *** Error code 70
>>
>> Stop in /usr/ports/net/isc-dhcp42-server.
>> *** Error code 1
>>
>> Stop in /usr/ports/net/isc-dhcp42-server.
>
> What's going on is:
>
> 1) The port checks if the group exists
> 2) nscd caches that the group does not exist in its negative cache
> 3) pw(8) creates the group then checks if it exists
> 4) nscd returns the negative cache entry (group does not exist)
>
> This causes pw(8) to error since it expects the group that it just
> created to exist.
>
>> I also have this error very often when rebuilding/updating or even
>> installing cups when "nscd" is enabled. A simple restart of nscd helps
>> in most cases, most times I need to disable "cache" tag in
>> /etc/nsswitch.conf, then everything runs smooth.
>>
>> Well, this behaviour is since a couple of years now, occurs sporadic. I
>> have had in FreeBSD 7, 8, 9 and I see it in 10. What is it?
>>
>> I like the cache facility, since in domains with a lot of users
>> searching LDAP takes some time and caching help keeping traffic and
>> latency short. But the nameservice caching mechanism seems to be
>> unreliable. What is up there?
>
> You should put "files" before "cache" in /etc/nsswitch.conf, e.g.:
>
> group: files cache ldap
> passwd: files cache ldap
>
> The problem is that tools that modify the passwd and group files, like
> pw(8), don't invalidate nscd's negative cache entries when making
> changes.
>
Thank you for the explanation.
Cheers,
Oliver
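
The four-step sequence from the quoted reply, replayed as a toy model under both source orderings. This is an added example, not part of the original messages and not nscd or pw(8) code; the `Resolver` class and `create_group_via_pw` helper are hypothetical, and the cache semantics are simplified to what the reply describes.

```python
# Toy model of nsswitch source ordering with a negative cache.
# Hypothetical names throughout; simplified from the behaviour described
# in the thread, not taken from nscd or pw(8) sources.

class Resolver:
    def __init__(self, order):
        self.order = order.split()            # e.g. "cache files ldap"
        self.backends = {"files": set(),      # stands in for /etc/group
                         "ldap": set()}       # stands in for the LDAP directory
        self.positive = set()                 # cached "exists" answers
        self.negative = set()                 # cached "does not exist" answers

    def lookup(self, name):
        cache_seen = False                    # only sources after "cache" get cached
        for src in self.order:
            if src == "cache":
                cache_seen = True
                if name in self.positive:
                    return True
                if name in self.negative:
                    return False              # stale negative entry ends the search
            elif name in self.backends[src]:
                if cache_seen:
                    self.positive.add(name)
                return True
        if cache_seen:
            self.negative.add(name)           # remember the miss
        return False

    def restart_cache(self):
        """Model of restarting nscd: all cached answers are dropped."""
        self.positive.clear()
        self.negative.clear()


def create_group_via_pw(resolver, name):
    """Replay steps 1-4; returns True if the post-creation check passes."""
    resolver.lookup(name)                     # 1) port checks, 2) miss is cached
    resolver.backends["files"].add(name)      # 3) group written to the local file
    return resolver.lookup(name)              # 3/4) re-check after creation


if __name__ == "__main__":
    for order in ("cache files ldap", "files cache ldap"):
        ok = create_group_via_pw(Resolver(order), "dhcpd")
        print(f"group: {order:<18} -> post-create check "
              f"{'passes' if ok else 'fails (group disappeared)'}")
```
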