Bugzilla – Bug 137793
setting samba-client requires disabling nscd cache
Last modified: 2006-03-13 23:40:10 UTC
Looks like when yast2-samba-client is configured with Active Directory, nscd cache for passwd and group has to be disabled. However, I don't like doing this without notifying the user and without giving him the possibility to revert these settings. Several questions arise here:
- Why is it necessary to remove the cache? Isn't it rather a bug somewhere else (in pam_winbind...)? If so, it should be fixed at the place where it is broken.
- In yast2-samba-client it is possible to add a checkbox for this setting, which would give the information to the user and the possibility to (not) accept it. Is it correct to add this setting here, while other authentication methods don't require it?

Stano, could you comment?
Created attachment 60195 [details] screenshot of yast2-samba-client checkbox
This requirement is caused by the caching nature of winbind itself. It uses sequence numbers (either from the SAM (NT4) or LDAP (ADS)) to maintain cached entries. When nscd is running, NSS requests do not reach winbindd directly because they are answered by nscd, and therefore winbind can't hold its own cache consistent. For winbind it is necessary that it receives NSS requests directly to e.g. clean up older entries.
Unfortunately nscd does not allow disabling caching per backend (only globally per service).
Thorsten: How hard is it to implement caching per backend?
(In reply to comment #4)
> Thorsten: How hard is it to implement caching per backend?

Impossible. nscd does not know anything about single service, this is still done by the glibc NSS functions. nscd only caches the result of getpwnam_r() and similar function calls, nothing else.
(In reply to comment #2)
> This requirement is caused by the caching nature of winbind itself. It uses
> sequence numbers (either from the SAM (NT4) or LDAP (ADS)) to maintain cached
> entries. When nscd is running NSS requests do not reach winbindd directly

nscd caches getpwnam_r(), not the underlying NSS requests.

> because they are answered by nscd and therefore winbind can't hold its own
> cache consistent. For winbind it is necessary that it receives NSS requests
> directly to e.g. cleanup older entries.

Then something in winbind is broken. Where is the difference if an application like ls or tar caches the getpwnam_r() result itself or if a daemon is doing that? Why should it work/does it work with ls and tar and not with nscd?
(In reply to comment #0)
> - why is it necessary to remove the cache? Isn't it rather bug somewhere else
> (in pam_winbind...)? If so, it should be fixed at the place where it is broken.

pam_winbind is a PAM module and should have nothing to do with NSS and nscd. PAM is something completely different from NSS.
ad comment #6
> Then something in winbind is broken. Where is the difference if an application
> like ls or tar caches the getpwnam_r() result itself or if a daemon is doing
> that? Why should it work/does it work with ls and tar and not with nscd?

Lars, Guenther: can you comment? What is the correct solution? JFYI: it is - technically - easy to "solve" it on the YaST level, but solving it this way looks like a workaround for some bug which is deeper. BTW, it was already discussed earlier, at some time yast2-samba-client used to disable nscd, then not and now it is required again.
Lars - any news?
Looks like Lars has vacations - Guenther, can you answer?
Any news here? If I won't have an answer, it cannot be implemented... (subproblem: if it requires new texts for YaST, e.g. for a checkbox, it might not get implemented because of the text freeze...)
We, Günther and me, had a discussion regarding this. Günther will provide the current state till 2006-01-14.
Uhm, the comment is still missing. I propose just to stop nscd when winbind is set for authentication as it used to be in older yast2-samba-client. (btw, I'm in NBG this week)
any news?
Sorry, but no information => no action.
Reopen as Günther should provide the missing information. See comment #12.
btw, what's the relation with bug #143927?
Ok, after thinking a little more about that I discovered libnscd which could be quite useful for us. If I understand that library correctly, it will allow us to flush the nscd caches for passwd and group at any time (in particular after we are switching from offline to online mode; Jiri, this is the relation with bug 143927). It still needs some more testing but I think with the attached patch we can cope better with nscd running. Thorsten, do I use libnscd correctly here?
Created attachment 72204 [details] flush nscd cashes at least after coming back online
libnscd will only flush the cache, nscd will not reread any configuration files. If this is what you wish to achieve, the patch looks correct.
Ok, thanks Thorsten. Fixed upstream and committed to autobuild. We might need to pull a flush_nscd_cache also when starting offline later... but closing for now.
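
As an added illustration (not part of the bug report, the attached patch, or yast2-samba-client), this Python sketch checks for the condition discussed in the thread: winbind listed as an NSS source for a database while nscd still has caching enabled for that service. The sample file contents are constructed, the function names are hypothetical, and treating a later `enable-cache` line as overriding an earlier one is an assumption of this sketch.

```python
import re

# Constructed sample files (not taken from the bug report).
NSSWITCH = """\
# /etc/nsswitch.conf
passwd: compat winbind
group:  compat winbind
hosts:  files dns
"""
NSCD = """\
# /etc/nscd.conf
enable-cache passwd yes
enable-cache group  no
enable-cache hosts  yes
"""

def strip_comment(line):
    return line.split("#", 1)[0].strip()

def winbind_databases(nsswitch_text):
    """Return the NSS databases whose source list includes winbind."""
    dbs = set()
    for raw in nsswitch_text.splitlines():
        line = strip_comment(raw)
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Drop action items such as [NOTFOUND=return] before splitting sources.
        names = re.sub(r"\[[^\]]*\]", " ", sources).split()
        if "winbind" in names:
            dbs.add(db.strip())
    return dbs

def cached_services(nscd_text):
    """Return services set to 'enable-cache <service> yes'.
    Assumption of this sketch: a later line overrides an earlier one;
    services with no enable-cache line are not reported."""
    state = {}
    for raw in nscd_text.splitlines():
        fields = strip_comment(raw).split()
        if len(fields) == 3 and fields[0] == "enable-cache":
            state[fields[1]] = fields[2].lower() == "yes"
    return {svc for svc, on in state.items() if on}

def conflicts(nsswitch_text, nscd_text):
    """Databases served by winbind that nscd would still answer from its cache."""
    return sorted(winbind_databases(nsswitch_text) & cached_services(nscd_text))

if __name__ == "__main__":
    for db in conflicts(NSSWITCH, NSCD):
        print(f"nscd caches '{db}' while winbind is an NSS source for it")
```

To audit a real host, pass the contents of `/etc/nsswitch.conf` and `/etc/nscd.conf` to `conflicts()` in place of the constructed samples.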