Date: Wed, 01 Feb 2012 09:55:27 +0100
From: "O. Hartmann" <ohartman@mail.zedat.fu-berlin.de>
To: Benjamin Lee <ben@b1c1l1.com>
Cc: Current FreeBSD <freebsd-current@freebsd.org>
Subject: Re: using nscd (ldap) makes passwd/group disappearing while installing ports
Message-ID: <4F28FDFF.10606@mail.zedat.fu-berlin.de>
In-Reply-To: <4F28814D.2030804@b1c1l1.com>
References: <4F287338.8000002@zedat.fu-berlin.de> <4F28814D.2030804@b1c1l1.com>
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

On 02/01/12 01:03, Benjamin Lee wrote:
> On 01/31/2012 03:03 PM, O. Hartmann wrote:
>> I'm using on a couple of servers the nameservice cache daemon nscd and
>> cache "group", "passwd" and "sudoers". Backend is LDAP, but local files
>> should be searched first, then ldap. Cache is searched the very first, even
>> before files.
>>
>> Well, I'd expect that if a group is present, like "cups" or "dhcp" and
>> reside in the local file (/etc/group or /etc/passwd), they are cached.
>>
>> Installing net/isc-dhcp42-server fails with this error:
>>
>>
>> gmake[1]: Leaving directory
>> `/usr/ports/net/isc-dhcp42-server/work/dhcp-4.2.3-P2/server'
>> gmake[1]: Entering directory
>> `/usr/ports/net/isc-dhcp42-server/work/dhcp-4.2.3-P2'
>> gmake[1]: Nothing to be done for `all-am'.
>> gmake[1]: Leaving directory
>> `/usr/ports/net/isc-dhcp42-server/work/dhcp-4.2.3-P2'
>> ===> Installing for isc-dhcp42-server-4.2.3_2
>> ===> Generating temporary packing list
>> ===> Creating users and/or groups.
>> Creating group `dhcpd' with gid `136'.
>> pw: group disappeared during update
>> *** Error code 70
>>
>> Stop in /usr/ports/net/isc-dhcp42-server.
>> *** Error code 1
>>
>> Stop in /usr/ports/net/isc-dhcp42-server.
>
> What's going on is:
>
> 1) The port checks if the group exists
> 2) nscd caches that the group does not exist in its negative cache
> 3) pw(8) creates the group then checks if it exists
> 4) nscd returns the negative cache entry (group does not exist)
>
> This causes pw(8) to error since it expects the group that it just
> created to exist.
>
>> I also have this error very often when rebuilding/updating or even
>> installing cups when "nscd" is enabled. A simple restart of nscd helps
>> in most cases, most times I need to disable "cache" tag in
>> /etc/nsswitch.conf, then everything runs smooth.
>>
>> Well, this behaviour is since a couple of years now, occurs sporadically. I
>> have had it in FreeBSD 7, 8, 9 and I see it in 10. What is it?
>>
>> I like the cache facility, since in domains with a lot of users
>> searching LDAP takes some time and caching helps keeping traffic and
>> latency short. But the nameservice caching mechanism seems to be
>> unreliable. What is up there?
>
> You should put "files" before "cache" in /etc/nsswitch.conf, e.g.:
>
> group: files cache ldap
> passwd: files cache ldap
>
> The problem is that tools that modify the passwd and group files, like
> pw(8), don't invalidate nscd's negative cache entries when making
> changes.
>
>

Thank you for the explanation.

Cheers,
Oliver
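
The four steps described in the thread can be replayed with a small model that compares the two source orderings. This is an added example, not part of the original messages and not nscd or pw(8) code; the Resolver class, the install_port function and the sample group names are assumptions made for the illustration.

```python
# Simplified model of nsswitch source ordering with a negative cache.
# Added illustration only: not nscd or pw(8) code; all names are hypothetical.

class Resolver:
    """Walks sources in nsswitch.conf order for a group lookup."""

    def __init__(self, order, local_groups, ldap_groups=()):
        self.order = order                # e.g. ["cache", "files", "ldap"]
        self.files = set(local_groups)    # stands in for /etc/group
        self.ldap = set(ldap_groups)      # stands in for the LDAP backend
        self.cache = {}                   # name -> True (hit) / False (negative)

    def group_exists(self, name):
        cache_seen = False
        for src in self.order:
            if src == "cache":
                cache_seen = True
                if name in self.cache:
                    return self.cache[name]   # negative entry ends the search
            elif name in (self.files if src == "files" else self.ldap):
                if cache_seen:
                    self.cache[name] = True   # cache results of later sources
                return True
        if cache_seen:
            self.cache[name] = False          # remember the miss
        return False

    def restart_cache(self):
        self.cache.clear()                    # models restarting the cache daemon


def install_port(order, group="dhcpd", restart=False):
    """Replays the four steps from the thread; returns (before, after)."""
    r = Resolver(order, local_groups={"wheel", "cups"})
    before = r.group_exists(group)   # 1) port checks; 2) miss may be cached
    r.files.add(group)               # 3) pw(8) adds the group to the local file
    if restart:
        r.restart_cache()
    after = r.group_exists(group)    # 4) re-check that pw(8) performs
    return before, after


if __name__ == "__main__":
    for order in (["cache", "files", "ldap"], ["files", "cache", "ldap"]):
        print(order, install_port(order))
```

With "cache" first the re-check returns the stale negative entry; with "files" first, or after the cache is cleared, the newly created local group is visible.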