On Tue, Mar 13, 2007 at 10:01:09AM +0200, Jonathan McKeown wrote: > On Tuesday 13 March 2007 09:16, Gerhard Schmidt wrote: > > On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote: > > > On 3/12/07, Gerhard Schmidt <[EMAIL PROTECTED]> wrote: > > > >Hi, > > > > > > Hello, > > > > > > >As I see it, nss asks all sources even if the frist one allready knows > > > > the answer. Is there a way to change this. > > > > > > man nsswitch.conf(5) > > > Look for Status codes and Actions > > > > Doesn't work. Tried the follwing nsswitch.conf > > group: files [success=return] ldap > > hosts: files dns > > networks: files > > passwd: files [success=return] ldap > > shells: files > > > > This doesn't change the delay. And the nss_ldap timeout is still reported. > > This is not supprising because the manpage states [success=return] is > > default. > > > > Seams there is a bug somewhere. > > It's a well-known problem rather than a bug, and it arises when looking up > group information for a user. The system needs a list of all the groups the > user is a member of. Since it's a list, not a single answer, you can't > short-circuit the process with ``success'' after finding a single result: > initgroups(3) must work through all possible sources of group information to > build the list.
I think its still a bug. You are right that all groups should be found so
the default for groups should be success=continue to have this done. But
when I explicily specify that on success the process should abort, it
should be done exacly this way.
> The only ``workaround'' I've seen suggested is the parameter introduced
> recently in nss_ldap:
>
> nss_initgroups_ignoreusers
>
> It takes a comma-separated list of users for whom the nss_ldap initgroups
> routine should immediately return NSS_STATUS_NOTFOUND. If you keep group
> information for all the system users in /etc/group only, and add them all to
> this line in nss_ldap.conf, it should remove the problem. (Warning: I haven't
> tested this).
This may fix the problem with nss_ldap but its still there with other
modules.
Bye
Estartu
--
----------------------------------------------------------------------------
Gerhard Schmidt | Nick : estartu IRC : Estartu |
Fischbachweg 3 | | PGP Public Key
86856 Hiltenfingen | EMail: [EMAIL PROTECTED] | on request
Germany | |
pgpSRTSjZBJDk.pgp
Description: PGP signature
