On Tue, Mar 13, 2007 at 10:01:09AM +0200, Jonathan McKeown wrote:
> On Tuesday 13 March 2007 09:16, Gerhard Schmidt wrote:
> > On Tue, Mar 13, 2007 at 12:07:15AM +0100, Pietro Cerutti wrote:
> > > On 3/12/07, Gerhard Schmidt <[EMAIL PROTECTED]> wrote:
> > > >Hi,
> > >
> > > Hello,
> > >
> > > >As I see it, nss asks all sources even if the first one already knows
> > > > the answer. Is there a way to change this.
> > >
> > > man nsswitch.conf(5)
> > > Look for Status codes and Actions
> >
> > Doesn't work. Tried the following nsswitch.conf
> > group: files [success=return] ldap
> > hosts: files dns
> > networks: files
> > passwd: files [success=return] ldap
> > shells: files
> >
> > This doesn't change the delay. And the nss_ldap timeout is still reported.
> > This is not surprising because the manpage states [success=return] is
> > default.
> >
> > Seems there is a bug somewhere.
> 
> It's a well-known problem rather than a bug, and it arises when looking up 
> group information for a user. The system needs a list of all the groups the 
> user is a member of. Since it's a list, not a single answer, you can't 
> short-circuit the process with ``success'' after finding a single result: 
> initgroups(3) must work through all possible sources of group information to 
> build the list.

I think it's still a bug. You are right that all groups should be found so 
the default for groups should be success=continue to have this done. But 
when I explicitly specify that on success the process should abort, it
should be done exactly this way. 

> The only ``workaround'' I've seen suggested is the parameter introduced 
> recently in nss_ldap:
> 
> nss_initgroups_ignoreusers
> 
> It takes a comma-separated list of users for whom the nss_ldap initgroups 
> routine should immediately return NSS_STATUS_NOTFOUND. If you keep group 
> information for all the system users in /etc/group only, and add them all to 
> this line in nss_ldap.conf, it should remove the problem. (Warning: I haven't 
> tested this).

This may fix the problem with nss_ldap but it's still there with other
modules. 

Bye
        Estartu

-- 
----------------------------------------------------------------------------
Gerhard Schmidt    | Nick : estartu      IRC : Estartu  |
Fischbachweg 3     |                                    |  PGP Public Key
86856 Hiltenfingen | EMail: [EMAIL PROTECTED]          |  on request 
Germany            |                                    |  
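
Added example, not part of the original messages and not nss_ldap's own code: one way to generate the nss_initgroups_ignoreusers line discussed above from a passwd(5)-format file. It assumes every account in the local file keeps its group memberships only in /etc/group; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Build the "nss_initgroups_ignoreusers" line for nss_ldap.conf from a
# passwd(5)-format file. Assumption: every account in that file is a
# system user whose groups live only in /etc/group, because nss_ldap
# returns NSS_STATUS_NOTFOUND for listed users and they therefore get
# no group memberships from LDAP at all.

build_ignoreusers() {
    # $1: path to a passwd-format file (7 or more colon-separated fields)
    awk -F: '
        /^[ \t]*#/ || NF < 7 { next }    # skip comments and malformed lines
        $1 == "" || $1 ~ /^[+-]/ { next } # skip empty names and compat entries
        !seen[$1]++ { names = names (names ? "," : "") $1 }
        END { if (names) print "nss_initgroups_ignoreusers " names }
    ' "$1"
}

# Constructed sample input: a comment, three accounts, a duplicate,
# a malformed line and a compat "+" entry.
sample_passwd() {
    cat <<'EOF'
# constructed sample, not a real system file
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
root:*:0:0:duplicate entry:/root:/bin/sh
broken:line
+::::::
EOF
}

# Demo run on the constructed sample; on a real host, pass /etc/passwd
# and review the list before adding the line to nss_ldap.conf.
tmp=$(mktemp)
sample_passwd > "$tmp"
build_ignoreusers "$tmp"
rm -f "$tmp"
```

As the reply above notes, this only affects nss_ldap's initgroups routine; other NSS modules are still consulted.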
