Re: Does anyone use nscd?

2011-10-13 Thread Andrey Zonov

Nope, because of http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/130749

--
Andrey Zonov


04.10.2011 19:20, Dag-Erling Smørgrav wrote:

Does anyone actually use nscd?

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to freebsd-hackers-unsubscr...@freebsd.org


Re: Does anyone use nscd?

2011-10-11 Thread Michael Bushkov
On Tue, Oct 11, 2011 at 1:42 PM,  per...@pluto.rain.com wrote:
 Doug Barton do...@freebsd.org wrote:

 On 10/10/2011 11:55, David Brodbeck wrote:
  Is there any reason to cache negative hits?

 It's very important for DNS since there are a fairly large number
 of misbehaving applications that don't stop querying until they
 get some kind of answer.

 Would this need be sufficiently covered if negative cache timeout
 were set to, say, 1/4 of a second?  That should be short enough
 to cover virtually any instance in which a missing entry is added
 manually and the new entry then needs to be found.

You can actually change the negative caching timeout as well as turn it
off completely. There's a negative-time-to-live option in nscd.conf (see
http://www.freebsd.org/cgi/man.cgi?query=nscd.conf). Unfortunately it
accepts only an integer number of seconds, so 1/4 of a second is
impossible. But you can turn negative caching off completely by
setting negative-time-to-live to 0.


 And speaking of DNS, while I think that improving nscd is a good
 goal I wonder how much use it will be in the world to come when
 DNSSEC becomes more important ...

 Is there something about DNSSEC that makes it fundamentally
 incompatible with a local cache such as nscd, or is it simply
 a matter of nscd needing a bit of work to support DNSSEC?




Re: Does anyone use nscd?

2011-10-11 Thread Stefan Esser
On 11.10.2011 10:32, Michael Bushkov wrote:
 On Tue, Oct 11, 2011 at 1:42 PM,  per...@pluto.rain.com wrote:
 Doug Barton do...@freebsd.org wrote:

 On 10/10/2011 11:55, David Brodbeck wrote:
 Is there any reason to cache negative hits?

 It's very important for DNS since there are a fairly large number
 of misbehaving applications that don't stop querying until they
 get some kind of answer.

 Would this need be sufficiently covered if negative cache timeout
 were set to, say, 1/4 of a second?  That should be short enough
 to cover virtually any instance in which a missing entry is added
 manually and the new entry then needs to be found.
 
 You can actually change the negative caching timeout as well as turn it
 off completely. There's a negative-time-to-live option in nscd.conf (see
 http://www.freebsd.org/cgi/man.cgi?query=nscd.conf). Unfortunately it
 accepts only an integer number of seconds, so 1/4 of a second is
 impossible. But you can turn negative caching off completely by
 setting negative-time-to-live to 0.

Just an idea, which would slightly complicate the internal logic,
but not by too much, IMHO:

How about counting negative hits and requiring a *threshold* to be
crossed, *before cached negative results are returned*?

E.g. if there is a negative response, then put it into the cache with
a timeout of e.g. 60 seconds, but do not rely on the cached value but
repeat the actual lookup if another query is issued. Only after e.g. 5
queries that were not answered from the cache within the (relatively
short) negative cache timeout period, the cached reply is returned as
is currently done for the second query already.

This would introduce a 3rd state besides known-to-exist and
known-to-not-exist. The 3rd state would be expected-to-not-exist and that
state would migrate to known-to-not-exist for a (possibly longer) time
after it has been confirmed a number of times by repeating the lookup.

The code changes should be simple, only needing a counter for the
number of retries for a cached negative result. The threshold should
be configurable as well as the timeout for the 3rd state.

This should cover install scripts (which check just once or twice for
the existence of a UID/GID before deciding to create it), but also
negative DNS lookups (which would quickly migrate to state
known-to-not-exist).

Think of this proposal as a rate-limiting of queries for probably not
existing entries. There will be the specified number of retries after
negative replies within the specified time window. Any other query will
be answered from the cached negative entry.

But if there is a positive reply, before the retries are used up, the
newly defined value will be cached instead of the negative reply without
any delay (not even 1/4 of a second).

Regards, Stefan


Re: Does anyone use nscd?

2011-10-10 Thread David Brodbeck
On Fri, Oct 7, 2011 at 3:30 AM, Michael Bushkov bush...@freebsd.org wrote:

 While I agree that nscd negative caching bug should be fixed, it won't
 help with the problem that users encounter during ports installation.
 When, for example, user x is added during port install, the
 following steps are involved:
 1. Script checks if x is present in the users list. Nscd is queried,
 it returns negative and caches negative answer.
 2. Script adds user x.
 3. Script checks that x has indeed been added. Nscd is queried,
 cached negative answer is returned. Script fails as a result.

 So unless negative caching time is less than the time between steps 1)
 and 3) the issues during ports installation will persist.


Is there any reason to cache negative hits?  It seems like you shouldn't see
large volumes of them except in some fairly specific circumstances, like
extracting a tarball as the root user with invalid UIDs.  Maybe I'm missing
something, but it seems like turning off negative caching would avoid a lot
of potential problems for not much cost.

-- 
David Brodbeck
System Administrator, Linguistics
University of Washington


Re: Does anyone use nscd?

2011-10-10 Thread Doug Barton
On 10/10/2011 11:55, David Brodbeck wrote:
 Is there any reason to cache negative hits?

It's very important for DNS since there are a fairly large number of
misbehaving applications that don't stop querying until they get some
kind of answer.

And speaking of DNS, while I think that improving nscd is a good goal I
wonder how much use it will be in the world to come when DNSSEC becomes
more important ...


-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



Re: Does anyone use nscd?

2011-10-10 Thread David Brodbeck
On Mon, Oct 10, 2011 at 1:09 PM, Doug Barton do...@freebsd.org wrote:

 On 10/10/2011 11:55, David Brodbeck wrote:
  Is there any reason to cache negative hits?

 It's very important for DNS since there are a fairly large number of
 misbehaving applications that don't stop querying until they get some
 kind of answer.


That's a good point.  I hadn't thought about it in terms of DNS; we use it
mainly for caching LDAP lookups.

-- 
David Brodbeck
System Administrator, Linguistics
University of Washington


Re: Does anyone use nscd?

2011-10-10 Thread perryh
Doug Barton do...@freebsd.org wrote:

 On 10/10/2011 11:55, David Brodbeck wrote:
  Is there any reason to cache negative hits?

 It's very important for DNS since there are a fairly large number
 of misbehaving applications that don't stop querying until they
 get some kind of answer.

Would this need be sufficiently covered if negative cache timeout
were set to, say, 1/4 of a second?  That should be short enough
to cover virtually any instance in which a missing entry is added
manually and the new entry then needs to be found.

 And speaking of DNS, while I think that improving nscd is a good
 goal I wonder how much use it will be in the world to come when
 DNSSEC becomes more important ...

Is there something about DNSSEC that makes it fundamentally
incompatible with a local cache such as nscd, or is it simply
a matter of nscd needing a bit of work to support DNSSEC?


Re: Does anyone use nscd?

2011-10-08 Thread Jilles Tjoelker
On Wed, Oct 05, 2011 at 03:54:00PM -0700, Artem Belevich wrote:
 2011/10/5 Dag-Erling Smørgrav d...@des.no:
  Michael Bushkov bush...@freebsd.org writes:
  2. Consequences of the aforementioned problem can probably be
  corrected by using _setsockopt(..., SO_NOSIGPIPE) in
  __open_cached_connection() in nscachedcli.c

  That sounds like a workaround rather than a fix...

 Not necessarily. Using SO_NOSIGPIPE is a valid option when someone
 wants to see read/write on a closed socket fail and return -1 with
 errno=EPIPE.

 Quick grep in libc shows that resolver code in
 lib/libc/resolv/res_send.c also sets SO_NOSIGPIPE for exactly that
 reason.

Disabling SIGPIPE is good anyway because a crashing/dying nscd should
not cause applications to terminate. However, if EPIPE/SIGPIPE happens
in normal operation, that is still a bug that should be fixed.

By the way, SO_NOSIGPIPE is not in POSIX.1-2008 while the MSG_NOSIGNAL
flag to send() is. It may be better to replace the write() call with
send() with the MSG_NOSIGNAL flag and drop the setsockopt().

-- 
Jilles Tjoelker
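As an added illustration of the two options Jilles describes (example code written for this page, not nscd's own nscachedcli.c), the C program below puts the per-socket SO_NOSIGPIPE setting, which FreeBSD has but POSIX does not require, next to the portable per-call MSG_NOSIGNAL flag on send(). The probe function builds a socketpair, closes the "daemon" side to stand in for an nscd that has died, and writes on the client side; the caller survives and sees -1/EPIPE instead of a fatal SIGPIPE. The function names and the request string are made up for the demo; the string is not nscd's wire protocol.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0   /* platform lacks it; SO_NOSIGPIPE must then carry the load */
#endif

/* Per-socket approach (BSD): opt out of SIGPIPE for every write on fd.
 * Returns 0 on success; on platforms without SO_NOSIGPIPE it is a no-op. */
int disable_sigpipe_on_socket(int fd)
{
#ifdef SO_NOSIGPIPE
    int one = 1;
    return setsockopt(fd, SOL_SOCKET, SO_NOSIGPIPE, &one, sizeof one);
#else
    (void)fd;
    return 0;
#endif
}

/* Per-call approach (POSIX.1-2008): send() with MSG_NOSIGNAL instead of write().
 * A closed peer then yields -1/EPIPE rather than a process-killing SIGPIPE. */
ssize_t write_nosignal(int fd, const void *buf, size_t len)
{
    return send(fd, buf, len, MSG_NOSIGNAL);
}

/* Simulate a client whose cache daemon has gone away. Returns the errno seen
 * on the write (EPIPE expected), 0 if the write unexpectedly succeeded, or -1
 * if the socketpair could not be created. The request text is constructed for
 * the demo and is not the real nscd protocol. */
int probe_dead_peer_write(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    disable_sigpipe_on_socket(sv[0]);
    close(sv[1]);                       /* the "daemon" end dies */

    const char req[] = "getpwnam x\n";
    ssize_t n = write_nosignal(sv[0], req, sizeof req - 1);
    int err = (n < 0) ? errno : 0;
    close(sv[0]);
    return err;
}

int main(void)
{
    int err = probe_dead_peer_write();
    printf("write to dead peer: %s\n", err ? strerror(err) : "succeeded?!");
    return 0;
}
```

A process-wide signal(SIGPIPE, SIG_IGN) would also stop the crash, but libc code servicing an application's getpwnam() has no business changing the application's signal dispositions, which is why the per-call flag Jilles suggests is the better fit for the client library.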


Re: Does anyone use nscd?

2011-10-07 Thread perryh
Ivan Voras ivo...@freebsd.org wrote:
 On 05/10/2011 09:38, Trond Endrestøl wrote:
  On Wed, 5 Oct 2011 12:54+1030, Daniel O'Connor wrote:
  In my experience nscd seems to cache negative hits forever,
  regardless of the setting for negative-time-to-live.
  
  I'm glad to see I'm not the only one who has noticed this odd 
  behaviour of nscd. Shame on me for not speaking up sooner, but
  I feared I might be proved wrong (again), and yes, that's a
  lame excuse. :-/

 +1.

 It's very annoying when installing ports which add users - the
 port adds it then in some future code checks it and it fails.
 I've noticed it with at least CUPS.

Sounds as if there ought to be a unified mechanism for ports
to use when adding users, so that necessary notifications --
e.g. restarting nscd if it is running -- can be done in a
standardized way and any necessary customizations can be done
in a single place.


Re: Does anyone use nscd?

2011-10-07 Thread Tom Evans
On Fri, Oct 7, 2011 at 3:05 PM,  per...@pluto.rain.com wrote:
 Ivan Voras ivo...@freebsd.org wrote:
 On 05/10/2011 09:38, Trond Endrestøl wrote:
  On Wed, 5 Oct 2011 12:54+1030, Daniel O'Connor wrote:
  In my experience nscd seems to cache negative hits forever,
  regardless of the setting for negative-time-to-live.
 
  I'm glad to see I'm not the only one who has noticed this odd
  behaviour of nscd. Shame on me for not speaking up sooner, but
  I feared I might be proved wrong (again), and yes, that's a
  lame excuse. :-/

 +1.

 It's very annoying when installing ports which add users - the
 port adds it then in some future code checks it and it fails.
 I've noticed it with at least CUPS.

 Sounds as if there ought to be a unified mechanism for ports
 to use when adding users, so that necessary notifications --
 e.g. restarting nscd if it is running -- can be done in a
 standardized way and any necessary customizations can be done
 in a single place.

Or nscd fixed to not permanently cache negative hits. Seems more correct.

Cheers

Tom


Re: Does anyone use nscd?

2011-10-07 Thread Michael Bushkov
While I agree that nscd negative caching bug should be fixed, it won't
help with the problem that users encounter during ports installation.
When, for example, user x is added during port install, the
following steps are involved:
1. Script checks if x is present in the users list. Nscd is queried,
it returns negative and caches negative answer.
2. Script adds user x.
3. Script checks that x has indeed been added. Nscd is queried,
cached negative answer is returned. Script fails as a result.

So unless negative caching time is less than the time between steps 1)
and 3) the issues during ports installation will persist. I like
perryh@ idea of fixing it within ports. If we introduce some standard
way of adding users/groups then this standard routine can take care of
nscd. I don't know how much work this will require though...

Cheers,
Michael

On Fri, Oct 7, 2011 at 11:51 AM, Tom Evans tevans...@googlemail.com wrote:
 On Fri, Oct 7, 2011 at 3:05 PM,  per...@pluto.rain.com wrote:
 Ivan Voras ivo...@freebsd.org wrote:
 On 05/10/2011 09:38, Trond Endrestøl wrote:
  On Wed, 5 Oct 2011 12:54+1030, Daniel O'Connor wrote:
  In my experience nscd seems to cache negative hits forever,
  regardless of the setting for negative-time-to-live.
 
  I'm glad to see I'm not the only one who has noticed this odd
  behaviour of nscd. Shame on me for not speaking up sooner, but
  I feared I might be proved wrong (again), and yes, that's a
  lame excuse. :-/

 +1.

 It's very annoying when installing ports which add users - the
 port adds it then in some future code checks it and it fails.
 I've noticed it with at least CUPS.

 Sounds as if there ought to be a unified mechanism for ports
 to use when adding users, so that necessary notifications --
 e.g. restarting nscd if it is running -- can be done in a
 standardized way and any necessary customizations can be done
 in a single place.

 Or nscd fixed to not permanently cache negative hits. Seems more correct.

 Cheers

 Tom


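Stefan Esser's three-state negative cache, proposed earlier in this thread, is the mechanism that would let step 3 of Michael's sequence succeed without shrinking the timeout to fractions of a second. The C program below is an added example for this page, not nscd's code: it implements that state machine (an expected-to-not-exist entry keeps re-asking the backend until a configurable threshold of confirmed negatives moves it to known-to-not-exist; a positive reply replaces the negative immediately) and runs both Michael's check/add/check sequence and a "hammering" sequence through it. The in-memory user table, the names, the TTLs and the threshold of 5 are constructed for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Cache states for a name, as Stefan Esser proposed (ST_EMPTY = no entry yet). */
enum state { ST_EMPTY, ST_KNOWN_EXISTS, ST_EXPECTED_NOT_EXISTS, ST_KNOWN_NOT_EXISTS };

struct entry {
    char key[32];
    enum state st;
    int negatives;   /* backend-confirmed negative answers in the current window */
    long expires;    /* absolute time (seconds) after which the entry is stale */
};

struct negcache {
    struct entry e[16];
    int n;
    int threshold;   /* confirmed negatives needed before the cache answers itself */
    long short_ttl;  /* window for the expected-to-not-exist state */
    long long_ttl;   /* TTL once an entry is known-to-not-exist */
    long pos_ttl;    /* TTL for positive answers */
};

/* Authoritative lookup (passwd, LDAP, DNS...): true if the name exists. */
typedef bool (*backend_fn)(const char *key, void *ctx);

static struct entry *cache_slot(struct negcache *c, const char *key) {
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->e[i].key, key) == 0) return &c->e[i];
    if (c->n == 16) return NULL;
    struct entry *e = &c->e[c->n++];
    memset(e, 0, sizeof *e);
    strncpy(e->key, key, sizeof e->key - 1);
    return e;
}

/* Returns whether key exists; *hit is true when no backend call was made. */
bool cache_lookup(struct negcache *c, const char *key, long now,
                  backend_fn backend, void *ctx, bool *hit) {
    struct entry *e = cache_slot(c, key);
    *hit = false;
    if (e == NULL) return backend(key, ctx);              /* cache full: pass through */
    if (e->st != ST_EMPTY && now >= e->expires) e->st = ST_EMPTY;   /* stale */
    if (e->st == ST_KNOWN_EXISTS)     { *hit = true; return true; }
    if (e->st == ST_KNOWN_NOT_EXISTS) { *hit = true; return false; }
    /* ST_EMPTY or ST_EXPECTED_NOT_EXISTS: repeat the real lookup. */
    if (backend(key, ctx)) {
        e->st = ST_KNOWN_EXISTS;   /* a positive reply replaces the negative at once */
        e->expires = now + c->pos_ttl;
        return true;
    }
    if (e->st == ST_EMPTY) {
        e->st = ST_EXPECTED_NOT_EXISTS;
        e->negatives = 1;
        e->expires = now + c->short_ttl;
    } else if (++e->negatives >= c->threshold) {
        e->st = ST_KNOWN_NOT_EXISTS;   /* confirmed often enough: trust the cache */
        e->expires = now + c->long_ttl;
    }
    return false;
}

/* Constructed backend: an in-memory user list standing in for passwd. */
struct users { const char *names[8]; int n; };
static bool user_exists(const char *key, void *ctx) {
    struct users *u = ctx;
    for (int i = 0; i < u->n; i++)
        if (strcmp(u->names[i], key) == 0) return true;
    return false;
}

/* Michael Bushkov's port-install sequence: check, add the user, check again.
 * True when step 3 sees the new user because the backend was re-asked. */
bool ports_install_scenario(void) {
    struct negcache c = { .threshold = 5, .short_ttl = 60, .long_ttl = 600, .pos_ttl = 600 };
    struct users u = { { "root", "daemon" }, 2 };
    bool hit;
    bool step1 = cache_lookup(&c, "x", 0, user_exists, &u, &hit);  /* negative */
    u.names[u.n++] = "x";                                           /* pw useradd x */
    bool step3 = cache_lookup(&c, "x", 1, user_exists, &u, &hit);  /* positive */
    return !step1 && step3 && !hit;
}

/* An application hammering a missing name ten times inside the window:
 * returns how many queries reached the backend (the threshold, 5). */
int hammering_scenario(void) {
    struct negcache c = { .threshold = 5, .short_ttl = 60, .long_ttl = 600, .pos_ttl = 600 };
    struct users u = { { "root" }, 1 };
    int backend_calls = 0;
    for (long t = 0; t < 10; t++) {
        bool hit;
        cache_lookup(&c, "nosuch", t, user_exists, &u, &hit);
        if (!hit) backend_calls++;
    }
    return backend_calls;
}

int main(void) {
    printf("port install sees new user: %s\n", ports_install_scenario() ? "yes" : "no");
    printf("backend calls for 10 misses: %d\n", hammering_scenario());
    return 0;
}
```

The point of the threshold is that the first few lookups after a negative are never served from the cache, so a script that adds a user between its two checks always sees the real answer, while a misbehaving application that keeps asking for a missing name is still rate-limited once the negative has been confirmed `threshold` times.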


Re: Does anyone use nscd?

2011-10-07 Thread Ulrich Spörlein
On Thu, 2011-10-06 at 00:44:10 -0500, Dan Nelson wrote:
 In the last episode (Oct 04), Trond Endrestol said:
  On Tue, 4 Oct 2011 18:51+0200, Dag-Erling Smorgrav wrote:
   Trond Endrestol trond.endres...@fagskolen.gjovik.no writes:
It's in daily use at Gjovik Technical College (Fagskolen i Gjovik),
    here in Norway.  Both the mail and web servers authenticate our users
by LDAP, and nscd certainly speeds up the lookups.
   
   OK.  No trouble with clients dying of SIGPIPE?  I could never reproduce
   the bug, but both users who reported problems used ldap, and I don't
   have an LDAP server to test against, so I thought it might be specific
   to LDAP.
  
  Not in my (somewhat limited) experience.
 
 On a tangent, I also heavily recommend using the nss-pam-ldapd port instead
 of nss_ldap.  It includes a daemon called nslcd which is the only process
 that links to the ldap library.  The nss module is a tiny plug that talks to
 nslcd using a simple protocol.  It really reduces the socket count to your
 ldap server, and removes the potential namespace problems caused by
 dlopening libldap.so in every process.

Seconded, I had endless troubles with leaked domain sockets and
connection problems with nss_ldap and have found that only nss-pam-ldapd
+ nslcd will work somewhat reliably. Except it still manages to return
empty results to sendmail every once in a while (for local delivery).

Uli


Re: Does anyone use nscd?

2011-10-07 Thread Chris Rees
On 7 Oct 2011 08:13, per...@pluto.rain.com wrote:

 Ivan Voras ivo...@freebsd.org wrote:
  On 05/10/2011 09:38, Trond Endrestøl wrote:
   On Wed, 5 Oct 2011 12:54+1030, Daniel O'Connor wrote:
   In my experience nscd seems to cache negative hits forever,
   regardless of the setting for negative-time-to-live.
  
   I'm glad to see I'm not the only one who has noticed this odd
   behaviour of nscd. Shame on me for not speaking up sooner, but
   I feared I might be proved wrong (again), and yes, that's a
   lame excuse. :-/
 
  +1.
 
  It's very annoying when installing ports which add users - the
  port adds it then in some future code checks it and it fails.
  I've noticed it with at least CUPS.

 Sounds as if there ought to be a unified mechanism for ports
 to use when adding users, so that necessary notifications --
 e.g. restarting nscd if it is running -- can be done in a
 standardized way and any necessary customizations can be done
 in a single place.

There is, and I've been trying (with other people) to make older ports
respect this framework.

Chris


Re: Does anyone use nscd?

2011-10-06 Thread Dan Nelson
In the last episode (Oct 04), Trond Endrestol said:
 On Tue, 4 Oct 2011 18:51+0200, Dag-Erling Smorgrav wrote:
  Trond Endrestol trond.endres...@fagskolen.gjovik.no writes:
   It's in daily use at Gjovik Technical College (Fagskolen i Gjovik),
   here in Norway.  Both the mail and web servers authenticate our users
   by LDAP, and nscd certainly speeds up the lookups.
  
  OK.  No trouble with clients dying of SIGPIPE?  I could never reproduce
  the bug, but both users who reported problems used ldap, and I don't
  have an LDAP server to test against, so I thought it might be specific
  to LDAP.
 
 Not in my (somewhat limited) experience.

On a tangent, I also heavily recommend using the nss-pam-ldapd port instead
of nss_ldap.  It includes a daemon called nslcd which is the only process
that links to the ldap library.  The nss module is a tiny plug that talks to
nslcd using a simple protocol.  It really reduces the socket count to your
ldap server, and removes the potential namespace problems caused by
dlopening libldap.so in every process.

-- 
Dan Nelson
dnel...@allantgroup.com


Re: Does anyone use nscd?

2011-10-06 Thread Ivan Voras
On 05/10/2011 09:38, Trond Endrestøl wrote:
 On Wed, 5 Oct 2011 12:54+1030, Daniel O'Connor wrote:
 
 On 05/10/2011, at 2:30, Michel Talon wrote:

 Des wrote:
 Does anyone actually use nscd?

 I have been using it for a long time. I have not experienced annoying bugs
 in all that time. The last time I was hit was when installing some
 new software which requires adding some user and some group with pw. Of
 course this doesn't work well with caching these data, and I had
 completely forgotten I was using a cache. This is very perplexing.

 In my experience nscd seems to cache negative hits forever,
 regardless of the setting for negative-time-to-live.
 
 I'm glad to see I'm not the only one who has noticed this odd 
 behaviour of nscd. Shame on me for not speaking up sooner, but I 
 feared I might be proved wrong (again), and yes, that's a lame excuse. 
 :-/

+1.

It's very annoying when installing ports which add users - the port adds
it then in some future code checks it and it fails. I've noticed it with
at least CUPS.





Re: Does anyone use nscd?

2011-10-06 Thread Lawrence Stewart

On 10/05/11 19:43, Dag-Erling Smørgrav wrote:
[snip]


While we're at it, I'd be very grateful if someone could email me a
quick and dirty guide to setting up an LDAP server for testing.  I have
too much on my plate right now to start reading documentation...


A bit dated, but this build guide is reasonably complete and should 
pretty much all still be relevant. It has some bits you won't need if 
you're just setting something up for quick and dirty testing - I think 
they'll be obvious as you're working through it.


Cheers,
Lawrence

- Based mostly on information from these places (among many others!):
- http://www.freebsd.org/doc/en/articles/ldap-auth/index.html
- http://www.openldap.org/doc/admin24/


## USEFUL RANDOM TIDBITS ##

- These pearls of wisdom are useful during set up and debugging


- Use the slapcat tool on the server command line to show you the contents
- of the ldap database in ldif format. This is useful for rolling backups.
- Have a cron job call slapcat every 30 mins and write the output over the top
- of a file which is incrementally backed up

- Example of updating the test user's password as the DB admin
ldappasswd -x -S -H ldap://127.0.0.1 -D 'cn=root,dc=example,dc=com' -W 'uid=test,ou=people,dc=example,dc=com'


- LDAP data is often stored base64 encoded (e.g. userPassword field). Use this
- to decode:
echo e0NSWVBUfSQxJEt5T3FxYmdlJDQec3VTLnZUY21rTzRGWENBVVBTMjE= | perl -MMIME::Base64 -ne 'print decode_base64($_) . "\n";'

- To manually update an existing entry's attribute
ldapmodify -x -H ldap://127.0.0.1 -D 'cn=root,dc=example,dc=com' -W -f testuser.ldif
- With testuser.ldif contents:
dn: uid=test,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {crypt}$1$pUXysTUZ$97r27L6FE21NDtZdNUYRc1


- To delete an existing entry
ldapmodify -x -H ldap://127.0.0.1 -D 'cn=root,dc=example,dc=com' -W -f testuser.ldif
- With testuser.ldif contents:
dn: uid=test,ou=people,dc=example,dc=com
changetype: delete

- Enable the monitor backend in slapd.conf and run the following query to get
- operational info about slapd
ldapsearch -x -H ldap://127.0.0.1 -b 'cn=Monitor' +

- Change the loglevel directive in slapd.conf to 'conns filter stats' to get
- useful debugging info in /var/log/debug.log

- Setting 'debug 1' in pam_ldap.conf and/or nss_ldap.conf will give you some
- useful debugging info on the client side in /var/log/debug.log

- 
## END USEFUL RANDOM TIDBITS ##


## SERVER CONFIG ##

- Add the following lines to /etc/make.conf to make the FreeBSD ports system
- use LDAP 2.4.x for ports that require LDAP (default uses 2.3.x)

# Use OpenLDAP 2.4.x
WANT_OPENLDAP_VER=24



- Install openldap server
cd /usr/ports/net/openldap24-server

make install clean

- Select options: SASL, PASSWD, PERL, ODBC, TCP_WRAPPERS, BDB, SEQMOD, 
SYNCPROV, DYNAMIC_BACKENDS


- Create a certificate/key for encrypted comms with the LDAP server

mkdir /usr/local/certs

openssl req -new -x509 -days 1825 -nodes -out /usr/local/certs/ldapserver.pem -keyout /usr/local/certs/ldapserver.pem

- The dialog with openssl should go something like this:

Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Victoria
Locality Name (eg, city) []:Melbourne
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Org
Organizational Unit Name (eg, section) []: Org Unit
Common Name (eg, YOUR name) []:ldapserver.blah.com.au
Email Address []:youru...@blah.com.au

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


#- Check that the basic details are all good
openssl x509 -subject -dates -fingerprint -noout -in /usr/local/certs/ldapserver.pem

#- Set perms on sensitive files
#create 'certs' group and add ldap and www users:

pw groupadd certs
pw groupmod certs -M www ldap

chmod 0440 /usr/local/certs/ldapserver.pem
chgrp certs /usr/local/certs/ldapserver.pem

#- Configure slapd, the ldap server

mkdir /var/db/slapd
chown ldap:ldap /var/db/slapd

cp /usr/local/etc/openldap/DB_CONFIG.example /var/db/slapd/DB_CONFIG

cd /usr/local/etc/openldap



edit slapd.conf

- Make the file look like this

###
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema  
include /usr/local/share/examples/samba/LDAP/samba.schema  

loglevel        conns filter stats
#loglevel       none
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
modulepath  /usr/local/libexec/openldap
moduleload  back_bdb
defaultsearchbase dc=blah,dc=com,dc=au
password-hash   {CRYPT}
password-crypt-salt-format $1$%.8s
security ssf=128
TLSCertificateFile /usr/local/certs/ldapserver.pem
TLSCertificateKeyFile 

Re: Does anyone use nscd?

2011-10-05 Thread Dag-Erling Smørgrav
Lawrence Stewart lstew...@freebsd.org writes:
 If the machine running nscd loses connectivity with the DNS server for
 a while and does a DNS lookup during that time, nscd will cache the
 -ve reply indefinitely for all users, which breaks all sorts of
 crap. Have to forcibly run nscd -I all to fix. I will find and fix
 this bug one day if noone beats me to it...

Definitely a bug, nscd is only supposed to cache negative responses for
60 seconds.  I hope you find the time to track it down :)

Is it 100% reproducible?  How long does the DNS server have to be
unreachable before it happens?

 I'd like to see it stay in base. Moving it (slowly) towards a point
 where we can turn it on by default would be cool.

Agreed, in principle.

DES
-- 
Dag-Erling Smørgrav - d...@des.no


Re: Does anyone use nscd?

2011-10-05 Thread Dag-Erling Smørgrav
Daniel O'Connor docon...@gsoft.com.au writes:
 I'd be interested in testing your workaround(s) :)

It wasn't a workaround, actually, just a one-line change that enables
additional logging (when running from the console with -nst) which might
help me figure out why it crashes.  See my reply to Artem Belevich
earlier in this thread.

While we're at it, I'd be very grateful if someone could email me a
quick and dirty guide to setting up an LDAP server for testing.  I have
too much on my plate right now to start reading documentation...

DES
-- 
Dag-Erling Smørgrav - d...@des.no


Re: Does anyone use nscd?

2011-10-05 Thread Daniel O'Connor

On 05/10/2011, at 19:13, Dag-Erling Smørgrav wrote:
 Daniel O'Connor docon...@gsoft.com.au writes:
 I'd be interested in testing your workaround(s) :)
 
 It wasn't a workaround, actually, just a one-line change that enables
 additional logging (when running from the console with -nst) which might
 help me figure out why it crashes.  See my reply to Artem Belevich
 earlier in this thread.

OK I'll dig it up..

 While we're at it, I'd be very grateful if someone could email me a
 quick and dirty guide to setting up an LDAP server for testing.  I have
 too much on my plate right now to start reading documentation…


Hmm, most of the heavy lifting for me was done by the net/smbldap-tools port
but it was still fiddly and it was a while ago.

Hopefully an LDAP guru can offer more :(

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there
are so many of them to choose from.
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C


Re: Does anyone use nscd?

2011-10-05 Thread Matthew Seaman
On 05/10/2011 09:43, Dag-Erling Smørgrav wrote:
 While we're at it, I'd be very grateful if someone could email me a
 quick and dirty guide to setting up an LDAP server for testing.  I have
 too much on my plate right now to start reading documentation...

The Quick Start guide on the OpenLDAP site is pretty good:

http://www.openldap.org/doc/admin24/quickstart.html

although steps 1 -- 8 just boil down to 'install from ports' on FreeBSD.

Notes:

1) Don't enable SASL -- it adds a lot of complexity but doesn't change
anything fundamental in the way LDAP works for testing purposes.

2) The default schema include inetOrgPerson and Posix which is enough to
deal with basic Unix users and groups.  If you want to do anything more
advanced (e.g. sudo related or OpenSSH LPK patches) then you'll need to
import some external schema.  I recommend always copying the schema
files into $PREFIX/etc/openldap/schema or else casually removing a port
could prevent your slapd from restarting days or weeks later...

3) The structure of an LDAP tree is site-specific and can be quite
different between different organizations, but in essence it consists of
sorting and grouping various classes of objects into various
subdirectories of your directory tree.  For testing purposes, impose at
least a minimal amount of structure.  As the quick start guide suggests,
use the dc=example,dc=com form based on your domain name to root your
LDAP tree.  Within that, create some sub-directories 'ou=Users',
'ou=Groups', 'ou=Hosts' for storing objects of the appropriate types.
This should provide a reasonable parallel to what most people would use
in production.

4) ACLs and permissions are pretty complex in LDAP.  This is something
where you are going to have to spend some quality time with the manuals
I'm afraid.

5) phpldapadmin is a pretty good tool for populating a directory with
test data.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW





Re: Does anyone use nscd?

2011-10-05 Thread Eugene Grosbein
04.10.2011 22:47, Sean M. Collins wrote:
 I've never heard of the utility until you mentioned it.
 
 I'd nuke it, since really there are more popular alternatives like Redis
 and Memcached in the ports tree that most people will reach for first.
 

Please look at http://www.freebsd.org/cgi/query-pr.cgi?pr=75855 before making a
final decision.


Re: Does anyone use nscd?

2011-10-05 Thread Pegasus Mc Cleaft
On Wednesday 05 October 2011 10:46:47 Eugene Grosbein wrote:
 04.10.2011 22:47, Sean M. Collins wrote:
  I've never heard of the utility until you mentioned it.
  
  I'd nuke it, since really there are more popular alternatives like Redis
  and Memcached in the ports tree that most people will reach for first.
 

I had not used it before I saw this thread..  But now I am 8-)  I kind
of like it, actually.. Especially for DNS caching..



Re: Does anyone use nscd?

2011-10-05 Thread Artem Belevich
2011/10/4 Dag-Erling Smørgrav d...@des.no:
 Any chance of getting a backtrace from an unpatched nscd?  Ideally with
 the change described here:

 http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/136073#reply1

 To test, stop nscd, then run it from the command line like so:

 $ su -
 # cd /tmp
 # ulimit -c 0
 # /usr/sbin/nscd -nst
 (do something in another terminal that causes it to crash)
 # echo backtrace | gdb -batch -x /dev/stdin /usr/sbin/nscd nscd.core

 and send me the output from both nscd and gdb once it crashes.

In my case it's top that dies with SIGPIPE. nscd keeps running just
fine. So, there's no backtrace from nscd.

top receives SIGPIPE after it tries to write to the socket with nscd
on the other end. Apparently nscd closes connection on its end.
Running ktrace on top I see that before the write to nscd socket,
there's a read that returned 0 bytes.

Here's top's backtrace. Alas I don't have libc with debug symbols handy:

Program received signal SIGPIPE, Broken pipe.
0x000800abe8cc in write () from /lib/libc.so.7
(gdb) where
#0  0x000800abe8cc in write () from /lib/libc.so.7
#1  0x000800aa3f44 in ftell () from /lib/libc.so.7
#2  0x000800aa415f in ftell () from /lib/libc.so.7
#3  0x000800aa2031 in __h_errno () from /lib/libc.so.7
#4  0x000800a98311 in nsdispatch () from /lib/libc.so.7
#5  0x000800a84d95 in getpwent_r () from /lib/libc.so.7
#6  0x000800a84911 in acl_get_brand_np () from /lib/libc.so.7
#7  0x00404f7b in machine_init (statics=0x7fffe770,
do_unames=1 '\001') at /usr/srcdir/src.git/usr.bin/top/machine.c:258
#8  0x0040a9ab in main (argc=1, argv=0x7fffe8c8) at
/usr/srcdir/src.git/usr.bin/top/../../contrib/top/top.c:464

--Artem


Re: Does anyone use nscd?

2011-10-05 Thread Artem Belevich
2011/10/5 Michael Bushkov bush...@freebsd.org:
 There are probably 2 things here:
 1. There's some error in nsswitch-nscd communication protocol that
 causes nsswitch to write into the closed socket. This is not trivial
 to investigate and will require analyzing nscd and client process logs
 side by side (and possibly adding some more logging).
 2. Consequences of the aforementioned problem can probably be
 corrected by using _setsockopt(..., SO_NOSIGPIPE) in
 __open_cached_connection() in nscachedcli.c
 (http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/net/nscachedcli.c?rev=1.3).

 I have no access to FreeBSD desktop at the moment - Artem, it would be
 cool if you can try the second solution.

That's exactly what I did and it fixed the problem on the client side.
I've posted the patch setting SO_NOSIGPIPE earlier in this thread:
http://lists.freebsd.org/pipermail/freebsd-hackers/2011-October/036539.html

--Artem


Re: Does anyone use nscd?

2011-10-05 Thread Michael Bushkov
There are probably 2 things here:
1. There's some error in nsswitch-nscd communication protocol that
causes nsswitch to write into the closed socket. This is not trivial
to investigate and will require analyzing nscd and client process logs
side by side (and possibly adding some more logging).
2. Consequences of the aforementioned problem can probably be
corrected by using _setsockopt(..., SO_NOSIGPIPE) in
__open_cached_connection() in nscachedcli.c
(http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/net/nscachedcli.c?rev=1.3).

I have no access to FreeBSD desktop at the moment - Artem, it would be
cool if you can try the second solution.

Cheers,
Michael

2011/10/5 Artem Belevich a...@freebsd.org:
 2011/10/4 Dag-Erling Smørgrav d...@des.no:
 Any chance of getting a backtrace from an unpatched nscd?  Ideally with
 the change described here:

 http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/136073#reply1

 To test, stop nscd, then run it from the command line like so:

 $ su -
 # cd /tmp
 # ulimit -c 0
 # /usr/sbin/nscd -nst
 (do something in another terminal that causes it to crash)
 # echo backtrace | gdb -batch -x /dev/stdin /usr/sbin/nscd nscd.core

 and send me the output from both nscd and gdb once it crashes.

 In my case it's top that dies with SIGPIPE. nscd keeps running just
 fine. So, there's no backtrace from nscd.

 top receives SIGPIPE after it tries to write to the socket with nscd
 on the other end. Apparently nscd closes connection on its end.
 Running ktrace on top I see that before the write to nscd socket,
 there's a read that returned 0 bytes.

 Here's top's backtrace. Alas I don't have libc with debug symbols handy:

 Program received signal SIGPIPE, Broken pipe.
 0x000800abe8cc in write () from /lib/libc.so.7
 (gdb) where
 #0  0x000800abe8cc in write () from /lib/libc.so.7
 #1  0x000800aa3f44 in ftell () from /lib/libc.so.7
 #2  0x000800aa415f in ftell () from /lib/libc.so.7
 #3  0x000800aa2031 in __h_errno () from /lib/libc.so.7
 #4  0x000800a98311 in nsdispatch () from /lib/libc.so.7
 #5  0x000800a84d95 in getpwent_r () from /lib/libc.so.7
 #6  0x000800a84911 in acl_get_brand_np () from /lib/libc.so.7
 #7  0x00404f7b in machine_init (statics=0x7fffe770,
 do_unames=1 '\001') at /usr/srcdir/src.git/usr.bin/top/machine.c:258
 #8  0x0040a9ab in main (argc=1, argv=0x7fffe8c8) at
 /usr/srcdir/src.git/usr.bin/top/../../contrib/top/top.c:464

 --Artem





Re: Does anyone use nscd?

2011-10-05 Thread Dag-Erling Smørgrav
Michael Bushkov bush...@freebsd.org writes:
 2. Consequences of the aforementioned problem can probably be
 corrected by using _setsockopt(..., SO_NOSIGPIPE) in
 __open_cached_connection() in nscachedcli.c

That sounds like a workaround rather than a fix...

DES
-- 
Dag-Erling Smørgrav - d...@des.no


Re: Does anyone use nscd?

2011-10-05 Thread Artem Belevich
2011/10/5 Dag-Erling Smørgrav d...@des.no:
 Michael Bushkov bush...@freebsd.org writes:
 2. Consequences of the aforementioned problem can probably be
 corrected by using _setsockopt(..., SO_NOSIGPIPE) in
 __open_cached_connection() in nscachedcli.c

 That sounds like a workaround rather than a fix...

Not necessarily. Using SO_NOSIGPIPE is a valid option when someone
wants to see read/write on a closed socket fail and return -1 with
errno=EPIPE.

Quick grep in libc shows that resolver code in
lib/libc/resolv/res_send.c also sets SO_NOSIGPIPE for exactly that
reason.

--Artem
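The behaviour Artem describes, as an added example that is not part of the thread or of FreeBSD's libc: a Unix stream socket whose peer end has already been closed stands in for nscd hanging up, and the same write is tried with and without SIGPIPE suppression. SO_NOSIGPIPE is the BSD socket option used in the patch; on Linux, which lacks it, the code falls back to the per-call MSG_NOSIGNAL flag on send(2), which has the same effect for that one call.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose sigaction(), socketpair() */
#define _DARWIN_C_SOURCE 1  /* macOS: keep SO_NOSIGPIPE visible */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of one write against a peer that has already closed. */
struct write_result {
    ssize_t nwritten;  /* return value of the write: -1 on failure */
    int err;           /* errno after a failed write, 0 otherwise */
    int got_sigpipe;   /* 1 if SIGPIPE was delivered during the write */
};

static volatile sig_atomic_t sigpipe_seen;

static void note_sigpipe(int sig)
{
    (void)sig;
    sigpipe_seen = 1;
}

/*
 * Send one request into a Unix stream socket whose peer (standing in for
 * nscd) has already gone away. With suppress != 0 the write is made to
 * report EPIPE instead of raising SIGPIPE, which is what setting
 * SO_NOSIGPIPE in __open_cached_connection() does for the nsswitch client.
 */
struct write_result write_to_closed_peer(int suppress)
{
    struct write_result r = { 0, 0, 0 };
    struct sigaction sa, old;
    int sv[2];
    /* Constructed stand-in for a cache request; the contents do not matter. */
    const char req[] = "getpwnam alice";

    /* Catch SIGPIPE so this process survives the unprotected case; an
       unprepared client such as top(1) would simply die here. */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = note_sigpipe;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGPIPE, &sa, &old);
    sigpipe_seen = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        r.nwritten = -1;
        r.err = errno;
        sigaction(SIGPIPE, &old, NULL);
        return r;
    }
    close(sv[1]);  /* the daemon side hangs up before the client writes */

    if (suppress) {
#ifdef SO_NOSIGPIPE
        /* BSD: a socket-level option, as in the nscachedcli.c patch. */
        int on = 1;
        if (setsockopt(sv[0], SOL_SOCKET, SO_NOSIGPIPE, &on, sizeof on) != 0) {
            r.nwritten = -1;
            r.err = errno;
            close(sv[0]);
            sigaction(SIGPIPE, &old, NULL);
            return r;
        }
        r.nwritten = write(sv[0], req, sizeof req);
#else
        /* Linux has no SO_NOSIGPIPE; MSG_NOSIGNAL per call is the equivalent. */
        r.nwritten = send(sv[0], req, sizeof req, MSG_NOSIGNAL);
#endif
    } else {
        r.nwritten = write(sv[0], req, sizeof req);
    }
    r.err = r.nwritten < 0 ? errno : 0;
    r.got_sigpipe = sigpipe_seen;

    close(sv[0]);
    sigaction(SIGPIPE, &old, NULL);
    return r;
}

int main(void)
{
    struct write_result plain = write_to_closed_peer(0);
    struct write_result safe = write_to_closed_peer(1);

    printf("unprotected: nwritten=%zd errno=%s sigpipe=%d\n",
           plain.nwritten, strerror(plain.err), plain.got_sigpipe);
    printf("protected:   nwritten=%zd errno=%s sigpipe=%d\n",
           safe.nwritten, strerror(safe.err), safe.got_sigpipe);
    return 0;
}
```

Both runs fail with EPIPE; the difference is that only the unprotected one also raises SIGPIPE, which is the signal that killed top in the reports above.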


Re: Does anyone use nscd?

2011-10-05 Thread Trond Endrestøl
On Tue, 4 Oct 2011 18:51+0200, Dag-Erling Smørgrav wrote:

 Trond Endrestøl trond.endres...@fagskolen.gjovik.no writes:
  It's in daily use at Gjøvik Technical College (Fagskolen i Gjøvik), 
  here in Norway. Both the mail and web servers authenticate our users 
  by LDAP, and nscd certainly speeds up the lookups.
 
 OK.  No trouble with clients dying of SIGPIPE?  I could never reproduce
 the bug, but both users who reported problems used ldap, and I don't
 have an LDAP server to test against, so I thought it might be specific
 to LDAP.

Not in my (somewhat limited) experience.


Trond.

-- 
--
Trond Endrestøl  | trond.endres...@fagskolen.gjovik.no
ACM, NAS, NUUG, SAGE, USENIX |FreeBSD 8.2-STABLE  Alpine 2.00

Re: Does anyone use nscd?

2011-10-05 Thread Trond Endrestøl
On Wed, 5 Oct 2011 12:54+1030, Daniel O'Connor wrote:

 On 05/10/2011, at 2:30, Michel Talon wrote:
 
  Des wrote:
  Does anyone actually use nscd?
  
  I have been using it for a long time. I have not experienced annoying bugs
  in all that time. The last time I was hit was when installing some
  new software which required adding a user and a group with pw. Of
  course this doesn't work well with caching these data, and I had
  completely forgotten I was using a cache. This is very perplexing.
 
  In my experience nscd seems to cache negative hits forever, 
 regardless of the setting for negative-time-to-live.

I'm glad to see I'm not the only one who has noticed this odd 
behaviour of nscd. Shame on me for not speaking up sooner, but I 
feared I might be proved wrong (again), and yes, that's a lame excuse. 
:-/

 If I am installing ports which create a new user or group I have to 
 restart nscd. I also find if openldap dies (not infrequent) I have 
 to restart nscd after restarting openldap..

After bulk loading ~250 students into our LDAP (Novell eDirectory) 
each fall, and deleting the graduated students, I restart nscd on our 
servers just to make sure the caches don't contain any negative 
results. Maybe I should set up a cron job to restart nscd once a day 
until the source code is cleaned up.


Trond.

-- 
--
Trond Endrestøl  | trond.endres...@fagskolen.gjovik.no
ACM, NAS, NUUG, SAGE, USENIX |FreeBSD 8.2-STABLE  Alpine 2.00

Re: Does anyone use nscd?

2011-10-05 Thread Trond Endrestøl
On Tue, 4 Oct 2011 17:20+0200, Dag-Erling Smørgrav wrote:

 Does anyone actually use nscd?

It's in daily use at Gjøvik Technical College (Fagskolen i Gjøvik), 
here in Norway. Both the mail and web servers authenticate our users 
by LDAP, and nscd certainly speeds up the lookups.


Trond.

-- 
--
Trond Endrestøl  | trond.endres...@fagskolen.gjovik.no
ACM, NAS, NUUG, SAGE, USENIX |FreeBSD 8.2-STABLE  Alpine 2.00

Re: Does anyone use nscd?

2011-10-04 Thread Dirk-Willem van Gulik

On 4 Oct 2011, at 17:00, Michel Talon wrote:

 Des wrote:
 Does anyone actually use nscd?
 
 I have been using it for a long time. I have not experienced annoying bugs
 in all that time. The last time I was hit was when installing some
 new software which required adding a user and a group with pw. Of
 course this doesn't work well with caching these data, and I had
 completely forgotten I was using a cache. This is very perplexing.


Same here. It just works. And you forget about it. But always beware that it 
caches - and that caching is not system wide - but per user. And I've seen a 
few cases where I suspect it serialises or otherwise blocks on barrages of DNS 
queries. But it is helpful - when the data needs to come from ldap or wherever.

Dw.




Re: Does anyone use nscd?

2011-10-04 Thread Sean M. Collins
I've never heard of the utility until you mentioned it.

I'd nuke it, since really there are more popular alternatives like Redis
and Memcached in the ports tree that most people will reach for first.

-- 
Sean M. Collins


Re: Does anyone use nscd?

2011-10-04 Thread Dag-Erling Smørgrav
Trond Endrestøl trond.endres...@fagskolen.gjovik.no writes:
 It's in daily use at Gjøvik Technical College (Fagskolen i Gjøvik), 
 here in Norway. Both the mail and web servers authenticate our users 
 by LDAP, and nscd certainly speeds up the lookups.

OK.  No trouble with clients dying of SIGPIPE?  I could never reproduce
the bug, but both users who reported problems used ldap, and I don't
have an LDAP server to test against, so I thought it might be specific
to LDAP.

DES
-- 
Dag-Erling Smørgrav - d...@des.no


Re: Does anyone use nscd?

2011-10-04 Thread Julian Elischer

On 10/4/11 9:51 AM, Dag-Erling Smørgrav wrote:

Trond Endrestøl trond.endres...@fagskolen.gjovik.no writes:

It's in daily use at Gjøvik Technical College (Fagskolen i Gjøvik),
here in Norway. Both the mail and web servers authenticate our users
by LDAP, and nscd certainly speeds up the lookups.

OK.  No trouble with clients dying of SIGPIPE?  I could never reproduce
the bug, but both users who reported problems used ldap, and I don't
have an LDAP server to test against, so I thought it might be specific
to LDAP.

DES

I had never heard of it until now but it looks as though I could have used
it several times in the past.

We should have people announce new features just like new committers.

Hi, my name is nscd, I cache data that is accessed through the 
nsswitch system etc.




Re: Does anyone use nscd?

2011-10-04 Thread Artem Belevich
2011/10/4 Dag-Erling Smørgrav d...@des.no:
 Trond Endrestøl trond.endres...@fagskolen.gjovik.no writes:
 It's in daily use at Gjøvik Technical College (Fagskolen i Gjøvik),
 here in Norway. Both the mail and web servers authenticate our users
 by LDAP, and nscd certainly speeds up the lookups.

 OK.  No trouble with clients dying of SIGPIPE?  I could never reproduce
 the bug, but both users who reported problems used ldap, and I don't
 have an LDAP server to test against, so I thought it might be specific
 to LDAP.

I do use nscd at work where we have fairly large NIS database.

And I do have a way to reproduce the SIGPIPE problem. Populate ~30K
entries in NIS passwd database, enable nscd and then run top. In my
case top used to die with SIGPIPE pretty reliably. I've fixed the
issue locally by setting SO_NOSIGPIPE on the socket in
__open_cached_connection() in lib/libc/net/nscachedcli.c and I've been
running with the fix for a few months now.

--Artem

diff --git a/lib/libc/net/nscachedcli.c b/lib/libc/net/nscachedcli.c
index 1323805..cd941db 100644
--- a/lib/libc/net/nscachedcli.c
+++ b/lib/libc/net/nscachedcli.c
@@ -196,6 +196,7 @@ __open_cached_connection(struct
cached_connection_params const *params)
struct sockaddr_un client_address;
int client_address_len, client_socket;
int res;
+   int on = 1;

assert(params != NULL);

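Review bot: the hunk header `@@ -196,6 +196,7 @@ __open_cached_connection(struct` has been wrapped by the mail client onto a second line (`cached_connection_params const *params)`), so this patch will not apply with patch(1) as pasted; attach the diff as a file or resend with line wrapping disabled. The new `int on = 1;` is fine as a declaration, but a one-line comment beside it saying what the option is for (a closed nscd connection should surface as EPIPE rather than kill the client) would help the next reader of this function.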
@@ -214,6 +215,8 @@ __open_cached_connection(struct
cached_connection_params const *params)
}
_fcntl(client_socket, F_SETFL, O_NONBLOCK);

+   _setsockopt(client_socket, SOL_SOCKET, SO_NOSIGPIPE, (void
*)on, sizeof(on));
+
retval = malloc(sizeof(struct cached_connection_));
assert(retval != NULL);
memset(retval, 0, sizeof(struct cached_connection_));
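Review bot: as shown, the call passes `(void *)on`, which casts the integer value 1 to a pointer instead of passing the address of `on`; setsockopt(2) would fail with EFAULT and SO_NOSIGPIPE would never be set. It should read `_setsockopt(client_socket, SOL_SOCKET, SO_NOSIGPIPE, &on, sizeof(on));` (the missing `&` and the line break at `(void` / `*)on` may both be mail-transit damage, in which case the patch needs resending as an attachment). The return value is also ignored; since suppressing SIGPIPE is the whole purpose of the change, a failure here should at least be logged rather than silently proceeding, and the write paths in this file still need to cope with the EPIPE that now replaces the signal.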


Re: Does anyone use nscd?

2011-10-04 Thread Jos Backus
On Tue, Oct 4, 2011 at 8:47 AM, Sean M. Collins s...@coreitpro.com wrote:

 I've never heard of the utility until you mentioned it.

 I'd nuke it, since really there are more popular alternatives like Redis
 and Memcached in the ports tree that most people will reach for first.

FWIW, nscd serves a somewhat different purpose, at least on Linux. It
caches name service switch backend lookups. I can't really imagine one
replacing it with Redis or memcached; those tools would require a bunch of
work to integrate them with the resolver code in libc/libresolv/whathaveyou.

Jos

--
 Sean M. Collins




-- 
Jos Backus
jos at catnook.com


Re: Does anyone use nscd?

2011-10-04 Thread Michael Bushkov
Hi,
Disclaimer: I've written the nscd utility, so I can be a bit biased.

On Tue, Oct 4, 2011 at 5:47 PM, Sean M. Collins s...@coreitpro.com wrote:
 I've never heard of the utility until you mentioned it.

 I'd nuke it, since really there are more popular alternatives like Redis
 and Memcached in the ports tree that most people will reach for first.

I think you're mixing 2 different things there. nscd is integrated
with nsswitch and allows you to cache different kinds of system data
(groups, users, etc). IIRC utilities like memcached and redis lack
this integration and I don't know any way of hooking them into
nsswitch. They're actually just caching backends and you need
additional code to make them work with nsswitch.

Cheers,
Michael


 --
 Sean M. Collins




Re: Does anyone use nscd?

2011-10-04 Thread Dag-Erling Smørgrav
Artem Belevich a...@freebsd.org writes:
 And I do have a way to reproduce the SIGPIPE problem. Populate ~30K
 entries in NIS passwd database, enable nscd and then run top. In my
 case top used to die with SIGPIPE pretty reliably. I've fixed the
 issue locally by setting SO_NOSIGPIPE on the socket in
 __open_cached_connection() in lib/libc/net/nscachedcli.c and I've been
 running with the fix for a few months now.

Any chance of getting a backtrace from an unpatched nscd?  Ideally with
the change described here:

http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/136073#reply1

To test, stop nscd, then run it from the command line like so:

$ su -
# cd /tmp
# ulimit -c 0
# /usr/sbin/nscd -nst
(do something in another terminal that causes it to crash)
# echo backtrace | gdb -batch -x /dev/stdin /usr/sbin/nscd nscd.core

and send me the output from both nscd and gdb once it crashes.  

DES
-- 
Dag-Erling Smørgrav - d...@des.no


Re: Does anyone use nscd?

2011-10-04 Thread Sean M. Collins
Oops - I latched on to the wrong parts of the manpage when I was reading
and sent my first message. Thanks for pointing this out.

However:

How useful is the caching of users and groups?  I still believe that for
caching DNS, BIND or another DNS server running locally or on the same
LAN is the common practice.

-- 
Sean M. Collins


Re: Does anyone use nscd?

2011-10-04 Thread Michael Bushkov
Users/groups caching can be pretty useful when you have a large
LDAP or NIS setup.

--
Michael

On Tue, Oct 4, 2011 at 7:56 PM, Sean M. Collins s...@coreitpro.com wrote:
 Oops - I latched on to the wrong parts of the manpage when I was reading
 and sent my first message. Thanks for pointing this out.

 However:

 How useful is the caching of users and groups?  I still believe that for
 caching DNS, BIND or another DNS server running locally or on the same
 LAN is the common practice.

 --
 Sean M. Collins



Re: Does anyone use nscd?

2011-10-04 Thread Sean M. Collins
On 10/4/11 2:02 PM, Michael Bushkov wrote:
 Users/groups caching can be pretty useful when you have a large
 LDAP or NIS setup.

Agreed, and forgive me for hammering you (I freely admit I don't have
any significant contributions to FreeBSD) but it would be far more
useful if it was cached machine-wide instead of per user, yes?

I guess I'm just playing devil's advocate - nonetheless you have my
respect.

-- 
Sean M. Collins


Re: Does anyone use nscd?

2011-10-04 Thread Samuel Martín Moro
Using it for a while now, almost without any problem.
Just one thing: while connected to some external intranet, nscd still tries to
contact my LDAP.

So I made a few tests using sssd instead
but I'm quite disappointed: even being in my office, I often get the
'authenticated using cached credentials' message (after waiting for 10
seconds, of course... I definitely should tune the timeouts).

Why should one choose to use sssd over nscd?
Is someone actually using it?



Regards.

-- 
Samuel Martín Moro
{EPITECH.}
SMILE - Open Source Solutions


Re: Does anyone use nscd?

2011-10-04 Thread Michael Bushkov
On Tue, Oct 4, 2011 at 8:14 PM, Sean M. Collins s...@coreitpro.com wrote:
 On 10/4/11 2:02 PM, Michael Bushkov wrote:
 Users/groups caching can be pretty useful when you have a large
 LDAP or NIS setup.

 Agreed, and forgive me for hammering you (I freely admit I don't have
 any significant contributions to FreeBSD) but it would be far more
 useful if it was cached machine-wide instead of per user, yes?


No problem )
Technically, yes, but a machine-wide cache leads to a security issue -
a malicious user can poison the global cache with arbitrary data.

Cheers,
Michael

 I guess I'm just playing devil's advocate - none the less you have my
 respect.

 --
 Sean M. Collins




Re: Does anyone use nscd?

2011-10-04 Thread Dag-Erling Smørgrav
Samuel Martín Moro faus...@gmail.com writes:
 Using it for a while now, almost without any problem.  Just one thing:
 while connected to some external intranet, nscd still tries to contact
 my LDAP.

Well, by default, nscd caches hits for an hour and misses for a minute.
One could imagine an option to have nscd return the cached entry if it
can't contact the server, even if it has technically expired, but the
problem is that nscd doesn't know what the backend is and can't reliably
tell whether the lookup failed because the server is unreachable or just
because the entry does not exist; and even if it could, it would still
have to query the backend every time, so you might still get a longish
timeout for every lookup, depending on the type of backend and the
reason it failed.

DES
-- 
Dag-Erling Smørgrav - d...@des.no


Re: Does anyone use nscd?

2011-10-04 Thread Uffe Jakobsen



On 2011-10-04 19:02, Julian Elischer wrote:

On 10/4/11 9:51 AM, Dag-Erling Smørgrav wrote:

Trond Endrestøl trond.endres...@fagskolen.gjovik.no writes:

It's in daily use at Gjøvik Technical College (Fagskolen i Gjøvik),
here in Norway. Both the mail and web servers authenticate our users
by LDAP, and nscd certainly speeds up the lookups.

OK. No trouble with clients dying of SIGPIPE? I could never reproduce
the bug, but both users who reported problems used ldap, and I don't
have an LDAP server to test against, so I thought it might be specific
to LDAP.


I had never heard of it until now but it looks as though I could have used
it several times in the past.

We should have people announce new features just like new committers.

Hi, my name is nscd, I cache data that is accessed through the nsswitch
system etc.



FYI: If you've ever used a Solaris box then you've used it without knowing it.
Solaris has used nscd by default for the last 16 years - since Solaris 2.5.

And yes, it severely speeds up nameservice lookups on large 
installations, whether it be plain files, NIS, NIS+, LDAP or the like...


/Uffe




Re: Does anyone use nscd?

2011-10-04 Thread David Brodbeck
On Tue, Oct 4, 2011 at 9:00 AM, Michel Talon ta...@lpthe.jussieu.fr wrote:

 Des wrote:
  Does anyone actually use nscd?

 I have been using it for a long time. I have not experienced annoying bugs
 in all that time. The last time I was hit was when installing some
 new software which required adding a user and a group with pw. Of
 course this doesn't work well with caching these data, and I had
 completely forgotten I was using a cache. This is very perplexing.


It can also be problematic on Samba domain controllers, when adding new
machines to the domain -- Samba creates an account for the new machine, then
gets confused when a subsequent lookup of that account fails.

-- 
David Brodbeck
System Administrator, Linguistics
University of Washington


Re: Does anyone use nscd?

2011-10-04 Thread Daniel O'Connor

On 05/10/2011, at 2:30, Michel Talon wrote:
 Des wrote:
 Does anyone actually use nscd?
 
 I have been using it for a long time. I have not experienced annoying bugs
 in all that time. The last time I was hit was when installing some
 new software which required adding a user and a group with pw. Of
 course this doesn't work well with caching these data, and I had
 completely forgotten I was using a cache. This is very perplexing.
 


In my experience nscd seems to cache negative hits forever, regardless of the 
setting for negative-time-to-live.

If I am installing ports which create a new user or group I have to restart 
nscd. I also find if openldap dies (not infrequent) I have to restart nscd 
after restarting openldap..

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there
are so many of them to choose from.
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C








Re: Does anyone use nscd?

2011-10-04 Thread Daniel O'Connor

On 05/10/2011, at 1:50, Dag-Erling Smørgrav wrote:
 I ask because when I cleaned up a slew of aliasing bugs a couple of
 years ago, I believe I may have introduced a bug; I got exactly two
 complaints, and neither of the complainants could be bothered to try the
 workaround I suggested and report back.
 
 Although the code quality is atrocious, nscd is actually a pretty good
 idea.  I suspect the reason why nobody uses it is that it's off by
 default and people simply don't know about it.  Besides nuking it, which
 would be a shame, we have a range of options, from just fixing the bug
 so those who want to use it can in one end to finding someone willing
 to clean it up and maintain it and enable it by default in the other.
 
 (no, I'm not volunteering to maintain it)

I'd be interested in testing your workaround(s) :)

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there
are so many of them to choose from.
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C








Re: Does anyone use nscd?

2011-10-04 Thread Lawrence Stewart

On 10/05/11 02:20, Dag-Erling Smørgrav wrote:

Does anyone actually use nscd?


Yes, particularly for caching LDAP data.


I ask because when I cleaned up a slew of aliasing bugs a couple of
years ago, I believe I may have introduced a bug; I got exactly two
complaints, and neither of the complainants could be bothered to try the
workaround I suggested and report back.


I haven't seen these bugs. There is a different bug we hit fairly 
regularly related to -ve caching. If the machine running nscd loses 
connectivity with the DNS server for a while and does a DNS lookup 
during that time, nscd will cache the -ve reply indefinitely for all 
users, which breaks all sorts of crap. Have to forcibly run nscd -I 
all to fix. I will find and fix this bug one day if no one beats me to it...



Although the code quality is atrocious, nscd is actually a pretty good
idea.  I suspect the reason why nobody uses it is that it's off by
default and people simply don't know about it.  Besides nuking it, which
would be a shame, we have a range of options, from just fixing the bug
so those who want to use it can in one end to finding someone willing
to clean it up and maintain it and enable it by default in the other.


I'd like to see it stay in base. Moving it (slowly) towards a point 
where we can turn it on by default would be cool.


Cheers,
Lawrence
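The caching rule DES spells out earlier in the thread (hits cached for an hour, misses for a minute, and no way for nscd to tell "not found" from "backend unreachable") and the indefinitely cached negative result Lawrence reports above, as an added example that is not nscd's code: a small lookup cache in front of an nsswitch-style backend that caches positive and negative answers with their own TTLs but never caches NS_UNAVAIL, so an outage of the DNS or LDAP server cannot leave a miss pinned in the cache. The status enum, the TTL constants and the sample backend are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/*
 * Backend outcomes, modelled on the nsswitch status convention. Defined
 * locally so the example compiles outside FreeBSD's <nsswitch.h>.
 */
enum ns_status { NS_SUCCESS = 1, NS_NOTFOUND = 2, NS_UNAVAIL = 3 };

/* nscd's defaults as described in the thread: hits an hour, misses a minute. */
#define POSITIVE_TTL 3600
#define NEGATIVE_TTL 60
#define MAX_ENTRIES 64
#define KEY_LEN 64

struct cache_entry {
    char key[KEY_LEN];
    int found;        /* 1 = positive entry, 0 = cached miss */
    time_t expires;   /* absolute expiry time */
};

struct ns_cache {
    struct cache_entry e[MAX_ENTRIES];
    size_t n;
    int backend_calls; /* how often the backend was actually consulted */
};

typedef enum ns_status (*backend_fn)(const char *key);

/* Find a live entry for key; an expired one is evicted and NULL returned. */
static struct cache_entry *cache_find(struct ns_cache *c, const char *key,
                                      time_t now)
{
    for (size_t i = 0; i < c->n; i++) {
        if (strcmp(c->e[i].key, key) != 0)
            continue;
        if (c->e[i].expires > now)
            return &c->e[i];
        c->e[i] = c->e[--c->n];  /* expired: drop it */
        return NULL;
    }
    return NULL;
}

static void cache_store(struct ns_cache *c, const char *key, int found,
                        time_t now)
{
    struct cache_entry *e = cache_find(c, key, now);
    if (e == NULL) {
        if (c->n == MAX_ENTRIES)
            return;  /* full: simply do not cache this result */
        e = &c->e[c->n++];
        strncpy(e->key, key, KEY_LEN - 1);
        e->key[KEY_LEN - 1] = '\0';
    }
    e->found = found;
    e->expires = now + (found ? POSITIVE_TTL : NEGATIVE_TTL);
}

/*
 * Look up key through the cache. Positive and negative answers from the
 * backend are cached with their own TTL; NS_UNAVAIL (backend unreachable)
 * is passed through and never cached, so a transient outage cannot turn
 * into a miss that is served for the rest of the day.
 */
enum ns_status cached_lookup(struct ns_cache *c, backend_fn backend,
                             const char *key, time_t now)
{
    struct cache_entry *e = cache_find(c, key, now);
    enum ns_status st;

    if (e != NULL)
        return e->found ? NS_SUCCESS : NS_NOTFOUND;

    c->backend_calls++;
    st = backend(key);
    if (st == NS_SUCCESS)
        cache_store(c, key, 1, now);
    else if (st == NS_NOTFOUND)
        cache_store(c, key, 0, now);
    /* NS_UNAVAIL: deliberately not stored */
    return st;
}

/* Constructed sample backend: knows one user and can be "taken down". */
int sample_backend_down = 0;

enum ns_status sample_backend(const char *key)
{
    if (sample_backend_down)
        return NS_UNAVAIL;
    return strcmp(key, "alice") == 0 ? NS_SUCCESS : NS_NOTFOUND;
}
```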