Old 07-15-2010, 03:05 AM
Brian Marshall
 
LDAP / NSCD shadow caching problem

Hi All,
I have a post on the forums about this. I'm hoping maybe you guys can help me track down what I'm doing wrong.
I am trying to get nscd to cache my LDAP user data. You know, for when the LDAP server goes down. The problem I am having is not related to the "bind_policy soft" issue that causes sshd to hang when LDAP is down. I have bind_policy set to soft and my sshd is very responsive and sends auth requests through PAM no problem. But when LDAP is down it fails to authenticate, it does not fail to ask me to authenticate. That being said, I don't think my problem is a bug; I think I have configured something wrong and I'm just not seeing what.
My config files can be referenced on my forum post https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=27153&forum=4 2
The problem I am having is that shadow does not seem to get cached by nscd. Here's how I have tracked this down.
Given the results of the following:
LDAP server UP
[root@xxxxxxxx ~]# getent passwd tester
tester:x:501:501:tester:/home/tester:/bin/bash
[root@xxxxxxxx ~]# getent shadow tester
tester:Rx5ZXH414bqiM:14802:0:99999:7:::
LDAP server DOWN
[root@xxxxxxxx ~]# getent passwd tester
tester:x:501:501:tester:/home/tester:/bin/bash
[root@xxxxxxxx ~]# getent shadow tester
So, when LDAP is down I can clearly see that nscd is caching passwd but not shadow.
To test this I checked getent's output in strace for both circumstances. The result, I can clearly see in all 4 instances a connection to nscd's socket at /var/run/nscd/socket. Since I'm assuming getent exits on first match here's my conclusion on the behavior I see.
When getent is looking at passwd I see it look in /etc/passwd, then nscd and then exits because nscd returns a match on passwd. It doesn't matter if LDAP is up or down. As long as nscd's cache is not expired it looks there first and never calls out to the LDAP server.
When getent is looking at shadow I see it look in /etc/shadow, then nscd, then try to connect to the LDAP server. It doesn't matter if the LDAP server is up or down, getent never gets a match from nscd. Even if I turn on the LDAP server, login successfully via ssh as an LDAP authed user and then run getent...still no entry for shadow in nscd.
So, to re-state in a different way. I can't find any bug that seems to be related to this, and as it's a basic LDAP/NSCD feature my only logical conclusion is that I am doing something wrong. Any help or any suggestions as to what else I can check would be greatly appreciated.
Thanks
Brian
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-15-2010, 04:17 AM
JohnS
 
LDAP / NSCD shadow caching problem

On Wed, 2010-07-14 at 21:05 -0600, Brian Marshall wrote:

> So, when LDAP is down I can clearly see that nscd is caching passwd
> but not shadow.
---
"if getent shadow as root returns a shadow file with passwords, then
the PAM unix module can do authentication without using libpam-ldap"

So that may just be that you need libpam-ldap. So maybe your problem is
PAM?

John

 
Old 07-15-2010, 10:43 AM
Stephen Harris
 
LDAP / NSCD shadow caching problem

On Wed, Jul 14, 2010 at 09:05:38PM -0600, Brian Marshall wrote:
> My config files can be referenced on my forum post https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=27153&forum=4 2

Your /etc/nscd.conf is only configured to cache passwd/group/hosts. It's
not configured to cache shadow.

(I don't know if nscd _can_ be configured to cache shadow or not; never
tried)

--

rgds
Stephen
 
Old 07-15-2010, 10:58 AM
"Alexander Dalloz"
 
LDAP / NSCD shadow caching problem

> The problem I am having is that shadow does not seem to get cached by
> nscd. Here's how I have tracked this down.

NSCD not caching shadow user credentials is a fact. There is nothing wrong
with your configuration. NSCD just does not do what you seem to expect
from it. You can't make it do what you would like it to.

If your LDAP server is gone, you will not be able to login. Run a replica
server to avoid a single point of failure.

> Brian

Alexander

 
Old 07-15-2010, 11:13 AM
"Alexander Dalloz"
 
LDAP / NSCD shadow caching problem

> Your /etc/nscd.conf is only configured to cache passwd/group/hosts. It's
> not configured to cache shadow.
>
> (I don't know if nscd _can_ be configured to cache shadow or not; never
> tried)

> rgds
> Stephen

The nscd is a "name service caching daemon" and not an authentication
credentials cache.

man 8 nscd

"Nscd provides caching for accesses of the passwd(5), group(5), and
hosts(5) databases through standard libc interfaces, such as getpwnam(3),
getpwuid(3), getgrnam(3), getgrgid(3), gethostbyname(3), and others."

"Note that the shadow file is specifically not cached. getspnam(3)
calls remain uncached as a result."

Regards

Alexander



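An added example, not code from the thread: a small Python audit that reads an nscd.conf and an nsswitch.conf and reports which databases a lookup can actually be served from nscd's cache, treating shadow as uncacheable exactly as the man page excerpt above states. Both config samples are constructed to resemble the setup Stephen describes (passwd/group/hosts cached, shadow not), not the poster's real files.

```python
import re

# Databases nscd(8) can cache at all, per the man page quoted above for this
# glibc generation (newer releases add services/netgroup). shadow is absent
# on purpose: "getspnam(3) calls remain uncached".
NSCD_CACHEABLE = {"passwd", "group", "hosts"}
NETWORK_SOURCES = {"ldap", "dns", "nis", "nisplus"}

# Constructed samples (not the poster's real files); nscd.conf(5) grammar is
# "enable-cache <database> yes|no", nsswitch.conf is "<database>: <sources>".
NSCD_CONF = """\
\tenable-cache\t\tpasswd\t\tyes
\tpositive-time-to-live\tpasswd\t\t600
\tenable-cache\t\tgroup\t\tyes
\tenable-cache\t\thosts\t\tyes
"""
NSSWITCH_CONF = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\nhosts: files dns\n"

def parse_nscd_caches(text):
    """Return the set of databases with an 'enable-cache <db> yes' line."""
    enabled = set()
    for line in text.splitlines():
        m = re.match(r"\s*enable-cache\s+(\S+)\s+(yes|no)\s*$", line)
        if m and m.group(2) == "yes":
            enabled.add(m.group(1))
    return enabled

def parse_nsswitch(text):
    """Map each NSS database to its ordered list of sources."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, rest = line.split(":", 1)
            sources[db.strip()] = rest.split()
    return sources

def audit(nscd_text, nsswitch_text):
    """Per database: sources, whether nscd caches it, whether it needs the network."""
    enabled = parse_nscd_caches(nscd_text)
    report = {}
    for db, srcs in parse_nsswitch(nsswitch_text).items():
        report[db] = {
            "sources": srcs,
            # 'enable-cache shadow yes' does not help: nscd cannot cache shadow
            "cached_by_nscd": db in enabled and db in NSCD_CACHEABLE,
            "network": any(s in NETWORK_SOURCES for s in srcs),
        }
    return report

def uncached_network_databases(report):
    """Databases whose every lookup reaches the network: exactly the ones
    that stop working when the directory server is unreachable."""
    return sorted(db for db, i in report.items()
                  if i["network"] and not i["cached_by_nscd"])
```

Running `audit(NSCD_CONF, NSSWITCH_CONF)` on the samples reports shadow as the only network-backed database nscd never caches, which is the behaviour Brian observed with `getent shadow` while the LDAP server was down.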
 
Old 07-15-2010, 03:37 PM
Brian Marshall
 
LDAP / NSCD shadow caching problem

Yes but I have worked in many organizations that use directory services for authentication and my machines with them have always cached authentication data so I can login if I'm not online. I can't expect laptop users to always have a network connection. If Mac OS and Windows can manage to cache network authentication for offline use, I can't believe that linux does not have this capability.

Perhaps my wanting to cache my shadow data or use nscd for this purpose is not the correct way to achieve this. But the only other well discussed option I have found is nsscache, which doesn't seem to work very well and their library doesn't seem to install on CentOS 5. Unfortunately I'm way too much of a hack C programmer to fix it, especially since they don't provide a configure file.

So, assuming we can put the conversation about nscd shadow caching aside, let's just talk about how to cache LDAP data on a CentOS system so it can authenticate users in the absence of a network. Creating local passwd/group/shadow data is not an option.

Again, I can't stress this enough. I am convinced I am doing something wrong or going about this the wrong way. I'm just not understanding how to either fix the problem at hand or solve it another or proper way.

Any advice?

Thanks

Brian

 
Old 07-15-2010, 03:52 PM
Todd Denniston
 
LDAP / NSCD shadow caching problem

Brian Marshall wrote, On 07/15/2010 11:37 AM:
> Yes but I have worked in many organizations that use directory services for authentication and my machines with them have always cached authentication data so I can login if I'm not online. I can't expect laptop users to always have a network connection. If Mac OS and Windows can manage to cache network authentication for offline use, I can't believe that linux does not have this capability.
>
> Perhaps my wanting to cache my shadow data or use nscd for this purpose is not the correct way to achieve this. But the only other well discussed option I have found is nsscache which doesn't seem to work very well and their library doesn't seem to install on centos 5. Unfortunately I'm way too much of a hack C programmer to fix it, especially since they don't provide a configure file.
>
> So, assuming maybe we put the conversation of nscd shadow caching aside and just talk about how to cache ldap data on a centos system so it can authenticate users in the absence of a network. Creating local passwd/group/shadow data is not an option.
>
> Again, I can't stress this enough. I am convinced I am doing something wrong or going about this the wrong way. I'm just not understanding how to either fix the problem at hand or solve it another or proper way.
>
> Any advice?

authconfig -help

authconfig --enablecache --update

For some of the folks I work with, it works quite reliably, I on the other hand have had problems
_because_ it caches the info.




--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
 
Old 07-15-2010, 04:15 PM
Brian Marshall
 
LDAP / NSCD shadow caching problem

Hi Todd,

Yes, I have already used authconfig to enable caching. If you have any questions about my configs I have a forum post with more details up there including the related ldap, and pam config files.
https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=27153&forum=4 2

The problem still remains: when the LDAP server is offline there is no shadow data cached, so LDAP users cannot authenticate on cached data despite caching and "local auth sufficient" being enabled in authconfig.

So am I missing a package, config or something else somewhere?


 
Old 07-15-2010, 05:03 PM
Brian Marshall
 
LDAP / NSCD shadow caching problem

It seems there are some bugs discussed around this.

http://sources.redhat.com/bugzilla/show_bug.cgi?id=2132
https://bugzilla.redhat.com/show_bug.cgi?id=488597
https://bugzilla.redhat.com/show_bug.cgi?id=599192


That being said, it does not seem like nscd is the way to solve this. Or at the very least there are reported complaints about this issue that have not been addressed to date.

Has anyone out there found a good solution for caching network authentication data?


 
Old 07-15-2010, 05:04 PM
Gordon Messmer
 
LDAP / NSCD shadow caching problem

On 07/15/2010 08:37 AM, Brian Marshall wrote:
> Yes but I have worked in many organizations that use directory
> services for authentication and my machines with them have always
> cached authentication data so I can login if I'm not online. I can't
> expect laptop users to always have a network connection. If Mac OS
> and Windows can manage to cache network authentication for offline
> use, I can't believe that linux does not have this capability.

Fedora does. It was introduced in Fedora 13, using sssd. The standard
tools should configure sssd rather than nscd.
 