F18 users unable to log in due to cached nsswitch.conf
Simo Sorce
simo at redhat.com
Wed Oct 17 17:02:43 UTC 2012
On Wed, 2012-10-17 at 18:29 +0200, Stef Walter wrote:
> On 10/17/2012 06:21 PM, Miloslav Trmač wrote:
> > That's rather far from actually fixing the problem. Can we get it
> > fixed_first_? It seems that we could drop the glibc caching,
>
> Obviously dropping the caching would be pretty nasty. Having to dlopen
> the modules each time you do a getpwnam() (or friends) isn't cool.
>
> I assume you mean fstating the file on each lookup? I'm not against
> this, and I can try and propose this to glibc, but I'm pretty sure
> what's going to happen. See similar /etc/resolv.conf discussions.
This would kill perf. which is why it is not done.
> > or by
> > modify authconfig to instruct the user to reboot after changing
> > /etc/nsswitch.conf .
>
> That's *really* ugly, and prevents tools (like ipa-client-install or
> realmd) from completing an initialization in one shot. They would have
> to be split into two parts, with a reboot in between. :S
Yeah, extremely painful and unnecessary, please let's avoid this.
> > I'm not opposed to changing the default nsswitch.conf to avoid that
> > reboot (well, I think it's ugly to refer to a non-installed module,
> > but that's an aesthetic, not a principal thing) and to improve the
> > user experience in the default case, but we do need to have some way
> > to fix the underlying problem, a better way than just giving up and
> > conceding that nsswitch.conf can't be edited from now on.
>
> We are working on it and I linked to that bug in my report. Ray Strode
> and I are working on patches to glibc.
>
> http://sourceware.org/bugzilla/show_bug.cgi?id=12459
>
> Obviously, if you have another idea of how to fix this other than the
> above, this would be a great place to put it forward.
Long term I thin I can add support for the nscd protocol to sssd, it
does work around this issue, but has other drawbacks which is why we
haven;t done it so far.
Stef can you open a ticket so we discuss and consider whether to do it ?
This will take time however, in the meanwhile it would be really nice if
we could do it the simple way by just adding sss by default until a
better solution is found.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the devel
mailing list