[CentOS] LDAP / NSCD shadow caching problem
Brian Marshall
neorosbob at gmail.com
Thu Jul 15 20:39:13 UTC 2010
On Jul 15, 2010, at 2:27 PM, Alexander Dalloz wrote:
> On 15.07.2010 22:16, Brian Marshall wrote:
>> On Jul 15, 2010, at 2:12 PM, Alexander Dalloz wrote:
>>
>>> On 15.07.2010 19:26, Brian Marshall wrote:
>>>
>>>> Then am I misinterpreting the fact that getent shadow returns data on ldap users when ldap is up but not when it's down? I guess I don't understand where that shadow data comes from when LDAP is up.
>>>
>>> /etc/nsswitch.conf
>>>
>>> Alexander
>
>> Hi Alexander,
>>
>> Thanks for your response but /etc/nsswitch.conf does not contain any passwd, group or shadow data. It is a configuration file and is not used to cache or store data.
>
> Sure, but that configuration file tells the NSS where to look for
> requested information, and in which order. I.e. where to find shadow
> information. If you don't configure ldap there you won't get ldap
> results using your getent command.
>
> Alexander
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
Yes, but as I said in my previous messages, I have configured all of that and yet it still doesn't ever cache shadow data.
[root@argentine ~]# grep -v \# /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
So my original problem still remains. When LDAP is down, users cannot authenticate. I can't get nsscache to run because python can't find the library. I don't want to run sssd because it's new, untested in production and has a manky set of Fedora-specific dependencies that tie into PAM that I'm not willing to gamble on in a production environment.
But hey, I have a Windows XP laptop that can use Directory Services and still manages to log in users without a network. I also have a trashed old Apple laptop, and Mac OS can use LDAP and still manages to log in users without a network. I don't want to do it, but I think I have to tell all of our IT staff they are going to have to get Windows laptops instead of Linux... which I will get lynched for.
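Added example, not part of the thread: a small Python simulation of how glibc's NSS walks a database line from the nsswitch.conf quoted above. It implements the documented dispatch rule (each source returns one of success / notfound / unavail / tryagain; an optional [STATUS=ACTION] bracket after a source decides whether to return or continue; the defaults are success=return and continue for everything else). The shadow entries and the up/down state of the "ldap" backend are constructed for the example. Run it to see why `getent shadow` for an LDAP user yields nothing once the ldap source is unreachable: "files" answers notfound, "ldap" answers unavail, and with no further source in the chain the lookup ends without an entry. The bootparams line from the same file shows the [NOTFOUND=return] bracket cutting the chain short.

```python
"""Simulate glibc NSS source dispatch for an nsswitch.conf.

Constructed example: backends here are in-memory dicts, not real
glibc NSS modules. Semantics follow nsswitch.conf(5):
  statuses: success, notfound, unavail, tryagain
  actions:  return, continue
  defaults: success=return, all other statuses=continue
"""
import re

# Copy of the relevant lines from the post (comments stripped).
NSSWITCH_CONF = """\
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
"""

STATUSES = ("success", "notfound", "unavail", "tryagain")
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]}."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(":")
        entries = []
        # Tokens are either a bracketed action list or a source name.
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if tok.startswith("["):
                if not entries:
                    raise ValueError("action bracket before any source: %r" % raw)
                _, actions = entries[-1]
                for pair in tok[1:-1].split():
                    status, _, action = pair.partition("=")
                    status, action = status.lower(), action.lower()
                    if status.startswith("!"):      # !STATUS means every other status
                        for s in STATUSES:
                            if s != status[1:]:
                                actions[s] = action
                    else:
                        actions[status] = action
            else:
                entries.append((tok.lower(), dict(DEFAULT_ACTIONS)))
        db[name.strip()] = entries
    return db


def lookup(db, database, key, backends):
    """Walk the sources for `database`; backends: {source: fn(key) -> (status, value)}.
    A source with no backend loaded behaves like an unavailable module."""
    last_status = "notfound"
    for source, actions in db[database]:
        handler = backends.get(source)
        status, value = handler(key) if handler else ("unavail", None)
        last_status = status
        if actions[status] == "return":
            return status, value
    return last_status, None        # chain exhausted without a 'return'


# Constructed data: only root is in the local shadow file, the LDAP user is not.
LOCAL_SHADOW = {"root": "root:$1$constructed$hash:14800:0:99999:7:::"}
LDAP_SHADOW = {"bmarshall": "bmarshall:{crypt}constructed:14800:0:99999:7:::"}


def files_backend(key):
    return ("success", LOCAL_SHADOW[key]) if key in LOCAL_SHADOW else ("notfound", None)


def make_ldap_backend(up):
    def ldap_backend(key):
        if not up:
            return ("unavail", None)   # directory unreachable: module reports UNAVAIL
        return ("success", LDAP_SHADOW[key]) if key in LDAP_SHADOW else ("notfound", None)
    return ldap_backend


def shadow_lookup(key, ldap_up):
    """What getent shadow <key> would see with the quoted nsswitch.conf."""
    db = parse_nsswitch(NSSWITCH_CONF)
    backends = {"files": files_backend, "ldap": make_ldap_backend(ldap_up)}
    return lookup(db, "shadow", key, backends)


def bootparams_lookup(key):
    """nisplus answers notfound; [NOTFOUND=return] stops the chain before 'files'."""
    db = parse_nsswitch(NSSWITCH_CONF)
    backends = {"nisplus": lambda k: ("notfound", None),
                "files": lambda k: ("success", "%s root=server:/export" % k)}
    return lookup(db, "bootparams", key, backends)


if __name__ == "__main__":
    for up in (True, False):
        print("ldap %s:" % ("up" if up else "down"),
              shadow_lookup("bmarshall", up), shadow_lookup("root", up))
    print("bootparams:", bootparams_lookup("argentine"))
```

The simulation only models the NSS chain itself; it says nothing about what nscd keeps in its cache, which is the separate question raised in the thread.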