We use nsscache because nscd is so unreliable. Nsscache is simple enough that it works, and it works pretty well. As Michael said, without it your system is sending LDAP queries for almost every operation that uses getpw/getuser.
We do not see random LDAP failures from other processes on our systems — but we see at least 50% of Puppet runs fail if they try to check/set ownership of a file to an LDAP user. These failures go away completely when we do UID/GID only (which is our work-around for now).

—Matt

On Nov 2, 2010, at 8:57 AM, Michael Gliwinski wrote:

> On Tuesday 02 Nov 2010 12:44:38 Bruce Richardson wrote:
>> On Tue, Nov 02, 2010 at 09:35:24AM +0000, Michael Gliwinski wrote:
>>> On Tuesday 02 Nov 2010 01:53:34 Bruce Richardson wrote:
>>>> nsscache is probably at fault. Try removing it from nsswitch on
>>>> a machine which has shown this problem and then see how that affects
>>>> things.
>>>
>>> Why do you think nsscache could be a problem?
>>
>> It and nscd often are. Better to ensure that your LDAP directory is
>> resilient and responsive. Configure pam and nsswitch so that you can
>> still get into a box as a non-LDAP user in the worst case scenario where
>> LDAP is inaccessible. Caching the directory just causes a whole new
>> special kind of latency issues while making problems harder to debug.
>
> Hmm, I know what you mean, but then without any caching this can mean quite a
> load on the LDAP servers considering even simple 'ls -l' has to go over
> network to resolve UIDs/GIDs.
>
> Anyway, do you happen to know of a good guide, howto, etc. for nss_ldap
> configuration (specifically on CentOS with AD)? I'm thinking maybe client
> configuration is at fault but haven't yet encountered a good guide that would
> explain what is needed and why (e.g. many also mention winbind, not sure what
> for, also one of our admins here was playing with Kerberos which seems isn't
> needed and could be contributing to the issues).
>
> --
> Michael Gliwinski
> Henderson Group Information Services
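
One way to check, outside Puppet, whether name-to-UID lookups through NSS fail intermittently on an affected host. This is an added example, not part of the original thread; `probe_lookups` and its parameters are hypothetical names, and the account to probe is whichever LDAP user the failing file resources reference.

```python
import pwd
import sys
import time


def probe_lookups(name, attempts=200, resolver=pwd.getpwnam, delay=0.0):
    """Resolve `name` repeatedly; summarise failures and latency.

    The default resolver, pwd.getpwnam, walks the passwd sources listed in
    /etc/nsswitch.conf, so the result reflects whatever is configured there
    (files, a local cache, LDAP). `resolver` is injectable for testing.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    failures = 0
    uids = set()
    latencies = []
    for _ in range(attempts):
        start = time.perf_counter()
        try:
            uids.add(resolver(name).pw_uid)
        except (KeyError, OSError):
            # KeyError: no configured source returned an entry for the name.
            failures += 1
        latencies.append(time.perf_counter() - start)
        if delay:
            time.sleep(delay)
    latencies.sort()
    return {
        "attempts": attempts,
        "failures": failures,
        "failure_rate": failures / attempts,
        # More than one UID for the same name points at inconsistent sources.
        "distinct_uids": sorted(uids),
        "p50_ms": latencies[len(latencies) // 2] * 1000,
        "max_ms": latencies[-1] * 1000,
    }


if __name__ == "__main__":
    # Usage: python probe.py <username>   (defaults to root)
    user = sys.argv[1] if len(sys.argv) > 1 else "root"
    for key, value in probe_lookups(user).items():
        print(f"{key}: {value}")
```

Running it once with the cache module present in nsswitch.conf and once without gives comparable failure rates and latencies for the two setups discussed in the thread.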
