On Wed, Nov 3, 2010 at 3:38 PM, Matt Wise <[email protected]> wrote:
> We use nsscache because nscd is so unreliable. Nsscache is simple enough that
> it works, and it works pretty well. As Michael said, without it your system
> is sending LDAP queries for almost every operation that uses getpw/getuser.
>
> We do not see random LDAP failures from other processes on our systems — but
> we see at least 50% of Puppet runs fail if they try to check/set ownership of
> a file to an ldap user. These failures go away completely when we do UID/GID
> only. (which is our work-around for now)

That does sound like you've found a bug, and I'm not particularly fond of this section of our codebase. Can you reproduce it with repeated applications of a standalone puppet manifest with a single resource?

>
> —Matt
>
> On Nov 2, 2010, at 8:57 AM, Michael Gliwinski wrote:
>
>> On Tuesday 02 Nov 2010 12:44:38 Bruce Richardson wrote:
>>> On Tue, Nov 02, 2010 at 09:35:24AM +0000, Michael Gliwinski wrote:
>>>> On Tuesday 02 Nov 2010 01:53:34 Bruce Richardson wrote:
>>>>> nsscache is probably at fault. Try removing it from nsswitch on
>>>>> a machine which has shown this problem and then see how that affects
>>>>> things.
>>>>
>>>> Why do you think nsscache could be a problem?
>>>
>>> It and nscd often are. Better to ensure that your LDAP directory is
>>> resilient and responsive. Configure pam and nsswitch so that you can
>>> still get into a box as a non-LDAP user in the worst case scenario where
>>> LDAP is inaccessible. Caching the directory just causes a whole new
>>> special kind of latency issues while making problems harder to debug.
>>
>> Hmm, I know what you mean, but then without any caching this can mean quite a
>> load on the LDAP servers considering even simple 'ls -l' has to go over
>> network to resolve UIDs/GIDs.
>>
>> Anyway, do you happen to know of a good guide, howto, etc. for nss_ldap
>> configuration (specifically on CentOS with AD)? I'm thinking maybe client
>> configuration is at fault but haven't yet encountered a good guide that would
>> explain what is needed and why (e.g. many also mention winbind, not sure what
>> for, also one of our admins here was playing with Kerberos which seems isn't
>> needed and could be contributing to the issues).
>>
>> --
>> Michael Gliwinski
>> Henderson Group Information Services
>> 9-11 Hightown Avenue, Newtownabby, BT36 4RT
>> Phone: 028 9034 3319

--
Nigel Kersten - Puppet Labs - http://www.puppetlabs.com

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
