[Bug 772944] New: SP2: Problem with sssd config
https://bugzilla.novell.com/show_bug.cgi?id=772944
https://bugzilla.novell.com/show_bug.cgi?id=772944#c0

Summary: SP2: Problem with sssd config
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: x86-64
OS/Version: SLES 11
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: gjn@gjn.priv.at
QAContact: jsrain@suse.com
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1

Hello,

I installed a SLES 11 SP2 and tested the new sssd function and found only questions ;).

1: When I select sssd in YaST2, afterward I have warnings for nscd for caching passwd and group (?), this is enabled in nscd config after starting sssd, but should be disabled (?) like Documentation. Or have sssd now the functionality to replace nscd full (?) but nscd is not stopped?

2: when I disable the sssd function in YaST2 the program is not disabled in the Runlevel? I have to stop this manual, I can't say is the config correct disabled (reverted).

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=772944#c1
Günther J. Niederwimmer
https://bugzilla.novell.com/show_bug.cgi?id=772944#c2
kk zhang
https://bugzilla.novell.com/show_bug.cgi?id=772944#c3
Günther J. Niederwimmer
https://bugzilla.novell.com/show_bug.cgi?id=772944#c
kk zhang
https://bugzilla.novell.com/show_bug.cgi?id=772944#c
Thomas Göttlicher
https://bugzilla.novell.com/show_bug.cgi?id=772944#c4
Jiří Suchomel
> 1: When I select sssd in YaST2, afterward I have warnings for nscd for caching passwd and group (?), this is enabled in nscd config after starting sssd, but should be disabled (?) like Documentation.

Where did you select sssd? In LDAP module? Or in Kerberos? To what part of documentation are you referring, could you post a link? Which warnings do you mean, could you attach the screenshot?

> 2: when I disable the sssd function in YaST2 the program is not disabled in the Runlevel? I have to stop this manual, I can't say is the config correct disabled (reverted).

Again, where did you disable it: in Runlevel module?
https://bugzilla.novell.com/show_bug.cgi?id=772944#c5
Günther J. Niederwimmer
https://bugzilla.novell.com/show_bug.cgi?id=772944#c6
Jiří Suchomel
> I select sssd in the YaST Ldap Client Module
> The warning is in the /log/messages and on Redhat sssd docu

Ralf, could you comment about this part?

> I have to disable the sssd in the Runlevel Editor after deselect sssd in Yast2

OK, this is another bug, that sssd is not stopped and disabled when deselected in YaST LDAP Client. Ralf, can I safely stop it in such case?
https://bugzilla.novell.com/show_bug.cgi?id=772944#c7
Jakub Hrozek
> Hello,
> I installed a SLES 11 SP2 and tested the new sssd function and found only questions ;).
> 1: When I select sssd in YaST2, afterward I have warnings for nscd for caching passwd and group (?), this is enabled in nscd config after starting sssd, but should be disabled (?) like Documentation.

In the SSSD upstream, we advise against enabling nscd for those NSS maps where the SSSD is used. The reasoning is that the SSSD provides its own caching mechanism and nscd's caching might clash with SSSD's.

One of the caching features that the SSSD has and the nscd does not have is that the initgroups() operation is always performed against the remote server during authentication, but can be returned from cache otherwise. This results in group memberships being always accurately reflected during login.

> Or have sssd now the functionality to replace nscd full (?) but nscd is not stopped?

Not yet (and probably not for quite some time). The SSSD currently provides support for these NSS maps:
* passwd
* group
* netgroup
* services

Other maps such as protocol or hosts are not implemented. If you need caching for these maps, then I would recommend only enabling nscd for the maps you are using but the SSSD is not providing.

Speed-wise, nscd was quite faster than SSSD, however, the upcoming SSSD 1.9.0 release is going to include a new "fast memory cache" that is going to improve the cache performance significantly.
https://bugzilla.novell.com/show_bug.cgi?id=772944#c8
--- Comment #8 from Jakub Hrozek
(In reply to comment #5)
> I select sssd in the YaST Ldap Client Module
> The warning is in the /log/messages and on Redhat sssd docu
> Ralf, could you comment about this part?

The SSSD checks for the presence of the nscd socket during startup and issues the following warning to syslog if the socket is found:

    sss_log(SSS_LOG_NOTICE,
            "nscd socket was detected. Nscd caching capabilities "
            "may conflict with SSSD for users and groups. It is "
            "recommended not to run nscd in parallel with SSSD, unless "
            "nscd is configured not to cache the passwd, group and "
            "netgroup nsswitch maps.");
https://bugzilla.novell.com/show_bug.cgi?id=772944#c9
Ralf Haferkamp
(In reply to comment #5)
> I select sssd in the YaST Ldap Client Module
> The warning is in the /log/messages and on Redhat sssd docu
> Ralf, could you comment about this part?

Jakub's comment pretty much summarizes the issue I guess. Thanks for that Jakub! I guess we should consider disabling nscd caching for the relevant maps in yast ldap-client when sssd is used. (Do we have code to touch nscd.conf in YaST already?)

> I have to disable the sssd in the Runlevel Editor after deselect sssd in Yast2
> OK, this is another bug, that sssd is not stopped and disabled when deselected in YaST LDAP Client. Ralf, can I safely stop it in such case?

I think so, yes. (At least after nsswitch.conf was updated.)
https://bugzilla.novell.com/show_bug.cgi?id=772944#c15
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=772944#c16
--- Comment #16 from Ralf Haferkamp 2012-10-09 15:51:10 CEST ---
(In reply to comment #15)
> So, the task for openSUSE 12.3 is:
>
> When sssd is activated:
> - "enable-cache" setting in nscd.conf to "no" for "passwd" and "group".
>
> When sssd (= actually ldap-client configuration) is disabled,
> - stop and disable sssd service

- "enable-cache" setting in nscd.conf to "yes" for "passwd" and "group"?
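
Added example, not part of the original thread and not SSSD or YaST code: a small POSIX shell check for the overlap discussed in comments #7, #8 and #16, listing the NSS maps that nsswitch.conf routes to sss while nscd.conf still has caching enabled for them. The function names and the sample files are constructed for illustration.

```sh
# Added example (not from the bug thread): list NSS maps that nsswitch.conf
# routes to SSSD while nscd.conf still has "enable-cache <map> yes".

# Maps whose nsswitch.conf source list contains "sss".
sss_maps() {
    awk '{
        sub(/#.*/, "")                          # drop comments
        i = index($0, ":"); if (!i) next
        map = substr($0, 1, i - 1); gsub(/[ \t]/, "", map)
        n = split(substr($0, i + 1), src, /[ \t]+/)
        for (k = 1; k <= n; k++) if (src[k] == "sss") { print map; break }
    }' "$1"
}

# Maps that nscd is configured to cache.
nscd_cached_maps() {
    awk '{ sub(/#.*/, "") } $1 == "enable-cache" && $3 == "yes" { print $2 }' "$1"
}

# Usage: nscd_sssd_conflicts NSSWITCH_CONF NSCD_CONF (one conflicting map per line)
nscd_sssd_conflicts() {
    cached=$(nscd_cached_maps "$2")
    for map in $(sss_maps "$1"); do
        for c in $cached; do
            if [ "$map" = "$c" ]; then echo "$map"; fi
        done
    done
}

# Constructed sample files, written to directory $1 (not taken from a real host).
make_sample() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:   compat sss
group:    compat sss
hosts:    files dns
services: files        # sss not enabled for this map
EOF
    cat > "$1/nscd.conf" <<'EOF'
# enable-cache passwd no
enable-cache passwd   yes
enable-cache group    yes
enable-cache hosts    yes
enable-cache netgroup no
EOF
}

dir=$(mktemp -d) && make_sample "$dir"
nscd_sssd_conflicts "$dir/nsswitch.conf" "$dir/nscd.conf"   # passwd, group
rm -rf "$dir"
```

On a real host the two arguments would be /etc/nsswitch.conf and /etc/nscd.conf; empty output means nscd is not caching any map that SSSD serves.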
https://bugzilla.novell.com/show_bug.cgi?id=772944#c17
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=772944#c18
--- Comment #18 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=772944#c19
Ralf Haferkamp