Bug 1488370

Summary: nscd: Add a comment to the default nscd.conf file that is it not recommended to use NSCD and SSSD for the same NSS maps
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Hrozek <jhrozek>
Component: glibcAssignee: Carlos O'Donell <codonell>
Status: CLOSED ERRATA QA Contact: qe-baseos-tools-bugs
Severity: low Docs Contact:
Priority: unspecified    
Version: 7.4CC: ashankar, codonell, fweimer, jhrozek, knweiss, mcermak, mnewsome, pfrankli, skolosov
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: glibc-2.17-286.el7 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1747505 (view as bug list) Environment:
Last Closed: 2019-08-06 12:48:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1643040, 1747505    

Description Jakub Hrozek 2017-09-05 08:38:31 UTC
Description of problem:
It is still not clear to all users that running nscd and sssd at the same time for the same maps might not be the best idea because then there are two caching stacks that compete with each other.

Even though sssd already warns to syslog when it detects that nscd is running and the maps that nscd caches are the same that sssd caches, perhaps it would also help if nscd.conf had a comment telling something along those lines as well

Other ideas are welcome as well.

Comment 5 Florian Weimer 2018-04-04 15:41:58 UTC
(In reply to Jakub Hrozek from comment #0)
> Description of problem:
> It is still not clear to all users that running nscd and sssd at the same
> time for the same maps might not be the best idea because then there are two
> caching stacks that compete with each other.
> 
> Even though sssd already warns to syslog when it detects that nscd is
> running and the maps that nscd caches are the same that sssd caches, perhaps
> it would also help if nscd.conf had a comment telling something along those
> lines as well

Do you mean nsswitch.conf?  I'm not sure if a warning makes sense in nscd.conf.  The sss module is only listed in nsswitch.conf.

Comment 8 Karsten Weiss 2019-01-22 10:09:32 UTC
I assume he means this: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/system-level_authentication_guide/#usingnscd-sssd

I agree that mentioning this in /etc/nscd.conf is a good idea.

Talking about warnings: It might be also a good idea to mention the fact the "shared yes" disables the "cache hit rate" stats output of "nscd -g" (it'll show "0%").

Comment 9 Carlos O'Donell 2019-02-07 22:19:45 UTC
Posted patches for Rawhide:
https://lists.fedoraproject.org/archives/list/glibc@lists.fedoraproject.org/thread/A656JPF5MT6YNRPDCCJ4H4TTAF6YRXXQ/

I added the following warning:

++# WARNING: Running nscd with a secondary caching service like sssd may lead to
++#          unexpected behaviour, especially with how long entries are cached.

to both nscd.conf and nsswitch.conf.

I also added the following note to nscd.conf:

+ #	shared			<service> <yes|no>
++#	NOTE: Setting 'shared' to a value of 'yes' will accelerate the lookup
++#	      with the help of the client, but these lookups will not be
++#	      counted as cache hits i.e. 'nscd -g' may show '0%'.
++#

I think that covers all suggestions in this issue.

Comment 10 Jakub Hrozek 2019-02-08 08:14:17 UTC
Looks good, thank you very much.

Comment 16 errata-xmlrpc 2019-08-06 12:48:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2118