Description of problem: The nscd daemon fails to function when nsswitch.conf is configured to use ldap and /etc/ldap.conf contains the SASL options use_sasl on rootuse_sasl on (Account information stored in LDAP via RFC 2307.) What do I mean fails? If I run id <username> of a valid user id will return no such user. If I turn off nscd id returns the proper results. nss_ldap/nscd does contact the LDAP server but only opens and then closes a connection. No query, gssapi auth, just open and close. Version-Release number of selected component (if applicable): nscd-2.3.3-53 nss_ldap-220-3
First of all, nscd-2.3.3-53 is old, try something newer (e.g. 2.3.3-74 in rawhide). nscd has debug mode if you start it with /usr/sbin/nscd -d > /tmp/nscd.log
After more research I have discovered the source of the problem. With user information stored in LDAP accessed via the nss_ldap module there are two ways to use SASL authentication. (Kerberos in this case.) With the nscd daemon turned off, there is no caching but each user uses his own credintials to authenticate to the LDAP server. With nscd turned on root is doing the authentication and retrieval from the LDAP server wich requires a keytab and a system service ticket. I would like to be able to use the users' kerberos tickets and still have the caching nscd provides.
So just set up a system service ticket or stop caching.