Description of problem: In our environment we need to set some environment variables (Kerberos related) when launching nscd. Currently we hack them into /etc/init.d/nscd. Please add support for an /etc/sysconfig/nscd file so we can cleanly modify the environment for nscd in a maintainable and future-proof way. How about the following patch to /etc/init.d/nscd?

--- nscd.org 2005-08-29 22:07:36.000000000 -0600 +++ nscd 2005-08-29 22:10:29.000000000 -0600 @@ -9,6 +9,7 @@ # slow naming services like NIS, NIS+, LDAP, or hesiod. # processname: /usr/sbin/nscd # config: /etc/nscd.conf +# config: /etc/sysconfig/nscd # ### BEGIN INIT INFO # Provides: nscd @@ -28,6 +29,8 @@ # Source function library. . /etc/init.d/functions +[ -f /etc/sysconfig/nscd ] && . /etc/sysconfig/nscd + # nscd does not run on any kernel lower than 2.2.0 because of threading # problems, so we require that in first place. case $(uname -r) in
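Review bot: the second hunk (@@ -28,6 +29,8 @@) only sources /etc/sysconfig/nscd; nothing exports what it sets, so a line like `KRB5CCNAME=/etc/.ldapcache` in that file becomes a shell variable of the init script that the exec'd `/usr/sbin/nscd` never inherits. Either document that the file must use `export KRB5CCNAME=/etc/.ldapcache`, or have the script export the variables it expects. The file is also sourced as root behind a bare `[ -f ... ]` test, so it needs to be shipped root-owned and not group/world writable (a %config(noreplace) file in the spec would cover that and give the "# config: /etc/sysconfig/nscd" line in the first hunk something to point at).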
Created attachment 118236: patch to /etc/init.d/nscd to add /etc/sysconfig/nscd support
It would be great to get this change into RHEL4 as well. Should I open another bug??
I guess you should first explain which environment variables you need and why you specifically need them just for nscd, not for all programs. In that case NSS lookup would work differently when using and when not using nscd. I don't see how that would be a good thing.
Consider this configuration:

nscd -----> nss_ldap ------(GSSAPI/Kerberos authenticated connection)---> LDAP

The LDAP server only allows GSSAPI/Kerberos authenticated connections. To allow the OS and daemons to look up users and groups via get*ent, nscd needs to have access to a Kerberos credentials cache. /etc/ldap.conf, among other settings, has:

use_sasl on
sasl_auth_id nssldap/FQDN
krb5_ccname FILE:/etc/.ldapcache

The credentials cache is kept current via a cron job. When nscd is started and using the nss_ldap library, which in turn uses the Kerberos libraries, it needs the following environment variable:

KRB5CCNAME=/etc/.ldapcache

This is my particular need. I'm sure there are many other uses out there as well. The simple patch just gives me the flexibility to modify my configuration for my environment in a clean (supports painless RPM upgrades) fashion that many, many other SysV init scripts use on the system. This should be a no-brainer.
Here is an updated patch that allows you to set NSCD_OPTIONS in /etc/sysconfig/nscd. This is useful if you want to set the number of threads that nscd uses. I can, of course, also use /etc/sysconfig/nscd to set environment variables if I need to. For example, in /etc/sysconfig/nscd:

NSCD_OPTIONS="-t 8"

Here is the patch.

--- nscd.org 2005-08-29 22:07:36.000000000 -0600 +++ nscd 2005-08-30 13:29:43.000000000 -0600 @@ -9,6 +9,7 @@ # slow naming services like NIS, NIS+, LDAP, or hesiod. # processname: /usr/sbin/nscd # config: /etc/nscd.conf +# config: /etc/sysconfig/nscd # ### BEGIN INIT INFO # Provides: nscd @@ -28,6 +29,9 @@ # Source function library. . /etc/init.d/functions +# Source an auxiliary options file if we have one, and pick up NSCD_OPTIONS. +[ -f /etc/sysconfig/nscd ] && . /etc/sysconfig/nscd + # nscd does not run on any kernel lower than 2.2.0 because of threading # problems, so we require that in first place. case $(uname -r) in @@ -57,7 +61,7 @@ # fi # done echo -n $"Starting $prog: " - daemon /usr/sbin/nscd $secure + daemon /usr/sbin/nscd $secure $NSCD_OPTIONS RETVAL=$? echo [ $RETVAL -eq 0 ] && touch /var/lock/subsys/nscd
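Review bot: in the third hunk (@@ -57,7 +61,7 @@) `$NSCD_OPTIONS` is appended unquoted, which is what lets `-t 8` split into two arguments, but nothing in the patch documents NSCD_OPTIONS or ships a default /etc/sysconfig/nscd; suggest adding that file to the package as %config(noreplace) with a commented `#NSCD_OPTIONS=""` line so the "# config:" entry from the first hunk is accurate. The second hunk's comment says the file is sourced "to pick up NSCD_OPTIONS" but it still runs as root behind a bare `[ -f ... ]` test, so the shipped file must be root-owned and not group/world writable, and any environment variable meant for the daemon (KRB5CCNAME) still has to be `export`ed there, since a plain assignment does not reach the exec'd /usr/sbin/nscd.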
You still haven't explained why you can't export KRB5CCNAME=/etc/.ldapcache in /etc/profile.d/*.sh instead. If you just set the variable for nscd, the NSS lookup will not work if nscd is not working for whatever reason. /etc/init.d/nscd is marked as a %config file, so you can edit it. I don't like the trend of making startup slower and slower all the time.
This goes back to the design of Kerberos, nss_ldap and the security model thereof. The Kerberos credentials cache is unique PER daemon or USER. Each daemon's or user's cache should only be accessible by that user or daemon. This is why the nss_ldap credentials cache has the following permissions/ownership:

-rw------- 1 nscd nscd 555 Aug 31 10:57 /etc/.ldapcache

You MUST not make this readable by other uids. Currently the caches are stored in files; in the future MIT Kerberos and Heimdal will also support caches stored in the kernel (via the keyring support). In either case, KRB5CCNAME will be used to specify where the cache is located. This is not unique to nscd; other daemons require a KRB5CCNAME set to their specific location as well.

You say, "If you just set the variable for nscd, the NSS lookup will not work if nscd is not working for whatever reason." Yes. In a Kerberized LDAP with strong host (and user) authentication this is intentional. This is how the security model is designed to work. This is not new.

Modifying the OS-supplied /etc/init.d/ scripts is not good practice. This leaves you vulnerable to missing security fixes and other important changes. It is not good practice; it is actively discouraged. It causes the creation of .rpmnew files and extra sysadmin work. It is not safe to programmatically edit a script, while programmatically editing sysconfig files is easy. The /etc/sysconfig/ design is THE answer to the historical mess of editing /etc/init.d scripts. It is a major benefit of RH/Linux system administration.
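The two requirements spelled out in this thread, a KRB5CCNAME that actually reaches the nscd process and a credentials cache that is readable by the nscd user alone, can be checked before the daemon is started. The following shell script is an added example, not code from the bug report, the attached patches or the nscd package. It assumes GNU coreutils (`stat -c`); the sysconfig path, cache path and expected owner uids are parameters (hypothetical `nscd_prestart` gate, not part of the real init script), so the checks can be tried on constructed scratch files with the current user standing in for root and for the nscd user.

```shell
#!/bin/sh
# Added example: pre-start checks for the /etc/sysconfig/nscd + KRB5CCNAME
# setup discussed in this bug. Not code from the bug report, the attached
# patches or the nscd package. Assumes GNU coreutils 'stat -c'. Owner uids
# and paths are parameters so the checks can be exercised on scratch files;
# on a real host they would be 0 (root) for the sysconfig file and the 'nscd'
# uid for the credentials cache.

# Print "<uid> <symbolic mode>" for FILE, e.g. "0 -rw-r--r--".
file_uid_mode() {
    stat -c '%u %A' "$1" 2>/dev/null
}

# check_private_file FILE OWNER_UID
# True only if FILE is a regular file owned by OWNER_UID with no group or
# other permission bits at all (0600 or tighter), which is what a Kerberos
# credentials cache such as /etc/.ldapcache must look like.
check_private_file() {
    local f=$1 want_uid=$2 out
    [ -f "$f" ] || return 1
    out=$(file_uid_mode "$f") || return 1
    set -- $out
    [ "$1" = "$want_uid" ] || return 1
    case $2 in
        ????------) return 0 ;;   # rwx bits for group and other all clear
        *)          return 1 ;;
    esac
}

# check_sysconfig_file FILE OWNER_UID
# The init script does '. /etc/sysconfig/nscd' as root behind a bare -f test,
# so whoever can write that file runs code as root at the next start. Require
# the expected owner and no group/other write bit; world-readable 0644 is fine.
check_sysconfig_file() {
    local f=$1 want_uid=$2 out
    [ -f "$f" ] || return 1
    out=$(file_uid_mode "$f") || return 1
    set -- $out
    [ "$1" = "$want_uid" ] || return 1
    case $2 in
        ?????w????|????????w?) return 1 ;;   # group- or other-writable
    esac
    return 0
}

# daemon_sees_var SYSCONFIG VARNAME
# Source SYSCONFIG the way the init script does, then exec a child process
# standing in for 'daemon /usr/sbin/nscd' and print VARNAME as the child sees
# it. A plain 'KRB5CCNAME=...' in the sysconfig file is a shell variable the
# daemon never inherits; only 'export KRB5CCNAME=...' reaches it.
daemon_sees_var() {
    local conf=$1 var=$2
    (
        unset "$var"          # start clean: do not inherit it from the caller
        . "$conf"
        exec sh -c 'printf "%s" "${'"$var"'-}"'
    )
}

# nscd_prestart SYSCONFIG SYSCONFIG_UID CCACHE CCACHE_UID
# Hypothetical gate to run before 'daemon /usr/sbin/nscd': refuse to start
# unless the sysconfig file is safe to source and the ccache it points at is
# private to the nscd user. Returns 0 to start, 1 to refuse (reason on stderr).
nscd_prestart() {
    local conf=$1 conf_uid=$2 cc=$3 cc_uid=$4
    if ! check_sysconfig_file "$conf" "$conf_uid"; then
        echo "nscd: refusing to start: $conf must be owned by uid $conf_uid and not group/world writable" >&2
        return 1
    fi
    if ! check_private_file "$cc" "$cc_uid"; then
        echo "nscd: refusing to start: $cc must be mode 0600 and owned by uid $cc_uid" >&2
        return 1
    fi
    return 0
}

# Demo on constructed scratch files (run as: sh this_script.sh demo).
demo() {
    local d me
    d=$(mktemp -d); me=$(id -u)
    printf 'KRB5CCNAME=/etc/.ldapcache\n' > "$d/nscd.noexport"
    printf 'export KRB5CCNAME=/etc/.ldapcache\nNSCD_OPTIONS="-t 8"\n' > "$d/nscd.export"
    : > "$d/ldapcache"
    chmod 644 "$d/nscd.noexport" "$d/nscd.export"
    chmod 600 "$d/ldapcache"
    echo "without export, daemon sees KRB5CCNAME='$(daemon_sees_var "$d/nscd.noexport" KRB5CCNAME)'"
    echo "with export,    daemon sees KRB5CCNAME='$(daemon_sees_var "$d/nscd.export" KRB5CCNAME)'"
    nscd_prestart "$d/nscd.export" "$me" "$d/ldapcache" "$me" && echo "prestart: ok"
    chmod 640 "$d/ldapcache"
    nscd_prestart "$d/nscd.export" "$me" "$d/ldapcache" "$me" || echo "prestart: refused as expected"
    rm -rf "$d"
}

case ${1-} in demo) demo ;; esac
```

On a real host the gate would be called from the init script's start action as `nscd_prestart /etc/sysconfig/nscd 0 /etc/.ldapcache "$(id -u nscd)"` before the `daemon` line; the sysconfig check is what makes sourcing a file as root acceptable, and the cache check enforces the 0600 nscd-owned requirement stated above rather than relying on the cron job to get it right.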
On a RHEL/Fedora box all of the following SysV init scripts use an /etc/sysconfig/ file: amd, arpwatch, autofs, bgpd, bluetooth, cyrus-imapd, dc_client, dc_server, dhcp6s, dhcpd, dhcrelay, dund, exim, firstboot, functions, gpm, halt, hidd, httpd, irda, irqbalance, isdn, kudzu, ldap, named, netdump, netplugd, nfs, nfslock, ntpd, ospf6d, ospfd, pand, pcmcia, portmap, postgresql, radvd, rhnsd, ripd, ripngd, rpcgssd, rpcsvcgssd, saslauthd, sendmail, smartd, smb, spamassassin, squid, sshd, syslog, tux, vncserver, winbind, xinetd, yppasswdd, zebra. It is inconsistent to treat nscd differently. I don't think anyone would argue that bootup speed trumps all other concerns (like consistency and maintainability). Besides, nscd is NOT started by default.
Any response?

BTW, I tested on a vanilla FC4 box. I modified /etc/init.d/nscd, then I ran "yum -y update". After it finished, it replaced my modified nscd SysV init script. Observe:

[root@mybox init.d]# ls -al nscd*
-rwxr-xr-x 1 root root 2640 Sep 2 16:30 nscd
-rwxr-xr-x 1 root root 2228 Sep 2 13:46 nscd.rpmsave
[root@mybox init.d]#
I would like to see this in RHEL3|4 as well. Dax, you haven't submitted any bugs from RHEL about it as far as I can see, right?