Created attachment 118236 [details]
patch to /etc/init.d/nscd to add /etc/sysconfig/nscd support

It would be great to get this change into RHEL4 as well. Should I open another bug??

I guess you should first explain what environment variables and why you
specifically need them just for nscd, not for all programs.
In that case NSS lookup would work differently if using and if not using nscd.
I don't see how would that be a good thing.

Consider this configuration:

nscd -----> nss_ldap ------(GSSAPI/Kerberos authenticated connection ---> LDAP

The LDAP server only allows GSSAPI/Kerberos authenticated connections. To allow
the OS and daemons to lookup users and groups via get*ent nscd needs to have
access to a kerberos credentials cache.

In /etc/ldap.conf, among other settings, has:

use_sasl on
sasl_auth_id nssldap/FQDN
krb5_ccname FILE:/etc/.ldapcache

The credendentials cache is kept current via a cron job.

When nscd is started and using the nss_ldap library which in turn uses the
kerberos libraries, it needs the following environment variable:

KRB5CCNAME=/etc/.ldapcache

This is my particular need. I'm sure there many are other uses out there as well.

The simple patch just gives me the flexibility to modify my configuration for my
environment in a clean (supports painless RPM upgrades) fashion that many many
other SysV init scripts use on the system.

This should be a no brainer.

Here is an updated patch that allows you to set NSCD_OPTIONS in
/etc/sysconfig/nscd. This is useful if you want to set the number of threads
that nscd uses. I can, of course, also use /etc/sysconfig/nscd to set
environment variables if I need to.

For example, in /etc/sysconfig/nscd

NSCD_OPTIONS="-t 8"

Here is the patch.

--- nscd.org    2005-08-29 22:07:36.000000000 -0600
+++ nscd        2005-08-30 13:29:43.000000000 -0600
@@ -9,6 +9,7 @@
 #              slow naming services like NIS, NIS+, LDAP, or hesiod.
 # processname: /usr/sbin/nscd
 # config: /etc/nscd.conf
+# config: /etc/sysconfig/nscd
 #
 ### BEGIN INIT INFO
 # Provides: nscd
@@ -28,6 +29,9 @@
 # Source function library.
 . /etc/init.d/functions

+# Source an auxiliary options file if we have one, and pick up NSCD_OPTIONS.
+[ -f /etc/sysconfig/nscd ] && . /etc/sysconfig/nscd
+
 # nscd does not run on any kernel lower than 2.2.0 because of threading
 # problems, so we require that in first place.
 case $(uname -r) in
@@ -57,7 +61,7 @@
 #      fi
 #   done
     echo -n $"Starting $prog: "
-    daemon /usr/sbin/nscd $secure
+    daemon /usr/sbin/nscd $secure $NSCD_OPTIONS
     RETVAL=$?
     echo
     [ $RETVAL -eq 0 ] && touch /var/lock/subsys/nscd

You still haven't explained why you can't
export KRB5CCNAME=/etc/.ldapcache
in /etc/profile.d/*.sh instead.  If you just set the variable for nscd, the
NSS lookup will not work if nscd is not working for whatever reason.

/etc/init.d/nscd is marked as %config file, so you can edit it.  I don't like
the trend of making startup slower and slower all the time.

This goes back to the design of Kerberos, nss_ldap and the security model
thereof. The Kerberos credential's cache is unique PER daemon or USER. Each
daemon's or user's cache should only be accessible by that user or daemon. This
is why the nss_ldap credentials cache has the following permissions/ownership:

-rw-------  1 nscd nscd 555 Aug 31 10:57 /etc/.ldapcache

You MUST not make this readable by other uids.

Currently the caches are stored in files, in the future MIT kerberos and Heimdal
will also support caches stored in the kernel (via the keyring support). In
either case, the KRB5CCNAME will be used to specify where the cache is located. 

This is not unqiue to nscd, other daemons require a KRB5CCNAME set to their
specific location as well.

You say, "If you just set the variable for nscd, the NSS lookup will not work if
nscd is not working for whatever reason."

Yes. In a Kerberized LDAP with strong host (and user) authentication this is
intentional. This is how the security model it is designed to work. This is not new.

Modifying the OS supplied /etc/init.d/ scripts is not good practice. This leaves
you vulnerable to missing security fixes and other important changes. It is not
good practice, it is actively discouraged. It causes the creation of .rpmnew
files and extra sysadmin work. It is not safe to programatically edit a script,
while programatically editing sysconfig files is easy.

The /etc/sysconfig/ design is THE answer to the historical mess of editing
/etc/init.d scripts. It is a major benefit of the RH/Linux system administration.

On a RHEL/Fedora box all of the following SysV init scripts use a /etc/syconfig/
file: 

amd, arpwatch, autofs, bgpd, bluetooth, cyrus-imapd, dc_client, dc_server,
dhcp6s, dhcpd, dhcrelay, dund, exim, firstboot, functions, gpm, halt, hidd,
httpd, irda, irqbalance, isdn, kudzu, ldap, named, netdump, netplugd, nfs,
nfslock, ntpd, ospf6d, ospfd, pand, pcmcia, portmap, postgresql, radvd, rhnsd,
ripd, ripngd, rpcgssd, rpcsvcgssd, saslauthd, sendmail, smartd, smb,
spamassassin, squid, sshd, syslog, tux, vncserver, winbind, xinetd, yppasswdd, zebra

It is inconsistent to treat nscd different.

I don't thing anyone would argue that bootup speed trumps all other concerns
(like consistency and maintainability). Besides nscd is NOT started by default.

Any response?

BTW, I tested on a vanilla FC4 box.  I modified /etc/init.d/nscd, then I ran
"yum -y update".

After it finished, it replaced my modified nscd SysV init script. Observe:

[root@mybox init.d]# ls -al nscd*
-rwxr-xr-x  1 root root 2640 Sep  2 16:30 nscd
-rwxr-xr-x  1 root root 2228 Sep  2 13:46 nscd.rpmsave
[root@mybox init.d]#

I would like to see this in RHEL3|4 as well. Dax you haven't submitted any bugs
from RHEL about it as far as i can see right?