903648 – NSCD warning is irritating

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 903648 - NSCD warning is irritating

Summary: NSCD warning is irritating

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jakub Hrozek
QA Contact:	Kaushik Banerjee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-01-24 13:37 UTC by Dmitri Pal
Modified:	2020-05-02 17:15 UTC (History)
CC List:	6 users (show)
Fixed In Version:	sssd-1.10.0-10.el7.beta2
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 12:01:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2827	0	None	closed	NSCD warning is irritating	2020-05-02 17:15:25 UTC

Description Dmitri Pal 2013-01-24 13:37:25 UTC

When running nscd && sssd, nscd needs to be configured to not conflict with overlapping services, however even if configured correctly, warning messages show up in logs. We need to remove these warnings if sssd is configured correctly.

Comment 3 Dmitri Pal 2013-01-24 13:42:44 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1785

Comment 4 Jakub Hrozek 2013-10-04 13:24:24 UTC

Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 6 Amith 2013-12-10 12:38:02 UTC

Verified the bug on SSSD Version: sssd-1.11.2-10.el7.x86_64

Steps followed during verification:
1. Setup nscd.conf with default overlapping services and start nscd.
2. Setup sssd.conf correctly and start it as well.
3. Monitor /var/log/messages file. Following warning appears:

Dec 10 17:53:37 rhel-7 systemd: Starting System Security Services Daemon...
Dec 10 17:53:37 rhel-7 sssd: NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services]. It is recommended not to run NSCD in parallel with SSSD, unless NSCD is configured not to cache these.
Dec 10 17:53:37 rhel-7 sssd: Starting up
Dec 10 17:53:39 rhel-7 sssd[be[LDAP]]: Starting up
Dec 10 17:53:39 rhel-7 sssd[pam]: Starting up
Dec 10 17:53:39 rhel-7 sssd[nss]: Starting up

4. Stop both sssd and nscd service.
5. Now configure nscd.conf correctly by commenting out overlapping services.
6. Start nscd service first and then start sssd service.
7. Monitor syslog messages. 

The warning message disappears as expected.

Comment 7 Ludek Smid 2014-06-13 12:01:17 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Comment 9 RobbieTheK 2019-06-14 14:28:47 UTC

Let me know if this should be a new bug. We use NIS and disable sssd:
systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

However we still get this several times a day:
Daemon: NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services]. It is recommended not to run NSCD in parallel with SSSD, unless NSCD is configured not to cache these 

Here's the /etc/nscd.conf:

  enable-cache            passwd          yes
        positive-time-to-live   passwd          600
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes
        persistent              passwd          yes
        shared                  passwd          yes
        max-db-size             passwd          33554432
        auto-propagate          passwd          yes

        enable-cache            group           yes
        positive-time-to-live   group           3600
        negative-time-to-live   group           60
        suggested-size          group           211
        check-files             group           yes
        persistent              group           yes
        shared                  group           yes
        max-db-size             group           33554432
        auto-propagate          group           yes

        enable-cache            hosts           yes
        positive-time-to-live   hosts           3600
        negative-time-to-live   hosts           20
        suggested-size          hosts           211
        check-files             hosts           yes
        persistent              hosts           yes
        shared                  hosts           yes
        max-db-size             hosts           33554432

        enable-cache            services        yes
        positive-time-to-live   services        28800
        negative-time-to-live   services        20
        suggested-size          services        211
        check-files             services        yes
        persistent              services        yes
        shared                  services        yes
        max-db-size             services        33554432

Comment 10 Jakub Hrozek 2019-06-14 19:49:56 UTC

Where do you get the warning from if sssd is disabled?

Comment 11 RobbieTheK 2019-06-14 19:56:12 UTC

(In reply to Jakub Hrozek from comment #10)
> Where do you get the warning from if sssd is disabled?
It just happens randomly can't reproduce it, could it be related to NIS, ypbind?

Comment 12 RobbieTheK 2019-06-18 15:41:36 UTC

(In reply to Jakub Hrozek from comment #10)
> Where do you get the warning from if sssd is disabled?

Perhaps this is a clue?
Jun 17 16:32:42 ourserver ypbind[20820]: 20822: Ping active servers for all domains.
Jun 17 16:32:55 ourserver sssd[kcm][30684]: Shutting down
Jun 17 16:32:59 ourserver systemd[1]: Starting SSSD Kerberos Cache Manager...
Jun 17 16:32:59 ourserver sssd[30091]: NSCD socket was detected and seems to be configured to cache some of the databases controlled by SSSD [passwd,group,netgroup,services]. It is recommended not to run NSCD in parallel with SSSD, unless NSCD is configured not to cache these.
Jun 17 16:32:59 ourserver systemd[1]: Started SSSD Kerberos Cache Manager.

Comment 13 Jakub Hrozek 2019-06-18 18:01:51 UTC

(In reply to RobbieTheK from comment #12)
> (In reply to Jakub Hrozek from comment #10)
> > Where do you get the warning from if sssd is disabled?
> 
> Perhaps this is a clue?
> Jun 17 16:32:42 ourserver ypbind[20820]: 20822: Ping active servers for all
> domains.
> Jun 17 16:32:55 ourserver sssd[kcm][30684]: Shutting down
> Jun 17 16:32:59 ourserver systemd[1]: Starting SSSD Kerberos Cache Manager...
> Jun 17 16:32:59 ourserver sssd[30091]: NSCD socket was detected and seems to
> be configured to cache some of the databases controlled by SSSD
> [passwd,group,netgroup,services]. It is recommended not to run NSCD in
> parallel with SSSD, unless NSCD is configured not to cache these.
> Jun 17 16:32:59 ourserver systemd[1]: Started SSSD Kerberos Cache Manager.

Ah, OK this makes sense. I didn't think about KCM because this bug was opened against RHEL-7 so I had this RHEL-7 tunnel vision. I reckon you are running RHEL-8 or some modern Fedora, then? If yes, then this is a small bug. KCM on startup regenerates its configuration database with the help of the main sssd binary (sssd --genconf --only-section=kcm or something like this) which incidentally also runs the nscd check.

Comment 14 RobbieTheK 2019-06-18 18:08:51 UTC

(In reply to Jakub Hrozek from comment #13)
> (In reply to RobbieTheK from comment #12)
> > (In reply to Jakub Hrozek from comment #10)
> > > Where do you get the warning from if sssd is disabled?
> > 
> > Perhaps this is a clue?
> > Jun 17 16:32:42 ourserver ypbind[20820]: 20822: Ping active servers for all
> > domains.
> > Jun 17 16:32:55 ourserver sssd[kcm][30684]: Shutting down
> > Jun 17 16:32:59 ourserver systemd[1]: Starting SSSD Kerberos Cache Manager...
> > Jun 17 16:32:59 ourserver sssd[30091]: NSCD socket was detected and seems to
> > be configured to cache some of the databases controlled by SSSD
> > [passwd,group,netgroup,services]. It is recommended not to run NSCD in
> > parallel with SSSD, unless NSCD is configured not to cache these.
> > Jun 17 16:32:59 ourserver systemd[1]: Started SSSD Kerberos Cache Manager.
> 
> Ah, OK this makes sense. I didn't think about KCM because this bug was
> opened against RHEL-7 so I had this RHEL-7 tunnel vision. I reckon you are
> running RHEL-8 or some modern Fedora, then? If yes, then this is a small
> bug. KCM on startup regenerates its configuration database with the help of
> the main sssd binary (sssd --genconf --only-section=kcm or something like
> this) which incidentally also runs the nscd check.

Yes Fedora 29. Should I open a new bug?

Comment 15 Jakub Hrozek 2019-06-18 18:54:45 UTC

(In reply to RobbieTheK from comment #14)
> (In reply to Jakub Hrozek from comment #13)
> > (In reply to RobbieTheK from comment #12)
> > > (In reply to Jakub Hrozek from comment #10)
> > > > Where do you get the warning from if sssd is disabled?
> > > 
> > > Perhaps this is a clue?
> > > Jun 17 16:32:42 ourserver ypbind[20820]: 20822: Ping active servers for all
> > > domains.
> > > Jun 17 16:32:55 ourserver sssd[kcm][30684]: Shutting down
> > > Jun 17 16:32:59 ourserver systemd[1]: Starting SSSD Kerberos Cache Manager...
> > > Jun 17 16:32:59 ourserver sssd[30091]: NSCD socket was detected and seems to
> > > be configured to cache some of the databases controlled by SSSD
> > > [passwd,group,netgroup,services]. It is recommended not to run NSCD in
> > > parallel with SSSD, unless NSCD is configured not to cache these.
> > > Jun 17 16:32:59 ourserver systemd[1]: Started SSSD Kerberos Cache Manager.
> > 
> > Ah, OK this makes sense. I didn't think about KCM because this bug was
> > opened against RHEL-7 so I had this RHEL-7 tunnel vision. I reckon you are
> > running RHEL-8 or some modern Fedora, then? If yes, then this is a small
> > bug. KCM on startup regenerates its configuration database with the help of
> > the main sssd binary (sssd --genconf --only-section=kcm or something like
> > this) which incidentally also runs the nscd check.
> 
> Yes Fedora 29. Should I open a new bug?

I can do that if you don't mind, I hope I know all the details. I'll CC you to this bug report.

Note You need to log in before you can comment on or make changes to this bug.