
We have an SELinux client that authenticates network users using LDAP connecting to an Active Directory server. Since our machines have to operate "untethered," we have to use nscd to cache group and passwd info.

Here's the issue. If we change group information on the Active Directory server and then log in on the client, and a cache exists for that user, LDAP seems to ignore the server and only use the cached data. The only way we've been able to get an update is to invalidate the passwd cache.

Significant portion of /etc/nsswitch.conf:

    passwd: files ldap cache
    group:  files ldap cache
    shadow: files ldap cache

Thanks.

Update: Figured out by running strace getent passwd that the nscd cache gets checked before /etc/nsswitch.conf is read, so the nss configuration doesn't matter.

Update 2: Playing with nss_updatedb today to see if it will work. So far no joy, although this howto looks like exactly what we need to do.

john146
  • I don't see the programming related question in there. – EBGreen Jan 12 '09 at 21:02
  • EBGreen, that can be said for every other question tagged SELinux, and probably many tagged nss, ldap and activedirectory as well. Configuration's part of the solution. – john146 Jan 12 '09 at 21:10
  • Fair enough. I still see configuration (especially enterprise level configuration such as AD and LDAP) as IT not programming related. Since it isn't my decision to make alone, no harm comes from my difference of opinion. – EBGreen Jan 12 '09 at 21:13

3 Answers


You can easily flush the nscd cache with the following commands:

    sudo nscd -i passwd
    sudo nscd -i group

After flushing the nscd cache with these commands you will see the changed LDAP data.

For more details see: http://sysadmin-notepad.blogspot.rs/2013/05/how-to-flush-nscd-cache-in-linux.html

Nemanja Trifunovic

If you don't want to cache results from Active Directory then you need to either turn off nscd or set its cache lifetime to a few minutes (edit /etc/nscd.conf). I believe the default time to live is 10 minutes for passwd and an hour for group.

Patrick
  • Thanks for your reply. We need to cache the ldap lookup locally, but only use them when not connected to the ldap (Active Directory) server. If the user disconnects and heads out into the field, they need to be able to log in for up to a week or more. – john146 Jan 14 '09 at 22:16
  • If you have trouble with nss_updatedb, try populating your /etc/passwd & group with a nightly batch. Then change nsswitch.conf to reference them after LDAP. You need an NSS module that can fail over fast, or have a process swap the order of ldap and files depending on whether they are on the LAN or away. – Patrick Jan 22 '09 at 18:47

We finally resolved this by using nss_updatedb to cache the group and passwd databases locally. We then turned off nscd.

We added the pam_exec module to the pam.d listing and use it to run nss_updatedb before authentication to make sure the local cache is up to date.

john146
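One way to build the pam_exec hook this answer describes, as an added example that is not code from the question or from the nss_updatedb project: it refreshes the local cache only when the directory server is actually reachable, bounds both the connection check and the refresh with timeouts so an untethered login cannot hang, and always exits 0 so the hook itself can never deny a login. The server name, port, the pam.d line in the comment and the `nss_updatedb ldap` invocation are assumptions/placeholders, not values from the page.

```python
"""Hypothetical pam_exec hook that refreshes the nss_updatedb cache before
authentication when the AD/LDAP server answers, and otherwise leaves the
existing cache in place for offline logins. Not the page's own code."""
import os
import socket
import subprocess
import sys

# Placeholders, not values taken from the question.
LDAP_HOST = "ad.example.internal"
LDAP_PORT = 389
CONNECT_TIMEOUT = 3.0        # bounds how long an offline login can stall on the check
REFRESH_TIMEOUT = 30.0       # kills a hung refresh instead of blocking the login
REFRESH_CMD = ["nss_updatedb", "ldap"]   # assumed invocation; check your nss_updatedb docs


def ldap_reachable(host=LDAP_HOST, port=LDAP_PORT, timeout=CONNECT_TIMEOUT):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def plan(reachable, pam_type):
    """Decide what the hook does. Kept pure so it can be checked without a
    network: refresh only in the 'auth' stage and only when the server is up;
    every other path is 'skip', which leaves the last refreshed cache as is."""
    if pam_type != "auth":
        return "skip"
    return "refresh" if reachable else "skip"


def refresh_cache(cmd=REFRESH_CMD, timeout=REFRESH_TIMEOUT):
    """Run the refresh with a hard timeout. Returns True on success. A failure
    (non-zero exit, timeout, missing binary) is logged to stderr, where PAM
    will surface it, but is not fatal: a stale cache is still the intended
    offline behaviour, and the log line is what tells you it is stale."""
    try:
        result = subprocess.run(cmd, timeout=timeout, capture_output=True, text=True)
    except (subprocess.TimeoutExpired, OSError) as exc:
        print("nss cache refresh failed: %s" % exc, file=sys.stderr)
        return False
    if result.returncode != 0:
        print("nss cache refresh exited %d: %s"
              % (result.returncode, result.stderr.strip()), file=sys.stderr)
        return False
    return True


def main():
    # pam_exec exports PAM_TYPE and PAM_USER to the hook. Hypothetical /etc/pam.d line,
    # placed before the module that does the actual authentication:
    #   auth optional pam_exec.so quiet /usr/local/sbin/refresh-nss-cache.py
    pam_type = os.environ.get("PAM_TYPE", "")
    if plan(ldap_reachable(), pam_type) == "refresh":
        refresh_cache()
    return 0   # always 0: with 'optional' this hook can never cause a denial


if __name__ == "__main__":
    sys.exit(main())
```

The two timeouts are the part worth copying: without them a client that has just left the LAN can sit in the hook until the TCP or LDAP layer gives up, which is exactly the "untethered" case the question is about. Because refresh failures are only logged, anyone auditing the client should watch for that stderr line; a cache that silently stops refreshing keeps serving whatever group membership it last saw.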