Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20201102145017.GS534@brightrain.aerifal.cx>
Date: Mon, 2 Nov 2020 09:50:18 -0500
From: Rich Felker <dalias@...c.org>
To: Florian Weimer <fweimer@...hat.com>
Cc: Jesse Hathaway <jesse@...ki-mvuki.org>, musl@...ts.openwall.com,
	Arjun Shankar <arjun@...hat.com>,
	Carlos O'Donell <carlos@...hat.com>
Subject: Re: Plans to remove nscd in Fedora

On Mon, Nov 02, 2020 at 02:54:31PM +0100, Florian Weimer wrote:
> * Rich Felker:
> 
> > It's not mandatory on glibc, but it's a widely deployed existing
> > interface on most "big" systems, and it's easy to add with a quick
> > apt-get or whatever on others if you find you need it for integration
> > with non-glibc binaries.
> 
> This has not been true for quite a few years because using nscd along
> with sssd for the same databases is not supported (sssd is where all the
> domain integration work happens these days):
> 
> <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/usingnscd-sssd>
> 
> SUSE also recommends disabling parts of nscd:
> 
> | -  Modify  /etc/nscd.conf
> | 
> | enable-cache   passwd    no
> | enable-cache   group      no
> 
> <https://www.suse.com/support/kb/doc/?id=000019039>
> 
> I think SUSE has largely switched to SSSD as well for the most recent
> product releases, but I do not have much insight into their work
> unfortunately.
> 
> > If it remains easy to add, having it not installed by default is
> > really not a big deal,
> 
> (we have been in this situation for many, many years)
> 
> > but I kinda worry about bitrot/breakage from suddenly having far fewer
> > users.
> 
> nscd is already very broken and has issues with workloads that trigger
> many cache misses.

Thanks for filling me in on the status of this. Perhaps
https://github.com/pikhq/musl-nscd (not part of musl, but by a
long-time contributor) would be a useful basis for building a
replacement glibc systems could use too?

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.