using nscd (ldap) makes passwd/group disappearing while installing ports

O. Hartmann ohartman at
Wed Feb 1 08:55:35 UTC 2012

On 02/01/12 01:03, Benjamin Lee wrote:
> On 01/31/2012 03:03 PM, O. Hartmann wrote:
>> I'm using on a couple of servers the nameservice cache daemon nscd and
>> cache "group", "passwd" and "sudoers". Backend is LDAP, but local files
>> should be searched first, then ldap. Cache is searched the very first, even
>> before files.
>> Well, I'd expect that if a group is present, like "cups" or "dhcp" and
>> reside in the local file (/etc/group or /etc/passwd), they are cached.
>> Installing net/isc-dhcp42-server fails with this error:
>> gmake[1]: Leaving directory
>> `/usr/ports/net/isc-dhcp42-server/work/dhcp-4.2.3-P2/server'
>> gmake[1]: Entering directory
>> `/usr/ports/net/isc-dhcp42-server/work/dhcp-4.2.3-P2'
>> gmake[1]: Nothing to be done for `all-am'.
>> gmake[1]: Leaving directory
>> `/usr/ports/net/isc-dhcp42-server/work/dhcp-4.2.3-P2'
>> ===>  Installing for isc-dhcp42-server-4.2.3_2
>> ===>   Generating temporary packing list
>> ===> Creating users and/or groups.
>> Creating group `dhcpd' with gid `136'.
>> pw: group disappeared during update
>> *** Error code 70
>> Stop in /usr/ports/net/isc-dhcp42-server.
>> *** Error code 1
>> Stop in /usr/ports/net/isc-dhcp42-server.
> What's going on is:
> 1) The port checks if the group exists
> 2) nscd caches that the group does not exist in its negative cache
> 3) pw(8) creates the group then checks if it exists
> 4) nscd returns the negative cache entry (group does not exist)
> This causes pw(8) to error since it expects the group that it just
> created to exist.
>> I also have this error very often when rebuilding/updating or even
>> installing cups when "nscd" is enabled. A simple restart of nscd helps
>> in most cases, most times I need to disable the "cache" tag in
>> /etc/nsswitch.conf, then everything runs smoothly.
>> Well, this behaviour has been there for a couple of years now and occurs
>> sporadically. I have had it in FreeBSD 7, 8, 9 and I see it in 10. What is it?
>> I like the cache facility, since in domains with a lot of users
>> searching LDAP takes some time and caching helps keep traffic and
>> latency short. But the nameservice caching mechanism seems to be
>> unreliable. What is up there?
> You should put "files" before "cache" in /etc/nsswitch.conf, e.g.:
> group: files cache ldap
> passwd: files cache ldap
> The problem is that tools that modify the passwd and group files, like
> pw(8), don't invalidate nscd's negative cache entries when making
> changes.

Thank you for the explanation.
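
Added example, not part of the original thread and not FreeBSD's resolver code: a simplified Python model of the four-step sequence Benjamin Lee describes, replayed under both source orders from the thread. The `Resolver` class, the function names and the sample group sets are constructed for illustration; the model assumes, as the reply states, that a negative cache hit ends the lookup and that pw(8) does not invalidate it.

```python
# Simplified model of the sequence in the thread, not FreeBSD's nsdispatch code.
# Assumption (from the reply): a negative cache hit ends the lookup, and
# pw(8) never invalidates nscd's entries.

def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf-style text."""
    order = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            order[db.strip()] = sources.split()
    return order

class Resolver:
    def __init__(self, sources, backends):
        self.sources = sources
        self.backends = backends              # {"files": set, "ldap": set}
        self.positive, self.negative = set(), set()

    def lookup(self, name):
        seen_cache = False
        for src in self.sources:
            if src == "cache":
                if name in self.positive:
                    return True
                if name in self.negative:
                    return False              # stale "not found" wins
                seen_cache = True             # miss: later results get cached
            elif name in self.backends.get(src, ()):
                if seen_cache:
                    self.positive.add(name)
                return True
        if seen_cache:
            self.negative.add(name)
        return False

def pw_groupadd_check(nsswitch_text, group="dhcpd"):
    """Replay steps 1-4; return what pw(8)'s post-create lookup sees."""
    files, ldap = {"wheel", "cups"}, {"staff"}     # constructed sample data
    r = Resolver(parse_nsswitch(nsswitch_text)["group"],
                 {"files": files, "ldap": ldap})
    r.lookup(group)        # steps 1-2: port asks, miss may be negative-cached
    files.add(group)       # step 3: pw(8) writes /etc/group
    return r.lookup(group) # steps 3-4: pw(8) re-checks the new group

if __name__ == "__main__":
    for conf in ("group: cache files ldap", "group: files cache ldap"):
        print(conf, "->", "ok" if pw_groupadd_check(conf) else
              "pw: group disappeared during update")
```

With `files` ahead of `cache`, a locally created group is answered from /etc/group before the cache is consulted, so the stale negative entry is never reached for it.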

