pam_ccreds and Fedora
W. Michael Petullo
mike at flyn.org
Fri Jun 3 20:16:26 UTC 2005
>> I have been using Fedora Core's pam_ccreds package to allow my laptop to
>> authenticate users even when it is disconnected from my network's LDAP
>> server[1]. Recently, logging in to my computer when disconnected began
>> to fail.
>>
>> It seems that I was incorrectly relying on nscd to cache information for
>> long periods of time. Bug 150748 fixed nscd, but made it difficult to
>> abuse it in the way I require.
>>
>> After doing some research, I found nss_updatedb, a utility that maintains
>> a local cache of network directory user and group information. However,
>> nss_updatedb is not included in Fedora Core.
>>
>> What is the preferred way to use pam_ccreds on Fedora? Is anyone else
>> using this PAM module? Is nss_updatedb a prerequisite and, if so, will
>> it be packaged for Fedora?
>>
>> I think disconnected authentication is an important feature for Fedora
>> and would like to help work on it.
> You don't really need nss_updatedb (in fact nss_updatedb is totally
> unusable in *big* environments), nscd does all the necessary caching as
> of FC3 and beyond. What IS missing is integration of pam_ccreds into
> authconfig. There's a bug about it somewhere in RH bugzilla and
> apparently there's been (an RH internal) patch to authconfig floating
> around to add the support for configuring pam_ccreds, too bad it hasn't
> made the broad daylights so far despite me asking on a few occasions :-/

I have been having trouble with nscd. If I connect my laptop to my network,
then nscd seems to fill its caches. Disconnecting my laptop from my
network and trying an "id -gn" works. But if I later boot my laptop while
connected to a different network (but where my LDAP server is not
available), then nscd seems to forget about the groups it had cached. "id
-gn" now fails.

I have set the timeout values on the cache data to several days.

Is there a way to directly print the data contained in the nscd cache
("nscd -g" does not really help)?

I have been using the pam_ccreds module fine for quite a while but caching
name information has been flakey. There does not seem to be too much
documentation published about this.

Some related bugs:

151914 -- pam_ccreds + xscreensaver (I hope to provide a fix soon).
145044 -- pam_ccreds + authconfig

--
Mike