pam_ccreds and Fedora

W. Michael Petullo mike at flyn.org
Fri Jun 3 20:16:26 UTC 2005


>> I have been using Fedora Core's pam_ccreds package to allow my laptop to
>> authenticate users even when it is disconnected from my network's LDAP
>> server[1].  Recently, logging in to my computer when disconnected began
>> to fail.
>>
>> It seems that I was incorrectly relying on nscd to cache information for
>> long periods of time.  Bug 150748 fixed nscd, but made it difficult to
>> abuse it in the way I require.
>>
>> After doing some research, I found nss_updatedb, a utility that maintains
>> a local cache of network directory user and group information.  However,
>> nss_updatedb is not included in Fedora Core.
>>
>> What is the preferred way to use pam_ccreds on Fedora?  Is anyone else
>> using this PAM module?  Is nss_updatedb a prerequisite and, if so, will
>> it be packaged for Fedora?
>>
>> I think disconnected authentication is an important feature for Fedora
>> and would like to help work on it.

> You don't really need nss_updatedb (in fact nss_updatedb is totally
> unusable in *big* environments), nscd does all the necessary caching as
> of FC3 and beyond. What IS missing is integration of pam_ccreds into
> authconfig. There's a bug about it somewhere in RH bugzilla and
> apparently there's been (an RH internal) patch to authconfig floating
> around to add the support for configuring pam_ccreds, too bad it hasn't
> made the broad daylights so far despite me asking on a few occasions :-/

I have been having trouble with nscd.  If I connect my laptop to my network,
then nscd seems to fill its caches.  Disconnecting my laptop from my
network and trying an "id -gn" works.  But if I later boot my laptop while
connected to a different network (but where my LDAP server is not
available), then nscd seems to forget about the groups it had cached.  "id
-gn" now fails.

I have set the timeout values on the cache data to several days.

Is there a way to directly print the data contained in the nscd cache
("nscd -g" does not really help)?

I have been using the pam_ccreds module fine for quite a while but caching
name information has been flakey.  There does not seem to be too much
documentation published about this.

Some related bugs:
151914 -- pam_ccreds + xscreensaver (I hope to provide a fix soon).
145044 -- pam_ccreds + authconfig

--
Mike




More information about the fedora-devel-list mailing list