#9086 Have ipa-client-install additionally disable the unscd service if using SSSD
Closed: fixed 11 months ago by rcritten. Opened 2 years ago by caligatio.

Issue

ipa-client-install currently disables the nscd service if IPA is being configured to use sssd due to undesired behavior if both services are present. This same undesired behavior occurs if the unscd service is present so it would be ideal if unscd could be disabled as well.

Steps to Reproduce

  1. Install unscd prior to using FreeIPA
  2. Install/configure the FreeIPA client

Actual behavior

unscd appears to cache values like group membership and prevents requests from actually being sent to sssd resulting in stale group membership.

Expected behavior

For things like group membership to update.

Version/Release/Distribution

FreeIPA client 4.8.6-1ubuntu2 on Ubuntu 20.04.3 but latest is also affected.

Additional info:

unscd is touted as a "better" nscd (not injecting any particular opinion) so another admin for my network had used it in combination with NIS. We are now migrating to FreeIPA and had many issues with things like group membership not updating without a system reboot. We finally realized unscd was the culprit and then saw that ipa-client-install disables nscd as part of the install. As unscd causes the same problems that warranted nscd being disabled during install, it would be great if unscd could be similarly disabled during install.


Do you have a pointer to the upstream for this? The only ones I was able to find haven't been touched in years.

It looks like someone packaged it for Debian which I guess is how it landed in Ubuntu. @tjaalton are you familiar with this package? It doesn't ship on Fedora or RHEL (even EPEL AFAICT).

The current handling of nscd in ipa-client is not exactly graceful. Adding another service to additionally/optionally disable could be interesting.

Looks like the code is hosted at https://busybox.net/~vda/unscd/ which was last updated in late 2020. I'm guessing a vast majority of people just use nscd but it looks like it would be fairly easy to add support for disabling unscd in addition to nscd by wrapping the disabling block in a for loop to iterate over both nscd and unscd).

looks like unscd was packaged for Debian in 2010, though this is the first time I've heard about it

I'm not sure it is worth the effort to add support for a project that sees so little use.

I won't be heartbroken if this one isn't fixed but, if it's not, it would be ideal if there could be a mention of it in the documentation.

Metadata Update from @rcritten:
- Issue assigned to rcritten

11 months ago

Upstream PR https://github.com/freeipa/freeipa/pull/6847 to mention this in the ipa-client-install man apge.

master:

  • 8eeba00 Mention in ipa-client-install that nscd is disabled

ipa-4-10:

  • abe71fe Mention in ipa-client-install that nscd is disabled

ipa-4-9:

  • e859b82 Mention in ipa-client-install that nscd is disabled

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

11 months ago

Login to comment on this ticket.

Metadata