On 18 May 2017 at 14:33, Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:
> On 05/18/2017 09:24 AM, Nico Kadel-Garcia wrote:
>> On Thu, May 18, 2017 at 6:17 AM, Jakub Hrozek <jhrozek@xxxxxxxxxx> wrote:
>>> On Tue, May 16, 2017 at 08:20:49AM -0400, Stephen Gallagher wrote:
>>
>>>> Yes, authconfig is *not* a good tool for managing centralized authentication
>>>> services and its upstream has been unable to keep up with the changing needs of
>>>> the system. That's why work is under way to replace it with more robust tools. I
>>>> think Jakub can talk more about that.
>>>
>>> Yeah, there is a project in a fairly early stage (so, we don't even have
>>> a Fedora Change page yet, but we need to file one for F-27) to replace
>>> authconfig.
>>>
>>> The basic idea is that instead of trying to generate a nss/pam stack
>>> based on what the admin called authconfig with (and hope for the best)
>>> the tool would include a curated and well tested set of stacks to support
>>> the common configuration types.
>>
>> Cool. I'd love to see, for example "sss" not even listed in the
>> equivalent of /etc/nsswitch.conf for systems that haven't specifically
>> enabled any service that actually uses LDAP. Currently, the stack
>> relies on authconfig turning *off* the sssd daemon. I'd prefer to see
>> it listed there only if there's actually anything configured to use
>> it.
>
> That's a perfectly reasonable request. I think it's fair to say that if no
> central user management is required, it's reasonable that our default would be
> to drop 'sss' from nsswitch.conf and turn nscd back on (to avoid I/O lookups on
> the local files).
>
> Though if we do that, I'd still like to see some daemon *somewhere* monitoring
> the files and flushing the nscd cache if they are modified, because an outdated
> nscd cache is one of the hardest things for an end-user to debug because there's
> really nowhere that can log it.
>
>

The lack of logging of nscd, if anything, I'd argue is a reason for the
various Working Groups for the Products to have sssd enabled (with sss at
the start of nsswitch) and running by default, and with systemd always
restarting it.
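
The condition raised in the thread ("sss" listed in nsswitch.conf although nothing is configured to use it) can be checked mechanically. The following is an added example, not part of the thread and not code from authconfig or its planned replacement; the function names and sample file contents are constructed, and it assumes a domain counts as configured only when it is named in `[sssd] domains` and has a matching `[domain/NAME]` section.

```python
import configparser
import re

# Constructed sample inputs (not taken from the thread).
NSSWITCH = """\
passwd:    files sss
shadow:    files
group:     files [SUCCESS=merge] sss
hosts:     files dns myhostname   # no sss here
"""
SSSD_UNCONFIGURED = "[sssd]\nservices = nss, pam\n"
SSSD_CONFIGURED = """\
[sssd]
domains = example.test
[domain/example.test]
id_provider = ldap
"""

ACTION = re.compile(r"\[[^\]]*\]")  # bracketed action items between sources

def sss_databases(nsswitch_text):
    """Return the nsswitch databases whose source list includes 'sss'."""
    found = []
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0]          # strip comments
        if ":" not in line:
            continue
        database, sources = line.split(":", 1)
        if "sss" in ACTION.sub(" ", sources).split():
            found.append(database.strip())
    return found

def enabled_sssd_domains(sssd_conf_text):
    """Return domains listed in [sssd] that also have a [domain/NAME] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(sssd_conf_text)
    listed = parser.get("sssd", "domains", fallback="")
    names = [d.strip() for d in listed.split(",") if d.strip()]
    return [d for d in names if parser.has_section("domain/" + d)]

def audit(nsswitch_text, sssd_conf_text):
    """Report 'sss' entries that no configured sssd domain backs."""
    databases = sss_databases(nsswitch_text)
    if databases and not enabled_sssd_domains(sssd_conf_text):
        return ["'sss' is listed for %s but no sssd domain is configured"
                % ", ".join(databases)]
    return []

if __name__ == "__main__":
    print(audit(NSSWITCH, SSSD_UNCONFIGURED))
```
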