Phabricator Paste P8209: nscd rh
Authored by GTirloni on Mar 15 2019, 5:32 PM.
Referenced Files: F28393391: raw.txt (Mar 15 2019, 5:32 PM)
NSCD is not caching LDAP users reliably
SOLUTION VERIFIED - Updated August 6 2015 at 12:49 PM - English
Environment
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Issue
There are times when running id against an LDAP user fails because the user is not found in the nscd cache, even though the user is known to exist in LDAP:
# id ldapuser1
id: ldapuser1: No such user
How to set nscd into paranoia mode
Resolution
Red Hat is focusing its client-side caching work on sssd, so the true resolution is to migrate RHEL 5 and later systems to sssd. Because that is not an immediate option for every customer, there are ways to make an existing system rebuild the nscd cache periodically. This is not a foolproof fix; it is only meant for cases where the nscd cache becomes corrupted or randomly misses entries and migrating to sssd is not currently possible.
As a workaround, add the following line to /etc/nscd.conf:
paranoia yes
Then restart the nscd service:
# service nscd restart
With paranoia mode enabled, the nscd daemon restarts itself every restart-interval seconds as configured in /etc/nscd.conf (nscd's default is 3600 seconds when no restart-interval line is present).
A secondary workaround, instead of the paranoia option (whose timing is relative to when the nscd daemon was last started), is a cron job that restarts the nscd daemon at a fixed interval. The right interval depends on the workload of the machine.
Note that no interval guarantees an error-free nscd cache. This is why the true resolution is to migrate to sssd.
Root Cause
nscd has limitations in how its cache timeouts interact with nss_ldap and nss-pam-ldapd. Because the nscd cache is not reliable and cannot be configured to be (the reload-count option for refreshing the cache and the cache timeouts do not function as intended), development effort was focused on sssd.
BZ 488597 covers this issue along with other nscd problems that were discussed. The conclusion was that nscd cannot deliver all of its caching configuration as documented, and the true resolution is to migrate to sssd.
Diagnostic Steps
Restarting nscd and then running id on a user (an LDAP user in this example) will sometimes fail to resolve the user, and the outcome varies from one run to the next:
[root@test ~]# /etc/init.d/nscd restart ; id ldapuser1
Stopping nscd: [ OK ]
Starting nscd: [ OK ]
uid=10001(ldapuser1) gid=10000(ldapgroup1) groups=10000(ldapgroup1)
[root@test ~]# /etc/init.d/nscd restart ; sleep 1 ; id ldapuser1
Stopping nscd: [ OK ]
Starting nscd: [ OK ]
id: ldapuser1: No such user
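The workaround described under Resolution (paranoia mode or a periodic restart) and the restart-then-lookup race shown under Diagnostic Steps, as an added example that is not part of the Red Hat article: a small bash script that reports the effective paranoia and restart-interval values from an nscd.conf (assuming, per nscd.conf(5), defaults of no and 3600 seconds, and that a later line overrides an earlier one for the same key), and a probe that restarts nscd a given number of times and counts the lookups that fail right after each restart. The function names, the NSCD_RESTART_CMD and NSCD_LOOKUP_CMD variables, and the sample config are this example's own assumptions, not anything from the article.

```bash
#!/bin/bash
# Added example, not code from the Red Hat article.

# Print the effective paranoia and restart-interval values from an nscd.conf.
# Defaults taken from nscd.conf(5): paranoia no, restart-interval 3600 seconds.
# Assumes a later line overrides an earlier one for the same key.
nscd_effective_settings() {
    conf="$1"
    paranoia=no
    interval=3600
    # read strips leading whitespace; comment and blank lines are skipped.
    while read -r key value _rest; do
        case "$key" in
            ''|'#'*) continue ;;
            paranoia) paranoia="$value" ;;
            restart-interval) interval="$value" ;;
        esac
    done < "$conf"
    printf 'paranoia=%s restart-interval=%s\n' "$paranoia" "$interval"
}

# Restart nscd N times, pause, and run the lookup after each restart,
# counting the lookups that fail (the race shown in Diagnostic Steps).
# The restart and lookup commands come from NSCD_RESTART_CMD and
# NSCD_LOOKUP_CMD (hypothetical knobs for this example) so the probe can be
# pointed at stubs; the defaults are the commands used in the article.
# Prints the failure count and returns non-zero if any lookup failed.
nscd_restart_probe() {
    user="$1"
    rounds="$2"
    pause="${3:-1}"
    restart_cmd="${NSCD_RESTART_CMD:-service nscd restart}"
    lookup_cmd="${NSCD_LOOKUP_CMD:-id}"
    failures=0
    i=0
    while [ "$i" -lt "$rounds" ]; do
        $restart_cmd >/dev/null 2>&1 || echo "warning: restart command failed" >&2
        sleep "$pause"
        if ! $lookup_cmd "$user" >/dev/null 2>&1; then
            failures=$((failures + 1))
        fi
        i=$((i + 1))
    done
    echo "$failures"
    [ "$failures" -eq 0 ]
}

# Usage on a real host (as root): audit the config, then run 20 rounds with a
# one-second pause, matching the article's second diagnostic command:
#   nscd_effective_settings /etc/nscd.conf
#   nscd_restart_probe ldapuser1 20 1
# The cron alternative from the Resolution would be a root crontab entry
# along these lines (example line; pick the interval for your workload):
#   0 * * * * /sbin/service nscd restart
```

If the probe reports failures with paranoia already enabled, the restart interval is not the problem: the lookup fails immediately after a restart, which is exactly the window a periodic restart reopens every cycle, so the sssd migration remains the only real fix.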
Product(s): Red Hat Enterprise Linux | Component: nss | Category: Configure | Tags: ldap, nscd, rhel, rhel_5
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.