# nscd and nsswitch don't seem to be working together



## sdalu (Apr 3, 2020)

I've configured nsswitch.conf to use ldap (via nss-pam-ldapd).
Configuration is working fine, but I want to avoid querying the ldap server too much, so I decided to use nscd for caching passwd/group lookups.

I used this simple configuration in nsswitch.conf (other entries are left unchanged), and nscd.conf is the installed default:

```
group: cache files ldap
passwd: cache files ldap
```

The problem is that caching doesn't seem to be used at all (testing using `ls -al /home`):

- `nslcd -d` shows an ldap request being performed for every test
- `nscd -nst` shows nothing (but the program initialisation)

Any idea on what's going on is welcome.


----------



## asomers (Aug 15, 2020)

What version of FreeBSD are you running? There was a bug in nscd that mostly broke it. It was fixed in head at r340015 and merged to stable/12 at r364199.







----------



## sdalu (Aug 23, 2020)

Hi, I was using 12.1-RELEASE-p3.
So I guess I need to wait for the 12.2 release.


----------



## Mjölnir (Mar 10, 2021)

Network wizards, please comment.
`uname -aU`
`FreeBSD t450s.local.lan 12.2-RELEASE-p4 FreeBSD 12.2-RELEASE-p4 GENERIC  amd64 1202000`

Maybe the issues I had fit into this thread: until yesterday, I constantly had nasty error messages in /var/log/debug.log:

```
Mar  5 16:01:00 t450s cron[78002]: NSSWITCH(_nsdispatch): cache, group_compat, endgrent, not found, and no fallback provided
Mar  5 16:01:00 t450s cron[78002]: NSSWITCH(_nsdispatch): cache, passwd_compat, endpwent, not found, and no fallback provided
```
Note: the program after the date varies, other programs like ls(1), csh(1),... occurred as well.
With these configurations in /etc/nsswitch.conf (pretty much default):

```
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/12.2/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
# $Id: nsswitch.conf,v 1.3 2021/03/07 12:22:51 root Exp root $
#
group: compat
group_compat: cache nis [notfound=RETURN]
hosts: cache files dns
netgroup: compat
netgroup_compat: cache nis [notfound=RETURN]
networks: cache files dns
passwd: compat
passwd_compat: cache nis [notfound=RETURN] db
shells: cache files
services: compat
services_compat: cache nis [notfound=RETURN] db
protocols: cache files
rpc: cache files
```
and /etc/nscd.conf:

```
#
# Default caching daemon configuration file
# $FreeBSD: releng/12.2/usr.sbin/nscd/nscd.conf 336850 2018-07-28 23:29:36Z brd $
# $Id: nscd.conf,v 1.2 2021/02/24 00:12:43 root Exp root $
#
enable-cache passwd yes
perform-actual-lookups passwd yes
enable-cache group yes
perform-actual-lookups group yes
enable-cache hosts yes
positive-policy hosts lfu
negative-confidence-threshold hosts 4
#negative-time-to-live hosts 120
suggested-size hosts 2521
keep-hot-count hosts 4096
enable-cache netgroups yes
suggested-size netgroups 37
keep-hot-count netgroups 64
enable-cache networks yes
enable-cache protocols yes
keep-hot-count protocols 512
enable-cache services yes
suggested-size services 2521
#keep-hot-count services 4096
perform-actual-lookups services yes
enable-cache shells yes
suggested-size shells 17
keep-hot-count hosts 32
enable-cache rpc yes
```
Then I removed the `*_compat` entries from /etc/nsswitch.conf:

```
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/12.2/lib/libc/net/nsswitch.conf 338729 2018-09-17 18:56:47Z brd $
# $Id: nsswitch.conf,v 1.4 2021/03/07 12:26:49 root Exp root $
#
group: cache nis [notfound=RETURN] files
hosts: cache files dns
netgroup: cache nis [notfound=RETURN] files
networks: cache files dns
passwd: cache nis [notfound=RETURN] db [notfound=RETURN] files
shells: cache files
services: cache nis [notfound=RETURN] db [notfound=RETURN] files
protocols: cache files
rpc: cache files
```
and commented out `perform-actual-lookups` in nscd.conf(5):

```
root@t450s:/etc # rcsdiff -r1.2 nscd.conf
===================================================================
RCS file: RCS/nscd.conf,v
retrieving revision 1.2
diff -r1.2 nscd.conf
4c4
< # $Id: nscd.conf,v 1.2 2021/02/24 00:12:43 root Exp $
---
> # $Id: nscd.conf,v 1.3 2021/03/07 12:34:38 root Exp root $
7c7
< perform-actual-lookups passwd yes
---
> #perform-actual-lookups passwd yes
9c9
< perform-actual-lookups group yes
---
> #perform-actual-lookups group yes
25c25
< perform-actual-lookups services yes
---
> #perform-actual-lookups services yes
```
restarted nscd(8), but I still had error messages. But after I rebooted yesterday `last -n 5 reboot`

```
last -n 5 reboot
boot time                                  Di.  9 März 03:49
shutdown time                              Di.  9 März 03:45
boot time                                  Di.  9 März 03:26
shutdown time                              Di.  9 März 03:24
boot time                                  Mo.  1 März 22:51
```
the error messages disappeared EDIT: see next post: this "fix" killed syslogd(8) /EDIT. Thus I'd say I can file a bug report on nsswitch.conf(5): the defaults shipped are bogus, the `compat` entry simply doesn't work? Correct? I changed from the defaults (other than to enable caching) only because I had these nasty error messages; my changes were marginal at most (include explicit `[notfound=RETURN]`).
Why was it not enough to restart nscd(8)? That is extremely irritating... This is not a Windows box... Maybe a shutdown(8) & going to multiuser again would have been enough?
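
A triage helper for the `NSSWITCH(_nsdispatch)` lines quoted in the post above, added here as an example and not part of the original thread: it groups the messages by source, database and method, lists the programs that logged them, and checks whether that source is named on the matching nsswitch.conf line. Reading the three comma-separated fields as source, database and method is an assumption taken from the field order in the quoted lines; the `ls` log line and the function names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the two debug.log lines from the post plus one made-up ls(1) line.
SAMPLE_LOG = """\
Mar  5 16:01:00 t450s cron[78002]: NSSWITCH(_nsdispatch): cache, group_compat, endgrent, not found, and no fallback provided
Mar  5 16:01:00 t450s cron[78002]: NSSWITCH(_nsdispatch): cache, passwd_compat, endpwent, not found, and no fallback provided
Mar  5 16:02:11 t450s ls[78110]: NSSWITCH(_nsdispatch): cache, passwd_compat, endpwent, not found, and no fallback provided
"""
# Constructed excerpt of the nsswitch.conf shown in the post.
SAMPLE_NSSWITCH = """\
group: compat
group_compat: cache nis [notfound=RETURN]
passwd: compat
passwd_compat: cache nis [notfound=RETURN] db
"""

# Assumption: the three comma-separated fields are source, database, method.
LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(?P<prog>[^\[\s:]+)(?:\[\d+\])?:\s"
    r"NSSWITCH\(_nsdispatch\):\s(?P<source>[^,]+),\s(?P<database>[^,]+),\s"
    r"(?P<method>[^,]+),\snot found, and no fallback provided\s*$"
)

def parse_nsswitch(text):
    """Return {database: [sources]}, ignoring comments and [criteria] blocks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, rest = line.split(":", 1)
            table[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return table

def summarize(log_text, nsswitch_text):
    """Group the messages and note whether nsswitch.conf names that source."""
    table = parse_nsswitch(nsswitch_text)
    programs = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            programs[(m["source"], m["database"], m["method"])].add(m["prog"])
    return [
        {"source": s, "database": db, "method": meth, "programs": sorted(p),
         "in_nsswitch": s in table.get(db, [])}
        for (s, db, meth), p in sorted(programs.items())
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG, SAMPLE_NSSWITCH):
        print(row)
```
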


----------



## Mjölnir (Mar 10, 2021)

I forgot to mention that the above "solution" was fake, because it killed my syslogd(8) and that was the reason why the error messages did not come up anymore... Now my status is that I removed nis(8) completely from nsswitch.conf(5), this gives me back a running syslogd(8), but also the error messages & nscd(8)'s caching doesn't seem to work, either (it never did).


----------



## Mjölnir (Mar 12, 2021)

Wow, this caused an avalanche of answers! `ping` to distract your attention, I'd really like to fix this issue...


----------

