We had severe problems with our Campus Network, which is fully based on
Debian. We are using the "one group a user" approach that is the Debian
standard. We are running two NIS servers, one master and one slave, and a
couple of servers that utilize these two main NIS servers.
I finally ran one of those in debug mode and had the following:
- The group.byname database was completely read by other machines
- The ypserv process was running most of the time and was not
able to satisfy all those requests.
It turns out that there is a subroutine initgroups in the standard C
library that attempts to figure out what groups a user belongs to and does
an exhaustive search of /etc/groups. That procedure is called by cron,
login and all important tools. It's called at least for each command
executed by cron and if you run "at" each minute the /etc/group file will
be scanned or a huge number of network transfers will take place.
A couple of machines running with NIS can bring down the yp process and
cause a lot of trouble on the network.
I have solved this problem for now by copying the master /etc/group to all
major machines and removing the +:: stuff from machines that are not so
important to disable those lookups.
How can we solve this issue? Perhaps we should go back to the old approach
of putting users into one group?
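
The exhaustive search described in this message, as an added example that is not part of the original post and not libc's own code: it walks a constructed group(5) database the way such a search must, and counts the records read for each lookup. The names `scan_groups`, `in_members` and `SAMPLE_DB` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in group(5) format: name:passwd:gid:member,member */
static const char SAMPLE_DB[] =
    "root:x:0:\n" "staff:x:50:alice,bob\n" "alice:x:1001:\n"
    "bob:x:1002:\n" "carol:x:1003:\n" "lab:x:2000:carol,alice\n";
/* Return 1 if user is in the comma-separated member list [list, end). */
static int in_members(const char *list, const char *end, const char *user)
{
    size_t ulen = strlen(user);
    for (size_t n; list < end; list += n + 1) {
        n = strcspn(list, ",\n");
        if (n == ulen && memcmp(list, user, n) == 0)
            return 1;
    }
    return 0;
}

/* Hypothetical helper: visit every record, store gids listing user, count reads. */
int scan_groups(const char *db, const char *user, long *gids, int max, int *scanned)
{
    int found = 0;
    for (*scanned = 0; *db; db += (*db == '\n')) {
        const char *eol = db + strcspn(db, "\n"), *p = db, *gidf = NULL;
        for (int i = 0; i < 3 && p; i++) {   /* step over name, passwd, gid */
            if (i == 2) gidf = p;
            p = memchr(p, ':', (size_t)(eol - p));
            if (p) p++;
        }
        if (p) {                             /* well-formed record */
            ++*scanned;
            if (found < max && in_members(p, eol, user))
                gids[found++] = strtol(gidf, NULL, 10);
        }
        db = eol;
    }
    return found;
}

int main(void)
{
    const char *users[] = { "alice", "carol", "dave" };
    for (int i = 0; i < 3; i++) {
        long gids[8];
        int scanned, n = scan_groups(SAMPLE_DB, users[i], gids, 8, &scanned);
        printf("%s: %d groups found, %d records read\n", users[i], n, scanned);
    }
}
```

Every lookup reads all records whether or not the user is listed anywhere, so with one group per user the cost of each call grows with the number of accounts.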