
Re: DB and password, group files --> use only *.db



[ cc-ed to libc6 maintainer - FYI comments on /var/lib/misc and nscd ] 

On Tue, Jul 13, 1999 at 06:26:15PM +0200, Fabien Salvi wrote:
> It is possible, using the Makefile in /var/db to replace the password
> file by the /var/db/passwd.db (idem for group.db, protocols.db,
> services.db, shadow.db and rpc.db).
>
> It works fine, but how can we directly make user in these db files ?

i don't think that's a good idea. imo you'd be better off setting up
ldap or pam with a postgres/mysql lookup or something if you want all
user auth info in a database, and use glibc's nscd to cache results(*)

the files in /var/db are only meant to provide a hashed db to speed up
login lookups on systems with large passwd files. i.e. /etc/passwd,
/etc/shadow, and /etc/group are the "source" files and the .db versions
are "compiled" for fast access.

on my main mail server, i experimented with wrapping adduser, passwd,
deluser, etc with a script which updated the db after every change. that
worked, but it made adding users in a batch way too slow, about 40-50
seconds of waiting for each username.

i settled on just running the Makefile out of cron every 10 minutes.
downside to this is that new users and password changes may not
"register" for up to 10 minutes. if the change is urgent, just run the
Makefile manually.

e.g. add the following to root's crontab:

*/10  * * * *   cd /var/db ; make >/dev/null 2>&1

btw, that /var/db directory moves around a lot. at first it was
/var/db, then it moved to /var/state/glibc, and now it seems to be at
/var/lib/misc. using debian unstable is at my own risk... i hope it stays
put before potato gets released.


(*) nscd seems to be incompatible with adduser. before adding a new
user, adduser checks to see if the uid or gid already exists. nscd
caches the result of that check (negative-ttl is 20 seconds by default).
when adduser gets to the stage of adding the user to their own group it
isn't able to because the newly created login and group won't be visible
for another 20 seconds.

i'm not sure if this is a bug or not. i think it's more of a "don't do
that, then" - nscd's purpose is to cache nsswitch lookups from remote
systems, and the problem only occurs if you have nscd installed and
still want to add users locally with adduser.

see nscd(1) and /etc/nscd.conf for details.

craig

--
craig sanders


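The cron line in the mail above throws away make's output, so if the rebuild ever fails the old passwd.db stays in place and lookups keep answering from it. The wrapper below is an added example, not part of Craig's message or of glibc; the script name update-db.sh, the DBDIR/SRCDIR variables and the logger tags are choices made here, and the source/db pairs are the ones the mail lists.

```shell
#!/bin/sh
# Added example: a cron wrapper for the glibc /var/db Makefile that keeps
# errors instead of discarding them.  Intended to replace
#   */10 * * * *  cd /var/db ; make >/dev/null 2>&1
# Assumptions (not from the original mail): DBDIR holds the Makefile and
# the compiled *.db files; SRCDIR holds the plain-text sources.

DBDIR="${DBDIR:-/var/db}"
SRCDIR="${SRCDIR:-/etc}"
DBS="passwd group shadow protocols services rpc"

# stale_dbs: print the name of every db whose source is newer than its
# compiled .db (or whose .db is missing).  Returns 0 when all are fresh,
# 1 when at least one is stale.  Sources that do not exist are skipped.
stale_dbs() {
    rc=0
    for name in $DBS; do
        src="$SRCDIR/$name"
        db="$DBDIR/$name.db"
        [ -e "$src" ] || continue
        if [ ! -e "$db" ] || [ "$src" -nt "$db" ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# rebuild_dbs: run the Makefile, keep its output for the log, then verify
# the result.  A silent failure here means a removed account or changed
# password lives on in the .db until someone notices, so both a failed
# make and a still-stale db are reported to syslog.
rebuild_dbs() {
    out=$(cd "$DBDIR" && make 2>&1) || {
        logger -t update-db -p auth.err "make failed in $DBDIR: $out"
        return 1
    }
    stale=$(stale_dbs) || {
        logger -t update-db -p auth.warning "still stale after make: $stale"
        return 1
    }
    return 0
}

# Run the rebuild only when invoked as the script itself (e.g. from cron).
case "$0" in
    */update-db.sh|update-db.sh) rebuild_dbs ;;
esac
```

Point the cron entry at this script instead of at make, and failures show up in the auth log rather than vanishing.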