
Bug#335476: nscd: Caches old IP-address

Yes, please turn off the default persistent caching of hosts (at
least).  I think this should also be done upstream.  It can lead to
lockout of logins in an obscure fashion -- at least it did on Fedora
systems running what appears to be the same version of nscd with the
same defaults, so presumably Debian would be subject to the same

The situation we saw was the following:  the passwd and group
databases are from ldap (with files preferred in nsswitch.conf), and
hosts are from files and dns (in that order), with authentication by
Kerberos.  The LDAP servers were moved, so that `ldap' and `ldap-2'
got different IP addresses.  Over half a day later, it was impossible
to log in to the systems multi-user, except via SSH public keys.
Login gave authentication errors, either permission denied or invalid
password -- I'm not clear why, since Kerberos was functioning OK.  In
this state, logged in via ssh the results of `getent passwd' and `host
ldap' were OK, and there was nothing useful in syslog.  Eventually we
found that killing nscd solved the problem (and restarting it
re-instituted the problem).  Later we found (the undocumented)
/var/db/nscd and zapped it, whereupon login worked again with nscd

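As an added example, not part of the bug report, a POSIX shell check for the setting the report asks to turn off: it reads an nscd.conf, flags a hosts cache that is both enabled and persistent, and emits the corrected configuration. The config text is a constructed sample resembling the defaults described above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): audit nscd.conf for a persistent
# hosts cache, the setting that let stale LDAP server addresses survive an
# nscd restart in the incident described above.

# Constructed sample nscd.conf; not a file from any real system.
SAMPLE_CONF='
# nscd.conf (constructed sample)
	enable-cache		hosts		yes
	positive-time-to-live	hosts		3600
	negative-time-to-live	hosts		20
	persistent		hosts		yes
	shared			hosts		yes
	enable-cache		passwd		yes
	persistent		passwd		yes
'

# Print the value of one nscd.conf directive for one database, ignoring
# comments.  $1 = config text, $2 = directive, $3 = database.
nscd_setting() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk -v d="$2" -v db="$3" '$1 == d && $2 == db { print $3 }'
}

# True when hosts entries are written to the on-disk cache (/var/db/nscd
# in the report) and so outlive a daemon restart.
hosts_cache_persistent() {
    [ "$(nscd_setting "$1" enable-cache hosts)" = yes ] &&
    [ "$(nscd_setting "$1" persistent hosts)" = yes ]
}

# Emit the same config with "persistent hosts yes" turned to "no".  The
# in-memory hosts cache stays, bounded by positive-time-to-live.
disable_persistent_hosts() {
    printf '%s\n' "$1" |
        sed 's/^\([[:space:]]*persistent[[:space:]]\{1,\}hosts[[:space:]]\{1,\}\)yes/\1no/'
}

if hosts_cache_persistent "$SAMPLE_CONF"; then
    echo "persistent hosts cache enabled: stale addresses survive an nscd restart"
fi
FIXED_CONF=$(disable_persistent_hosts "$SAMPLE_CONF")
if hosts_cache_persistent "$FIXED_CONF"; then
    echo "fix failed"
else
    echo "corrected config: hosts cache is no longer persistent"
fi
```

On a running daemon, `nscd -i hosts` invalidates the hosts cache without the stop/remove cycle the report used.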