4aaf05d72e
Some distributions, notably Fedora, have the following order of nsswitch modules by default:

    passwd: sss files
    group: sss files

The advantage of serving local users through SSSD is that the nss_sss module has a fast mmapped-cache that speeds up NSS lookups compared to accessing the disk and opening the files on each NSS request.

Traditionally, this has been done with the help of nscd, but using nscd in parallel with sssd is cumbersome, as both SSSD and nscd use their own independent caching, so using nscd in setups where sssd is also serving users from some remote domain (LDAP, AD, ...) can result in a bit of unpredictability.

More details about why Fedora chose to use sss before files can be found on e.g.:
https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html

Now, even though sssd watches the passwd and group files with the help of inotify, there can still be a small window where someone requests a user or a group, finds that it doesn't exist, adds the entry and checks again. Without some support in shadow-utils that would explicitly drop the sssd caches, the inotify watch can fire a little late, so a combination of commands like this:

    getent passwd user || useradd user; getent passwd user

can result in the second getent passwd not finding the newly added user as the racy behaviour might still return the cached negative hit from the first getent passwd.

This patch more or less copies the already existing support that shadow-utils had for dropping nscd caches, except using the "sss_cache" tool that sssd ships.
18 lines
286 B
C
#ifndef _SSSD_H_
#define _SSSD_H_

/* Bit flags selecting which sssd cache(s) to flush */
#define SSSD_DB_PASSWD 0x001
#define SSSD_DB_GROUP 0x002

/*
 * sssd_flush_cache - flush specified service buffer in sssd cache
 */
#ifdef USE_SSSD
extern int sssd_flush_cache (int dbflags);
#else
/* Built without sssd support: flushing is a no-op that evaluates to 0 */
#define sssd_flush_cache(service) (0)
#endif

#endif
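One way a caller-side flush behind this header could look, as an added example that is not the shadow-utils implementation: it maps the flag bits to the `-U` (users) and `-G` (groups) options of `sss_cache` and runs the tool without a shell. The function names `example_build_opt` and `example_flush_sssd`, the path `/usr/sbin/sss_cache`, and the choice to treat a missing tool as success are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SSSD_DB_PASSWD 0x001   /* same values as the header above */
#define SSSD_DB_GROUP  0x002
#define SSS_CACHE_PATH "/usr/sbin/sss_cache"   /* assumed install path */

/* Build the option string ("-U", "-G" or "-UG") for the requested databases.
 * Returns 0 on success, -1 if no flag or an unknown flag bit is set. */
int example_build_opt(int dbflags, char opt[4])
{
    size_t i = 0;
    if (dbflags == 0 || (dbflags & ~(SSSD_DB_PASSWD | SSSD_DB_GROUP)))
        return -1;
    opt[i++] = '-';
    if (dbflags & SSSD_DB_PASSWD) opt[i++] = 'U';   /* invalidate users */
    if (dbflags & SSSD_DB_GROUP)  opt[i++] = 'G';   /* invalidate groups */
    opt[i] = '\0';
    return 0;
}

/* Run sss_cache directly: fixed absolute path, fixed argv, empty environment.
 * Returns 0 if flushed or if the tool is not installed, -1 on failure. */
int example_flush_sssd(int dbflags)
{
    char opt[4];
    int status;
    pid_t pid;

    if (example_build_opt(dbflags, opt) != 0)
        return -1;
    if (access(SSS_CACHE_PATH, X_OK) != 0)
        return 0;                    /* sssd tools absent: nothing to flush */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "sss_cache", opt, NULL };
        char *const envp[] = { NULL };
        execve(SSS_CACHE_PATH, argv, envp);
        _exit(127);                  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Because tools such as useradd run with root privileges, the child is started with `execve` on an absolute path and an empty environment, so neither `PATH` nor other inherited variables influence which binary is executed.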