I was deleting a user:

# userdel u1
The memcache was not invalidated by nss responder.

But finally the user was deleted.

What does "The memcache was not invalidated by nss responder" mean?

Fedora 34

Thanks
Tags: memcached, nss, sssd, user-management
We're going through this just now. So far as I know there are no file-system drivers for NSS on any Windows platform. In the immediate term we're loading the CIFS stack on our NetWare servers which allows our Windows servers to talk to them without the Novell client crudding up the network stack. Then we're running a series of scripts to migrate trustees.
Loading "TRUSTEE.NLM" on the server will give you a very, very handy rights dump of the assigned trustees on the volume.
trustee /edt save DATA1: sys:/tmp/metadata.log
That'll dump both Trustee and directory-quota data into a log file that you can then perform Rites of Scripting upon. What those scripts are is up to you. Some things you'll need:
NSS rights to NTFS rights. Do note, directory permissions are not the same as file permissions, even though they use the same ACL bits. The translations are icacls options. For instance...
icacls Directory /grant NW-IT-Guys:(rx)
Gives the 'NW-IT-Guys' group the Read/Execute right to that directory, with no inheritance.
icacls Directory /grant NW-IT-Guys:(oi)(ci)(rx)
Does the same, but they'll also be able to read files (oi) and directories (ci) created below that point as well.
This table is meant for those cases where you're not granting [rwemcf] (a.k.a. read/write) or [rf] rights (a.k.a. read) to a directory. For these simple cases, use the (rx) for read, and (m) shortcuts for read/write. For those users who need to be able to make changes to rights, (f) is the shortcut for that. For special directories, such as drop boxes or write-only directories, the above may help figure it out.
Some examples of assigning rights with icacls:
Create an undeletable/moveable directory with modify rights
icacls AcctReports /grant NW-Acct-Techs:(io)(oi)(ci)(m)
icacls AcctReports /grant NW-Acct-Techs:(rx)
(io) means 'inherit only', or only applies to child objects.
Create a standard NSS-style read/write directory
icacls AcctReports /grant NW-Acct-Techs:(oi)(ci)(m)
Create a standard read-only directory
icacls AcctReports /grant NW-Acct-Auditors:(oi)(ci)(rx)
Create a directory containing log files appended to by end users, perhaps application install logs or the like.
icacls AppLogs /grant Everyone:(rx)
icacls AppLogs\FirefoxInstall.Log /grant Everyone:(rx,ad)
If you're like almost every NetWare install I've seen, your volume roots have very few permissions on them and you grant permissions on your top level directories and below. This isn't terribly compatible with Windows, but there are ways to kludge it into working. I'm assuming you're using 'access based enumeration' because that's how NetWare has always done it, and you don't want to shock your users with how many directories there really are out there.
And I'm not even on to ShadowCopies vs. Salvage yet.
The nss-pam-ldapd package allows LDAP directory servers to be used as a primary source of name service information. When I would run 'getent passwd', I would only see the users from the /etc/passwd file. When I started the /etc/init.d/nslcd service and then issued the 'getent passwd' command, I then saw all LDAP users and system users, and the shells were synced.
The service did not start when I installed the nss-pam-ldapd package, so I started it manually, and now everything works like a charm.
Also, the order in /etc/nsswitch.conf was very important:
passwd: files ldap sss
shadow: files ldap sss
group: files sss
Best Answer
When you add or delete a user, in the background the command sss_cache is run to clear the sssd cache. This should normally take less than a second. But if sssd is busy or the system overall is overloaded, it can take much longer to clear the cache. Typically this happens if you are adding or deleting users in large batches. The message is otherwise harmless and you should find that the user was correctly deleted.
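A small verification wrapper in the spirit of the accepted answer, added here as an example and not taken from the thread: it deletes the account, confirms the name no longer resolves through NSS, and flushes that user's sssd cache entry explicitly if a stale answer persists. It assumes Linux with glibc's getent, sssd installed so that sss_cache is on the PATH, and root privileges for userdel; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: Linux with glibc getent,
# sssd installed so sss_cache is on PATH, and root privileges for userdel.

# Return 0 if NAME still resolves through NSS (files, sss, or any other
# source listed on the "passwd" line of /etc/nsswitch.conf), else non-zero.
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Delete NAME and verify it is really gone. The "memcache was not
# invalidated" message means the background sss_cache call did not finish
# in time, so the sssd fast cache may still answer for the name: flush that
# one entry explicitly and check again.
# Exit codes: 0 removed and no longer resolvable, 1 userdel failed,
# 2 still resolvable even after the flush (investigate before moving on).
delete_and_verify() {
    name="$1"
    userdel "$name" || return 1
    if user_resolves "$name"; then
        echo "$name still resolves after userdel; flushing sssd cache entry" >&2
        sss_cache -u "$name"
        if user_resolves "$name"; then
            echo "$name still resolvable; check the passwd line in /etc/nsswitch.conf and the sssd logs" >&2
            return 2
        fi
    fi
    return 0
}

# Usage (as root): sh this_script.sh u1
if [ -n "$1" ]; then
    delete_and_verify "$1"
fi
```

If many accounts are removed in one batch, running `sss_cache -E` once at the end is an alternative to flushing per user.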