NSS library for ncpfs

A name switching service to extent local user's database with NDS accounts

Purpose:

In our environnment, Linux accounts are authenticated using the PAM_NCP authentification module and have their Unix home on Linux NFS servers. Home directories are automatically created by Perl scripts ( see for example the option -F of nds2pwd.pl) This requires that users have the very same Unix ID on every workstation and that ID matches the ID used on the NFS servers when creating the home directory.

Our current solution is to use the PAM module in " NDS required mode "(option -u,,r,gcds ) with eventual creation of local account (-a) but not of the home directory that must exist on the NFS server ( -n -l) and to keep in the Location attribute of NDS the two critical informations (U:UnixID and H:/path/to/linux/home)

To speed up "automagic account creation", all workstations runs within daily cron the script nds2pwd.pl to keep the user local database in sync with NDS; so the PAM module will only autocreate the new accounts of the day.

A much better solution would be to have a Name Switch Service library the will automatically append NDS accounts (under the standard Unix format) to local accounts, like nss_ldap or nss_nis do .This library do exists with the official Novell Netware client for Linux (with eDirectory) , but is not available with the previous version of NDS we are still running here.

This contribution is a beta version of such a service. We use it here on the Linux NFS servers for homes and and some Web Servers but not yet on every client workstation (see the TODO section).

Like the PAM module it honors the official NDS8 Unix attributes if present in NDS schema, else it searchs for Unix data in user's L (Location) attribute.

Requirements:

ncpfs version 2.2 installed and operational (slist) on the Linux box.

Usage:

unpack the tgz in the contrib directory of your current ncpfs distribution
cd to contrib/ncp_nss and run make
Copy the two files libnss_ncp.so and libnss_ncp.so.2 in /usr/lib ( or in your place for others libnss_* libraries).
Copy the file ncpfs.conf to /etc ( or append to it the [ncp_nss] section if one exists already )

Edit the [ncp_nss] section to match your needs:

[ncp_nss]
useTree=1	May be 1 to specify that server is a NDS tree name or 0. In that case server is a Netware server name
server=INSA_ROOT	a NDS tree name (if useTree=1) or a servername if useTree=0 can also be a ncpfs permament mount point such as /mnt/server/parh . In that case useTree is ignored.
startCtx=	Context to start searching (default=empty = [Root] context)
ctrlGroup=	NDS group to limit search to (default=empty) all users with NDS8 UNIX:UID attribute or U:nnnn Location property will be processed
the three following switches were added to avoid direct editing of /etc/nsswitch.conf file and restarting the nscd daemon.
doPasswd=1	process passwd requests
doShadow=1	process shadow requests
doGroup=1	process group request (can really slow down getgrpxxx calls with big NDS groups
defGid=100	If no UNIX:GID attribute or G:nnnn found for that user, use this value for Unix primary GID
defShell=/bin/bash	If no UNIX:SHELL attribute or S:/path/to/shell found for that user, use this value
debug=1	Fill /var/log/secure with a lot of messages
fallbackUid=-1	If user has no Unix uid property, default behaviour (fallbackUid=-1) is to skip it. If changed to another value, (between 100 and 65534) all users with no Unix ID property in NDs will have this fallback value
fallbackGid=-1	If group has no Unix gid property, default behaviour (fallbackGid=-1) is to skip it. If changed to another value, (between 100 and 65534) all groups with no Unix ID property in NDs will have this fallback value

Run the test program tesnssncp with -U option ( show all users); you should get the list of all NDS users having a Unix ID set in NDS in the standard /etc/passwd format.

You can also investigate with some other options of this test program:

-h             Print this help text
-u id          Unix User passwd info to search by uid in NDS
-n login        Unix User passwd infos to search by name in NDS
-s login        Unix User shadow infos to search by name in NDS
-i grpid       Unix  group to search by gid in NDS
-g grpname      Unix group to search by name in NDS
-m login       Get Unix groups of user login
-U              all Unix users to search in NDS
-G              all Unix groups to search in NDS
-S              all Unix shadows to search in NDS
-D              verbose mode (fill /var/log/secure && screen)
Others options (-T... are deprecated and not functional ( were used in the alpha version)

When satisfied, edit /etc/nsswitch.conf by inserting ncp after files in passwd, shadow and group lines. We do not process other requests (hosts, ethers, rpc ...)
```
passwd:     files ncp ldap
shadow:     files ncp ldap
group:      files ncp ldap
```
and restart your nscd daemon.
Finally , turn off debug in /etc/ncpfs.conf ( no need to restart nscd when editing this file).

Some real life examples:

[root@prope ncp_nss_lib]#getent passwd should give you all local accounts, then, all NDS Unix enabled accounts (if doPasswd=1 in /etc/ncpfs.conf) and maybe all your LDAP accounts

[root@prope ncp_nss_lib]#getent shadow should give you all local accounts, then, all NDS Unix enabled accounts (if doShadow=1 in /etc/ncpfs.conf) and maybe all your LDAP accounts Please note that NDS password is not retrieved (it cannot be) so the PAM module is still needed for authentification. We do want central password managment and Single-Sign-On, do we ?

[root@prope ncp_nss_lib]#getent group should give you all local groups, then, all NDS Unix enabled groups [having a G:nnnn in NDS location attribute and eventually a Unix alias as N:unixGroupName ] (if doGroup=1 in /etc/ncpfs.conf) and maybe all your LDAP groups

[root@prope ncp_nss_lib]# getent passwd jdupond. No answer such user does not exist in NDS

[root@prope ncp_nss_lib]# getent passwd edvorakova ->edvorakova:x:11029:100:Eva Dvorakova:/cipc/eurinsa/2020931:/bin/bash

[root@prope ncp_nss_lib]# getent shadow edvorakova ->edvorakova:!!:12106:90:90:6:12340:12262:

Download:

NSS NCP library

History:

       1.00    2003, January 06        Patrick Pollet 
                initial release
        1.01    2003, January 08        Patrick Pollet 
                added conf structure and control group
                added optional fallback UID and GID if none found in NDS (default is to skip user,group)
        1.02    2003, January 09        Patrick Pollet 
                added initgroups
        1.03    2003, January 10        Patrick Pollet 
                fixed bug in nds_user_info2 (bad structure received by nds_user_location2)
        1.04    2003, January 11        Patrick Pollet 
                fixed setting ndsXXX=NULL trees in case of errors in _nss_ncp_setxxent()
                made always NAME_CONTEXT=[Root] in CreateContextAndConn
                calling NWCCloseIteration only it some errors has occured in the search
        1.05    2003, January 15        Patrick Pollet 
                -Avoid multiple reading of conf file by removing recursive calls
                in nss_ncp_getxxent_r in case a entry has no Unix infos in NDS
                (replaced by a goto nextuser)
                -Added missing free_nw_xxx_info when leaving nss_ncp_getxxent_r (fixed memory leaks)
                -Added testing for failure in allocating tree structure in nss_ncp_setxxent_r
                -if (id !=(uid_t)-1)  and not if (id) in getentxx if we search by UID !!!!
                -getentbyxx give a warning in syslog if more that one entry match the name or id search criteria
        1.06    2003, January 16        Patrick Pollet 
                -implemented reading of configuration file in /etc/nss_ncp.conf
                -in case of fatal errors, force log in syslog by using calls to traceForce ( previously fatal
                errors were only reported in debug mode, since the syslog file is not opened in normal mode)
        1.07    2003, January 16        Patrick Pollet 
                Speed up the search:
                        1)config informations are stored in the internal trees structures
                        when calling nss_ncp_setxxent_r and freed by nss_ncp_endxxent_r
                        so we don't read again config file at every call to nss_ncp_getxxent_r
                        2) group infos are really slow with big groups,so we added a flag doGroup in conf file
                        to skip the search (easier that to edit /etc/nsswitch.conf AND restarting nscd daemon).

TODO:

make the Makefile a real one. Currently 'make install' is broken and installation is still" manual".
speed up group searching with many accounts (>1000) by using cache (?) Currently the nsswitch library when calling external libraries such as libnss_ncp send them first a 1024 buffer to fill; if output is too big, the external library sends back NSS_STATUS_TRYAGAIN and will be called again with the buffer size augmented by 1024, ... and again and again until buffer size is good enough. Currently, with a 2000 users NDS group, a 32000 buffer is finally needed so the nss_ncp library is called at least 10 times. AND every time, it scans NDS. This explains to lengthy processing of groups. Some caching mechanism should be implemented for groups.
In other nss_lib we have studied we have noticed extensive usage of threads and mutex.. May be this would be the solution to speed up the group searching (??)
Debug mode is really too "talkative" especially for groups :one query getent group xxxx give 7Mo of output with a 1800 members group since this library is called at least 10 times!!!

Vous êtes notre eme visiteur