On Thu, 2020-11-05 at 07:58 -0500, Nico Kadel-Garcia wrote:
> On Thu, Nov 5, 2020 at 6:39 AM Petr Menšík <pemen...@redhat.com> wrote:
> > No, no, NO again.
> > 
> > nscd has no important active bugs in Fedora. I am not sure what bugs are
> > mentioned, but just a few active bugs are on glibc component in Fedora.
> > Therefore it seems just fine no commits are good.
> > 
> > Just unlike systemd-resolved, which actively breaks some use cases. It
> > changes resolution order of search directive in resolv.conf, breaks
> > DNSSEC, breaks one label names resolution. It is famous among DNS
> > community [1].
> 
> sssd also breaks other LDAP setups. It's extremely broken with larger
> LDAP setups because it insists on caching *ALL* of the LDAP, barring
> being able to filter to only a smaller set of the LDAP. 

Sorry but this is simply not true, you can apply filters to reduce the
set to what you want.

> But because so
> many LDAP setups scatter group and user information in so many
> distinct parts of the LDAP layout, this never works and it *ALWAYS*
> times out in large, remote LDAP setups. It works for a few seconds at
> start time, then crashes and takes out *all* sssd based services.
> 
> The sophisticated setups available by hand-editing sssd are also
> *inevitably* overwritten by any use of the 'authconfig' command, which
> is used by various RPM '%post' operations. sssd's configuration
> options are so poor that they may as well be malicious. It is most
> effective in small and unsophisticated network environments. It
> suffers from the "systemd" style, sprawling universal management tool
> design principles and makes many straightforward operations very
> difficult if not impossible.

Open bugs please.

> nscd is a lightweight and *far* more stable tool, and should be used
> in preference to sssd wherever possible. An independent LDAP and Kerberos
> toolkit is *far* more stable than sssd.

It is also a very crude tool that fails in different scenarios.

If NSCD was a good caching tool I would not have had the need to invent
SSSD in the first place.

nscd has extremely bad failure modes that make it completely unusable
for example for a laptop, or a server that can be disconnected from the
mothership for more than a network blip. SSSD can handle long
disconnection times instead as it has an offline mode concept.

Nothing is perfect, but NSCD is far from good as well.

> > Instead, I request again, split systemd-resolved into subpackage. I want
> > it removed on my system and so do more people. Also, when I disable it,
> > I have to fix /etc/resolv.conf by hand. I would think NetworkManager
> > restart would refresh classic /etc/resolv.conf, like in F32.
> 
> That's a separate issue. Maybe start a separate thread about that?
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc


