From: Picnoir
To: Ludovic Courtès
Cc: guix-devel@gnu.org, flokli@flokli.de
Subject: Re: Supporting sssd, preparing for nscd sunset
Date: Tue, 05 Mar 2024 13:34:12 +0100
Message-ID: <87a5nc26yj.fsf@alternativebit.fr>
In-Reply-To: <874jdldn8y.fsf@inria.fr>

Hi Ludo, Guix,

> Can you confirm nsncd can load and run popular NSS plugins like
> nss-mdns and sss?

Nss-mdns works fine on IPv4. It won't work on IPv6 link-local
addresses, but that's due to the Nscd protocol issue I was talking
about in the previous email.

I did not test sss but I'd assume it to be working. Maybe Flokli did
test that?

The only known regression we're aware of is related to the Google
OSLogin PAM module, a module used by gcloud guests to retrieve the
user accounts metadata. See
https://github.com/NixOS/nixpkgs/issues/218813. I **think** it comes
from the fact we're not "crashing" Nsncd properly when a PAM module is
segfaulting. I personally do not use Google Cloud, so I confess I did
dig too deep into that issue.

Aside from that, we're not aware of any other regressions. We migrated
from Nscd to Nsncd 2 NixOS stable versions ago, meaning Nsncd has
already been quite battle-tested in the wild by now.

> One option that could also be considered, instead of changing the nscd
> protocol, would be to have the glibc client stubs implement the sssd
> protocol directly, given that sssd seems to have taken the role of
> nscd-without-caching.
>
> It’s certainly more work but a possibility to keep in mind while
> discussing with upstream.

I had a look at the sssd protocol, it seems to be string-based, which
from my perspective is a better approach than the Nscd one. The
protocol also properly supports IPv6 link-local addresses scope ids.

As you said, it's quite some effort. I personally can't commit to
doing such a re-implementation in the near future.

+1 about sending a summary to the glibc ML.

Picnoir