diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index bade93c0984..9405bf063d5 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -245,6 +245,65 @@
options.
+
+
+ The nscd service now disables all caching of
+ passwd and group databases by
+ default. This was interferring with the correct functioning of the
+ libnss_systemd.so module which is used by
+ systemd to manage uids and usernames in the presence of
+ DynamicUser= in systemd services. This was already the
+ default behaviour in presence of services.sssd.enable =
+ true because nscd caching would interfere with
+ sssd in unpredictable ways as well. Because we're
+ using nscd not for caching, but for convincing glibc to find NSS modules
+ in the nix store instead of an absolute path, we have decided to disable
+ caching globally now, as it's usually not the behaviour the user wants and
+ can lead to surprising behaviour. Furthermore, negative caching of host
+ lookups is also disabled now by default. This should fix the issue of dns
+ lookups failing in the presence of an unreliable network.
+
+
+ If the old behaviour is desired, this can be restored by setting
+ the services.nscd.config option
+ with the desired caching parameters.
+
+ services.nscd.config =
+ ''
+ server-user nscd
+ threads 1
+ paranoia no
+ debug-level 0
+
+ enable-cache passwd yes
+ positive-time-to-live passwd 600
+ negative-time-to-live passwd 20
+ suggested-size passwd 211
+ check-files passwd yes
+ persistent passwd no
+ shared passwd yes
+
+ enable-cache group yes
+ positive-time-to-live group 3600
+ negative-time-to-live group 60
+ suggested-size group 211
+ check-files group yes
+ persistent group no
+ shared group yes
+
+ enable-cache hosts yes
+ positive-time-to-live hosts 600
+ negative-time-to-live hosts 5
+ suggested-size hosts 211
+ check-files hosts yes
+ persistent hosts no
+ shared hosts yes
+ '';
+
+ See #50316
+ for details.
+
+
GitLab Shell previously used the nix store paths for the
diff --git a/nixos/modules/services/misc/nscd-sssd.conf b/nixos/modules/services/misc/nscd-sssd.conf
deleted file mode 100644
index 92380f3e4ba..00000000000
--- a/nixos/modules/services/misc/nscd-sssd.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-server-user nscd
-threads 1
-paranoia no
-debug-level 0
-
-enable-cache passwd yes
-positive-time-to-live passwd 0
-negative-time-to-live passwd 0
-suggested-size passwd 211
-check-files passwd yes
-persistent passwd no
-shared passwd yes
-
-enable-cache group yes
-positive-time-to-live group 0
-negative-time-to-live group 0
-suggested-size group 211
-check-files group yes
-persistent group no
-shared group yes
-
-enable-cache hosts yes
-positive-time-to-live hosts 600
-negative-time-to-live hosts 5
-suggested-size hosts 211
-check-files hosts yes
-persistent hosts no
-shared hosts yes
-
-enable-cache services yes
-positive-time-to-live services 0
-negative-time-to-live services 0
-suggested-size services 211
-check-files services yes
-persistent services no
-shared services yes
diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix
index e818f4a4804..fe472a6c68e 100644
--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@@ -75,7 +75,6 @@ in {
};
system.nssModules = optional cfg.enable pkgs.sssd;
- services.nscd.config = builtins.readFile ./nscd-sssd.conf;
services.dbus.packages = [ pkgs.sssd ];
})
diff --git a/nixos/modules/services/system/nscd.conf b/nixos/modules/services/system/nscd.conf
index 6d0dcacf977..603a5d01acc 100644
--- a/nixos/modules/services/system/nscd.conf
+++ b/nixos/modules/services/system/nscd.conf
@@ -1,28 +1,52 @@
+# We basically use nscd as a proxy for forwarding nss requests to appropriate
+# nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory
+# containing all such modules
+# Note that we can not use `enable-cache no` As this will actually cause nscd
+# to just reject the nss requests it receives, which then causes glibc to
+# fallback to trying to handle the request by itself. Which won't work as glibc
+# is not aware of the path in which the nss modules live. As a workaround, we
+# have `enable-cache yes` with an explicit ttl of 0
server-user nscd
threads 1
paranoia no
debug-level 0
enable-cache passwd yes
-positive-time-to-live passwd 600
-negative-time-to-live passwd 20
+positive-time-to-live passwd 0
+negative-time-to-live passwd 0
suggested-size passwd 211
check-files passwd yes
persistent passwd no
shared passwd yes
enable-cache group yes
-positive-time-to-live group 3600
-negative-time-to-live group 60
+positive-time-to-live group 0
+negative-time-to-live group 0
suggested-size group 211
check-files group yes
persistent group no
shared group yes
+enable-cache netgroup yes
+positive-time-to-live netgroup 0
+negative-time-to-live netgroup 0
+suggested-size netgroup 211
+check-files netgroup yes
+persistent netgroup no
+shared netgroup yes
+
enable-cache hosts yes
positive-time-to-live hosts 600
-negative-time-to-live hosts 5
+negative-time-to-live hosts 0
suggested-size hosts 211
check-files hosts yes
persistent hosts no
shared hosts yes
+
+enable-cache services yes
+positive-time-to-live services 0
+negative-time-to-live services 0
+suggested-size services 211
+check-files services yes
+persistent services no
+shared services yes
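Review bot: The header comment says the workaround is `enable-cache yes` with an explicit TTL of 0, but the hosts database keeps `positive-time-to-live hosts 600`, so the comment does not describe the file it is introduced into. As far as I know nscd's hosts cache does not honour the TTLs in DNS answers, only this configured value, so positive host results can be served for up to ten minutes after the record changes (e.g. a failover) — the same class of surprise the commit removes for the other databases. If the 600 s positive TTL is intentional (the release-notes hunk only promises to drop negative host caching), state the exception next to the rule, e.g. `# hosts is the one database we still cache for real (positive TTL 600); nscd ignores DNS TTLs, so keep this value short.`; otherwise set `positive-time-to-live hosts 0` for consistency with the rest of the file.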
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index 65aa553b314..4d470126abe 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -56,6 +56,11 @@ import ./make-test.nix {
$machine->succeed('test -z $(ls -1 /var/log/journal)');
};
+ # Regression test for https://github.com/NixOS/nixpkgs/issues/50273
+ subtest "DynamicUser actually allocates a user", sub {
+ $machine->succeed('systemd-run --pty --property=Type=oneshot --property=DynamicUser=yes --property=User=iamatest whoami | grep iamatest');
+ };
+
# Regression test for https://github.com/NixOS/nixpkgs/issues/35268
subtest "file system with x-initrd.mount is not unmounted", sub {
$machine->shutdown;