Yes, please turn off the default persistent caching of hosts (at least). I think this should also be done upstream. It can lead to lockout of logins in an obscure fashion -- at least it did on Fedora systems running what appears to be the same version of nscd with the same defaults, so presumably Debian would be subject to the same lossage.
The situation we saw was the following: the passwd and group databases are from ldap (with files preferred in nsswitch.conf), and hosts are from files and dns (in that order), with authentication by Kerberos. The LDAP servers were moved, so that `ldap' and `ldap-2' got different IP addresses. Over half a day later, it was impossible to log in to the systems multi-user, except via SSH public keys. Login gave authentication errors, either permission denied or invalid password -- I'm not clear why, since Kerberos was functioning OK. In this state, logged in via ssh the results of `getent passwd' and `host ldap' were OK, and there was nothing useful in syslog. Eventually we found that killing nscd solved the problem (and restarting it re-instituted the problem). Later we found (the undocumented) /var/db/nscd and zapped it, whereupon login worked again with nscd running.
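
A check for the setting discussed in this message, as an added example that is not part of the original post or of nscd itself: it parses nscd.conf text and lists the databases whose cache is both enabled and kept across restarts. The sample configuration is constructed and the function names are hypothetical.

```python
"""Audit nscd.conf text for caches that survive an nscd restart (added example)."""
import sys

# Constructed sample in nscd.conf syntax; not copied from any distribution.
SAMPLE_CONF = """\
# constructed sample
logfile                 /var/log/nscd.log
enable-cache            passwd   yes
persistent              passwd   yes
enable-cache            group    yes
persistent              group    no
enable-cache            hosts    yes
positive-time-to-live   hosts    3600
persistent              hosts    yes   # stale addresses outlive a restart
enable-cache            services no
persistent              services yes
"""


def parse_nscd_conf(text):
    """Return {database: {option: value}} for the per-database options."""
    dbs = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # Per-database lines have three fields: option, database, value.
        # Global options (logfile, threads, ...) have two and are skipped.
        if len(fields) == 3:
            option, db, value = fields
            dbs.setdefault(db, {})[option] = value.lower()
    return dbs


def persistent_caches(text):
    """Databases whose cache is enabled and also marked persistent."""
    return sorted(
        db
        for db, opts in parse_nscd_conf(text).items()
        if opts.get("enable-cache") == "yes" and opts.get("persistent") == "yes"
    )


if __name__ == "__main__":
    # Pass a path to a real nscd.conf, or run with no argument for the sample.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for db in persistent_caches(conf):
        ttl = parse_nscd_conf(conf)[db].get("positive-time-to-live", "unset")
        print(f"{db}: cache persists across restarts (positive TTL {ttl}s)")
```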