krb5 + nss_ldap + nscd + Windows AD 2003 Failover Concern

JackyC@umac.mo
Tue Nov 11 04:00:37 EST 2008


>> You don't need admin server for normal operation. Just KDC, which allows multiple entries.

Oh yep, I have set two KDCs, one of which is the admin server; when the admin server is down, non-cached users cannot log in or even kinit.

>> Only if the flag to change password on next login is enabled on AD and is honoured by pam-krb5 is the absence of extra admin servers a problem.

What exactly do you mean: pam_krb5 will not allow a password change on next login when the admin server is down?

>> I think the problem you have is that nscd/nss-ldap allows a single ldap server to query. If the configured one is down, only users already cached are known to the system.

Actually, I set two ldap servers in /etc/ldap.conf; I tried taking down the slave Kerberos server, which is ldap server No.2 in /etc/ldap.conf. With nscd running, failover for non-cached users works. But if it is the master Kerberos server that is down, non-cached users cannot log in by su or ssh.

>> It should be noticed that, if I'm right, all the users returned by getent passwd should be able to login (if they match some principal, obviously), and it appears not to be your case.

Thank you very much!

Yours Sincerely,
Jacky, Hoi Kei Chan,
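The failure pattern described in the thread (failover works when the slave goes down, but not when the master goes down) is what you get when one host carries the master KDC, the admin server and the first LDAP server at once. The following is an added example, not code from the thread or from any of the projects named: it parses a krb5.conf realm stanza and an nss_ldap /etc/ldap.conf and reports every host that holds more than one role, so the shared failure point is visible before an outage. Hostnames and the realm are constructed placeholders.

```python
"""Audit which hosts carry both Kerberos and LDAP roles (added example)."""
import re
from collections import defaultdict

# Constructed sample files mirroring the two-KDC / two-LDAP layout in the thread.
KRB5_CONF = """\
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        kdc = kdc2.example.org
        admin_server = kdc1.example.org
    }
"""
LDAP_CONF = """\
uri ldap://kdc1.example.org ldap://kdc2.example.org
base dc=example,dc=org
bind_policy soft
"""

def parse_krb5_realm(text, realm):
    """Return (kdcs, admin_servers) listed for realm in a krb5.conf [realms] stanza."""
    kdcs, admins = [], []
    in_realm = False
    for line in text.splitlines():
        s = line.strip()
        if re.match(rf"{re.escape(realm)}\s*=\s*\{{", s):
            in_realm = True
            continue
        if in_realm and s == "}":
            break
        if in_realm:
            m = re.match(r"(kdc|admin_server)\s*=\s*(\S+)", s)
            if m:
                host = m.group(2).split(":")[0]  # drop an optional :port
                (kdcs if m.group(1) == "kdc" else admins).append(host)
    return kdcs, admins

def parse_ldap_servers(text):
    """Return LDAP hosts from nss_ldap's uri/host directives, in configured order."""
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("uri", "host"):
            continue
        for item in parts[1:]:
            hosts.append(re.sub(r"^ldaps?://", "", item).split("/")[0].split(":")[0])
    return hosts

def shared_roles(kdcs, admins, ldap_hosts):
    """Map each host to its roles; any host with more than one role is a shared failure point."""
    roles = defaultdict(set)
    for h in kdcs: roles[h].add("kdc")
    for h in admins: roles[h].add("admin_server")
    for h in ldap_hosts: roles[h].add("ldap")
    return {h: sorted(r) for h, r in roles.items() if len(r) > 1}
```

Run it against the real files by reading them into KRB5_CONF and LDAP_CONF; the host that shows up with all three roles is the one whose outage takes out kinit and non-cached nss lookups together.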
