krb5 + nss_ldap + nscd + Windows AD 2003 Failover Concern

Douglas E. Engert deengert at anl.gov
Tue Nov 11 12:10:43 EST 2008



Jacky Chan wrote:
> Dear all,
> 
> I have the subjected components configured to have single sign on in Linux
> box against W2K3 AD.
> In which, 3 W2K3 AD handling the authentication and name service. Linux box
> is ldap and nss client in such case.
> 
> I have a concern about the failover behaviour when the W2K3 AD master Kerberos
> server is failed over.
> And I have done the following tests already,
> 
> If the master Kerberos server is down,
>    # An already cached user (probably by nscd), can be login by su or ssh
>       And the new password changed in the Kerberos server which is taken
> over by the slave server takes effect.
> 
>    # A non-cached user, though, cannot even login by su or ssh, finally
> ended up with user doesn't exist.

Sounds like either AD is not replicating, or not replicating fast enough
for your tests. Or your krb5.conf is not pointing at all the DCs. It could
also be that nscd has cached the negative response for some time, but not as
long as it would a positive response.

Is your nss_ldap configured to use multiple DCs?

>       Some users of this kind can issue kinit, but some cannot.
>       I tried getent passwd, it gives me all the users in AD with UNIX
> attributes, even for those who ended up with "user doesn't exist" in su or ssh.
> 
> I am wondering, if krb5.conf can only specify one admin_server (master
> Kerberos server), how does it handle the failover situation when this master
> server is down? Has anyone out there tried this approach and has a similar
> concern? Let's share and discuss.

AD does not have the master/slave concept, so you can point the admin_server
at any one of them. MIT 1.6.3 looks like it might find more than one
admin_server, so try it out specifying all your DCs.

> 
> Thank you very much.
> 
> Best,
> Jacky

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
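An added example, not from the original thread, of what "point the client at all the DCs" looks like on the Linux side (realm, hostnames and base DN are placeholders; listing several admin_server/kpasswd_server lines assumes the krb5 release accepts more than one):

```ini
# /etc/krb5.conf (constructed example; realm and hostnames are placeholders)
[libdefaults]
    default_realm = EXAMPLE.COM
    # Also discover KDCs from the _kerberos._tcp SRV records AD publishes,
    # in addition to the explicit list below.
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        # Every DC is a KDC; the client moves to the next one when one is down.
        kdc = dc1.example.com
        kdc = dc2.example.com
        kdc = dc3.example.com
        # AD has no master KDC, so any DC can serve admin and password changes.
        # Several entries are given on the assumption that this krb5 release
        # accepts more than one admin_server / kpasswd_server.
        admin_server = dc1.example.com
        admin_server = dc2.example.com
        admin_server = dc3.example.com
        kpasswd_server = dc1.example.com
        kpasswd_server = dc2.example.com
        kpasswd_server = dc3.example.com
    }

# /etc/ldap.conf for nss_ldap: list every DC so name-service lookups fail over
uri ldap://dc1.example.com ldap://dc2.example.com ldap://dc3.example.com
base dc=example,dc=com
# soft bind policy: do not block logins indefinitely when a DC is unreachable
bind_policy soft
bind_timelimit 5
timelimit 10

# /etc/nscd.conf: keep negative answers ("user doesn't exist") short-lived,
# so a miss returned while a DC was down does not linger once it recovers
negative-time-to-live passwd 20
positive-time-to-live passwd 600
negative-time-to-live group 20
```

After changing these, restart nscd (or `nscd -i passwd`) so stale negative entries from the outage are discarded.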



More information about the Kerberos mailing list