Inittab launching K5start too soon
Jaap Winius
jwinius at umrk.nl
Fri May 13 10:55:50 EDT 2011

Quoting Russ Allbery <rra at stanford.edu>:
> I was thinking of NFS mounts with system credentials, where you have to
> get the ordering between the network, k5start, and the NFS mount correct.
> But it sounds like I was borrowing trouble you don't have. :)

Having installed libnss-ldapd and nslcd on a dozen workstations, I now
have some actual experience with it. At first I modified
/etc/init.d/nscd to make sure it started up after nslcd, but later I
decided that wasn't necessary. I also started out thinking that it was
better to run nslcd as root.root to ensure that the credentials cache
file would have the same ownership and group, but that also turned out
to be unnecessary; the default (nslcd.nslcd) is fine.

The worst problem I had was with the "allow-hotplug" setting in
/etc/network/interfaces, which IIRC has been the default for Debian
since lenny. This delays the startup of the network interface until
after nslcd has started, causing k5start to fail to obtain a TGT. The
fix is to change "allow-hotplug" to "auto", which is the old Debian
default.

The only gripe I have now is with nslcd: it comes with a DNS lookup
option that I would very much prefer to use, but that doesn't work
reliably (I'll file a bug report).

Other than that, the users were very happy this morning with the new
configuration with no reports of any of the previous bootup/login
problems associated with libnss-ldap.

Thanks, Russ!

Cheers,
Jaap
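
Added example, not part of the original message: a shell check for the "allow-hotplug" condition described above, listing interfaces in an ifupdown interfaces file that are marked "allow-hotplug" without also being marked "auto". The function name, the sample file and the interface names (eth0, eth1) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report interfaces that are started only via "allow-hotplug".
# The message above reports that such an interface came up after nslcd had
# started, so k5start could not obtain a TGT; switching to "auto" fixed it.

hotplug_only_ifaces() {
    # Default path is the Debian ifupdown configuration named in the message.
    file="${1:-/etc/network/interfaces}"
    awk '
        # interfaces(5): lines starting with "#" are comments.
        /^#/    { next }
        NF == 0 { next }
        # "auto" and "allow-auto" are synonyms in ifupdown.
        $1 == "auto" || $1 == "allow-auto" {
            for (i = 2; i <= NF; i++) auto[$i] = 1
        }
        $1 == "allow-hotplug" {
            for (i = 2; i <= NF; i++) hot[$i] = 1
        }
        END {
            # Print every hotplug interface that has no "auto" marking.
            for (name in hot)
                if (!(name in auto)) print name
        }
    ' "$file" | sort
}

# Constructed sample file (interface names are examples, not from the message).
sample=$(mktemp)
cat > "$sample" <<'EOF'
auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet dhcp

auto eth1
allow-hotplug eth1
iface eth1 inet dhcp
EOF

hotplug_only_ifaces "$sample"   # eth0 is the only hotplug-only interface
rm -f "$sample"
```

Run with no argument on a workstation to check /etc/network/interfaces itself; empty output means no interface depends on hotplug alone.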