Not strictly limited to Kerberos - long login delays when system is offline

Darek M fafaforza at gmail.com
Fri Aug 10 23:26:24 EDT 2012


Hi there, I'm sorry that this won't be strictly limited to Kerberos.

I have an MIT/OpenLDAP setup running in a FreeBSD environment where
nss_ldap provides user data and Kerberos the authentication.

The problem is that when the system goes offline (as it can easily
happen), logging in becomes near impossible.  It takes 5 minutes on a
console login for LDAP lookups to time out (between DNS lookup
retries, nss retries, timeouts, etc).  The same delay occurs even for
a local user, though it appears to me that the system is looking up
file ownership, environment, etc, because a successful root login is
immediately logged, but getting a term prompt is still delayed.

If I remove LDAP from nsswitch.conf, the system obviously has no info
on the user and login fails when trying GSSAPI in OpenSSH alone.

What are you guys doing not to make your systems unusable when LDAP is
unavailable?  Are you bypassing it entirely and using Kerberos only
somehow?  Are you making use of NSCD or SSSD to cache LDAP data?
Would the cache survive a reboot?

-- 
Darek
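For reference, the retry and timeout knobs behind the delay described above are set in the nss_ldap client configuration; the fragment below is an added illustration, not something from the thread, using PADL nss_ldap option names (the FreeBSD port path, the server URI and the base DN are assumed placeholders):

```conf
# /etc/nsswitch.conf (assumed FreeBSD layout): consult local files before
# LDAP so local and root accounts resolve without touching the directory.
passwd: files ldap
group:  files ldap

# /usr/local/etc/nss_ldap.conf (path assumed for the FreeBSD port).
# Permissive settings, shown as the documented nss_ldap defaults: a "hard"
# bind policy keeps reconnecting, and the retry back-off (5 tries, 4 s
# doubling up to 64 s) plus a 30 s connect limit is applied per lookup,
# which is what stacks up to minutes per login while the server is down.
#bind_policy hard
#bind_timelimit 30
#nss_reconnect_tries 5
#nss_reconnect_sleeptime 4
#nss_reconnect_maxsleeptime 64

# Fail-fast settings: return an error quickly when the directory is
# unreachable so that files-based accounts still log in promptly.
uri ldap://ldap.example.org/
base dc=example,dc=org
# soft: give up and report failure instead of retrying indefinitely
bind_policy soft
# seconds to wait for a connection and for a search result, respectively
bind_timelimit 5
timelimit 5
# bound the reconnect loop to a single short attempt
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 1
nss_reconnect_maxconntries 1
# local accounts that must never trigger an LDAP initgroups lookup
nss_initgroups_ignoreusers root
```

With these bounds in place, the remaining wait on an offline system is roughly one connect attempt per NSS call rather than the full retry schedule; nscd or SSSD on top of this would additionally serve cached entries, but that is a separate mechanism.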


More information about the Kerberos mailing list