Not strictly limited to Kerberos - long login delays when system is offline

Tom Parker tparker at cbnco.com
Fri Aug 10 23:43:44 EDT 2012 

Hi Derek.

What I have done is set shorter timeouts in my resolv.conf file

options timeout:1
options attempts:2

and set my LDAP bind timelimits to 3 seconds in /etc/ldap.conf

# Search timelimit
timelimit 3

# Bind/connect timelimit
bind_timelimit 3

I figure that if I can't contact an LDAP server in 3 seconds I am never
going to be able to.  I also have told LDAP to ingore group lookups for
system users by setting nss_initgroups_ignoreusers to the common system
account that I do not have in LDAP. 

# returns NOTFOUND if nss_ldap's initgroups() is called
# for users specified in nss_initgroups_ignoreusers
# (comma separated)
nss_initgroups_ignoreusers
root,ldap,postfix,wwwrun,nobody,man,postgres,rsyncguy,tomcat

The last thing I have done is set my default realm in /etc/krb5.conf
instead of doing a DNS lookup for it. 

[libdefaults]
        default_realm = WI.LS.CBN

All of these changes means that on a system that normally uses Kerberos
for Authentication and LDAP for Authorization I can get logged in as
root (or any other local user) in about 15 seconds even if the whole
network is down and I have no services running.

Hope this helps.

Tom


On 08/10/2012 11:26 PM, Darek M wrote:
> Hi there, I'm sorry that this won't be strictly limited to Kerberos.
>
> I have an MIT/OpenLDAP set up running in a FreeBSD environment where
> nss_ldap provides user data and kerberos the authentication.
>
> The problem is that when the system goes offline (as it can easily
> happen), logging in becomes near impossible.  It takes 5 minutes on a
> console login for LDAP lookups to time out (between DNS lookup
> retries, nss retries, timeouts, etc).  The same delay occurs even for
> a local user, though it appears to me that the system is looking up
> file ownership, environment, etc, because a successful root login is
> immediately logged, but getting a term prompt is still delayed.
>
> If I remove LDAP from nsswitch.conf, the system obviously has no info
> on the user and login fails when trying GSSAPI in OpenSSH alone.
>
> What are you guys doing not to make your systems unusable when LDAP is
> unavailable?  Are you bypassing it entirely and using Kerberos only
> somehow?  Are you making use of NSCD or SSSD to cache LDAP data?
> Would the cache survive a reboot?
>

More information about the Kerberos mailing list