Not strictly limited to Kerberos - long login delays when system is offline

Booker Bense bbense at gmail.com
Mon Aug 20 11:10:52 EDT 2012


On Fri, Aug 10, 2012 at 8:26 PM, Darek M <fafaforza at gmail.com> wrote:
> Hi there, I'm sorry that this won't be strictly limited to Kerberos.
>
> I have an MIT/OpenLDAP set up running in a FreeBSD environment where
> nss_ldap provides user data and kerberos the authentication.
>
> The problem is that when the system goes offline (as it can easily
> happen), logging in becomes near impossible.  It takes 5 minutes on a
> console login for LDAP lookups to time out (between DNS lookup
> retries, nss retries, timeouts, etc).

One thing to try is running a local caching BIND server that only listens on localhost. Nothing else I've tried on Linux comes anywhere close to doing the correct thing. (nscd has really stupid caching and should be avoided if at all possible.)

The other thing is that, at least in RHEL6, there is a similar cache-only LDAP server (nslcd) that might help as well.

You'll still need local group and passwd entries for the emergency accounts, but using these two might make the whole thing less painful.

My experience has been that no matter how low you set the DNS timeouts, if the first server in resolv.conf is down, the system becomes painful to use.

- Booker C. Bense
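The three host-side settings the reply above relies on (local files consulted before LDAP, a loopback resolver listed first with short timeouts, and a local emergency account) are easy to get subtly wrong, so here is an added example, written for this page and not taken from the mailing-list thread or from either poster, that audits them. It runs entirely against constructed sample files written to a scratch directory; the account name `rescue`, the timeout ceilings, and the 192.0.2.x addresses are my own assumptions, and it does not configure BIND or nslcd itself.

```shell
#!/bin/sh
# Added example: audit a host for the offline-login stall described in the
# thread. Everything below runs against constructed sample files, not a
# real host; the "rescue" account name and the timeout limits are assumptions.

# Do passwd and group in nsswitch.conf list "files" before "ldap"?
# Returns 0 if both do, 1 otherwise.
nss_files_first() {
    f="$1"
    for db in passwd group; do
        line=$(grep -E "^[[:space:]]*$db:" "$f" | head -n 1)
        [ -n "$line" ] || return 1
        first=$(printf '%s\n' "${line#*:}" | awk '{print $1}')
        [ "$first" = "files" ] || return 1
    done
    return 0
}

# Is 127.0.0.1 the first nameserver, with timeout and attempts both <= 2?
# (The ceiling of 2 is my own choice.) Returns 0 when all three hold.
resolver_sane() {
    f="$1"
    first_ns=$(awk '$1=="nameserver"{print $2; exit}' "$f")
    [ "$first_ns" = "127.0.0.1" ] || return 1
    t=$(grep -oE 'timeout:[0-9]+' "$f" | head -n 1 | cut -d: -f2)
    a=$(grep -oE 'attempts:[0-9]+' "$f" | head -n 1 | cut -d: -f2)
    [ -n "$t" ] && [ "$t" -le 2 ] || return 1
    [ -n "$a" ] && [ "$a" -le 2 ] || return 1
    return 0
}

# Is the named emergency account present in the local passwd file?
local_account_exists() {
    grep -q "^$2:" "$1"
}

# Run all three checks on one directory of config files; the return value
# is the number of findings (0 means offline logins should not stall).
audit() {
    dir="$1"; findings=0
    nss_files_first "$dir/nsswitch.conf" \
        || { echo "nsswitch.conf: ldap consulted before files"; findings=$((findings+1)); }
    resolver_sane "$dir/resolv.conf" \
        || { echo "resolv.conf: no loopback resolver first, or long timeouts"; findings=$((findings+1)); }
    local_account_exists "$dir/passwd" rescue \
        || { echo "passwd: no local emergency account 'rescue'"; findings=$((findings+1)); }
    return "$findings"
}

# Constructed sample files (not real host config): a "good" and a "bad"
# set in a scratch directory. Prints the directory path.
write_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/good" "$d/bad"
    cat > "$d/good/nsswitch.conf" <<'EOF'
passwd: files ldap
group:  files ldap
hosts:  files dns
EOF
    cat > "$d/bad/nsswitch.conf" <<'EOF'
passwd: ldap files
group:  ldap files
hosts:  dns files
EOF
    cat > "$d/good/resolv.conf" <<'EOF'
# caching-only named on loopback first, so a dead upstream does not stall lookups
nameserver 127.0.0.1
nameserver 192.0.2.53
options timeout:1 attempts:1
EOF
    cat > "$d/bad/resolv.conf" <<'EOF'
nameserver 192.0.2.53
nameserver 192.0.2.54
EOF
    cat > "$d/good/passwd" <<'EOF'
root:*:0:0:root:/root:/bin/sh
rescue:*:1000:1000:Emergency account:/home/rescue:/bin/sh
EOF
    cat > "$d/bad/passwd" <<'EOF'
root:*:0:0:root:/root:/bin/sh
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: audit both constructed sets, then clean up.
d=$(write_samples)
for s in good bad; do
    echo "== $s =="
    audit "$d/$s" || true
done
rm -rf "$d"
```

To use it on a real host, point `audit` at a directory holding that host's `nsswitch.conf`, `resolv.conf` and `passwd` (or at `/etc` directly) and adjust the emergency account name; a non-zero exit count is the list of settings that would still let a dead LDAP or DNS server hold the console login open.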

