Dear all,

I have the subjected components configured to have single sign on in Linux
box against W2K3 AD.
In which, 3 W2K3 AD handling the authentication and name service. Linux box
is ldap and nss client in such case.

I have a concern of the failover behavours when W2K3 AD masteer Kerberos
server is fail-over.
And I have done the following tests already,

If the master Kerberos server is down,
# An already cached user (probably by nscd), can be login by su or ssh
And the new password changed in the Kerberos server which is taked
over the slave server takes effect.

# A non-cached user, though, cannot even login by su or ssh, finally
ended up with user doesn't exist.
Some users of this kind of, can issue kinit, but some are not.
I tried getent passwd, it gives me all the users in AD with UNIX
attribute even for whose ended up by user doesn't exist in su or ssh.

I am wondering, if krb5.conf can only specify one admin_server (master
Kerboers server), how does it handle failover suitation when this master
server is down? Is anyone out there try this approach and has the similiar
concern? Let's share and disccuss.

Thank you very much.

View this message in context:
Sent from the Kerberos - General mailing list archive at