Re: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern

> You don't need admin server for normal operation. Just KDC, which
> allows multiple entries.

Oh yeah, I have set two KDCs, one of them is the admin server; when the
admin server is down, non-cached users cannot login and cannot even kinit.
> Only if the flag to change password on next login is enabled
> on AD and is honoured by pam-krb5 the absence of extra admin servers is
> a problem.

What exactly do you mean, pam_krb5 will not allow a change of password on
next login when the admin server is down?
> I think the problem you have is that nscd/nss-ldap allows a single ldap
> server to query. If the configured one is down, only users already cached
> are known to the system.

Actually, I set two ldap servers in /etc/ldap.conf;
I tried taking down the slave Kerberos server, which is ldap server No.2
in /etc/ldap.conf.
With nscd running, failover for non-cached users works.
But if the master Kerberos server is down, non-cached users cannot login
by su or ssh.
> It should be noticed that if I'm right, all the users returned by getent
> passwd should be able to login (if they match some principal, obviously),
> and it appears not to be your case.
Thank you very much!
Yours Sincerely,
Jacky, Hoi Kei Chan,
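For reference, here is the kind of configuration the thread is talking about: a realm with two KDCs where only password changes depend on a single admin/kpasswd host, and an nss_ldap client that fails over between two directory servers instead of blocking. This is an added example, not a file from the original post; the hostnames dc1/dc2.example.com, the realm EXAMPLE.COM and the base DN are assumptions, and the timeouts are illustrative values, not a recommendation from the thread.

```ini
# /etc/krb5.conf  (MIT krb5; assumed hostnames and realm)
[libdefaults]
    default_realm = EXAMPLE.COM
    # Static list below instead of DNS SRV lookups; set to true to let the
    # client discover DCs from _kerberos._tcp SRV records instead.
    dns_lookup_kdc = false
    ticket_lifetime = 10h
    forwardable = true

[realms]
    EXAMPLE.COM = {
        # Several kdc lines: AS/TGS requests (kinit, pam_krb5 login) try each
        # entry in turn, so one DC being down does not stop authentication.
        kdc = dc1.example.com:88
        kdc = dc2.example.com:88
        # Only contacted for password changes (kpasswd, "must change password
        # at next logon"), never for a normal login. AD answers kpasswd on
        # 464; there is no kadmin service on 749 on a Windows DC.
        admin_server = dc1.example.com
        kpasswd_server = dc1.example.com:464
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/ldap.conf  (nss_ldap; assumed servers and base DN)
# Two servers, tried in the order listed when the first is unreachable.
uri ldap://dc1.example.com ldap://dc2.example.com
base dc=example,dc=com
scope sub
# Fail fast on a dead server rather than hanging every getpwnam() call,
# which is what makes su/ssh appear to "hang" when a DC disappears.
bind_policy soft
bind_timelimit 5
timelimit 10
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 4
nss_reconnect_maxconntries 2
```

The split matters for diagnosing the symptom in the post: if `kinit` fails while the first KDC is down, the problem is on the Kerberos side (check that both `kdc` lines are present and reachable on 88/tcp and 88/udp); if `getent passwd someuser` returns nothing for an uncached user while `kinit` still works, the problem is on the nss_ldap side (server list, bind policy, or nscd only serving its positive cache).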