Re: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~
>> You don't need admin server for normal operation. Just KDC, which
allows multiple entries.
Oh yeap, I have set two KDC, one of this is the admin server, when the
admin server down, non-cached user cannot login and even kinit.
>> Only if the flag to change password on next login is enabled[/color][/color]
on AD and is honoured by pam-krb5 the absence of extra admin servers is
What exactly does you mean, pam_krb5 will not allow change password on
next login when the admin server is down?
>> I think the problem you have is that nscd/nss-ldap allows a single ldap[/color][/color]
to query. If the configured one is down, only users already cached are
to the system.
Actually, I set two ldap server in /etc/ldap.conf;
I tried to down the slave Kerberos server, which is the ldap server No.2
With nscd running, failover for non-cached user works.
But only if the master Kerberos server down, non-cached user cannot login
by su for ssh.
>> It shoul be noticed that if I'm right, all the users returned by getent[/color][/color]
should be able to login (if match some principal, obviously), and it
not your case.
Thank you very much!
Jacky, Hoi Kei Chan,