>> You don't need admin server for normal operation. Just KDC, which
>> allows multiple entries.

Oh yeap, I have set two KDCs, one of them is the admin server; when the
admin server is down, non-cached users cannot log in or even kinit.

>> Only if the flag to change password on next login is enabled
>> on AD and is honoured by pam-krb5 the absence of extra admin servers is
>> a problem.

What exactly do you mean? pam_krb5 will not allow changing the password on
next login when the admin server is down?

>> I think the problem you have is that nscd/nss-ldap allows a single ldap
>> to query. If the configured one is down, only users already cached are
>> to the system.

Actually, I set two LDAP servers in /etc/ldap.conf;
I tried taking down the slave Kerberos server, which is LDAP server No.2
in /etc/ldap.conf.
With nscd running, failover for non-cached users works.
But if it is the master Kerberos server that is down, non-cached users
cannot log in by su or ssh.

>> It should be noticed that if I'm right, all the users returned by getent
>> should be able to login (if match some principal, obviously), and it's
>> not your case.

Thank you very much!

Yours Sincerely,
Jacky, Hoi Kei Chan,
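For readers following the KDC versus admin-server distinction in this exchange, here is a krb5.conf fragment added as an illustration; it is not taken from the thread or from any poster's machine, and the realm and hostnames are placeholders. It shows the split the replies describe: several kdc entries give kinit and pam_krb5 logins a fallback, while admin_server names the single host that only kadmin and kpasswd (including a forced password change at next login) depend on.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # Both KDCs serve AS/TGS requests. The client tries the next entry
        # when one does not answer, so authentication survives the loss of
        # either host. Listing only one KDC is the setting to avoid.
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        # Single kadmin host. Authentication never contacts it, but kpasswd
        # and kadmin do, so a change-password-at-next-login requirement
        # cannot be satisfied while this host is down.
        admin_server = kdc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

The same idea applies to the account lookup side: nss_ldap's /etc/ldap.conf accepts more than one server on its uri or host line, which is the two-server setup the message above reports as failing over correctly with nscd running. A quick check that the two paths are independent is to stop the admin server and confirm that kinit against a listed KDC still succeeds while kpasswd fails, which is exactly the behaviour the quoted replies predict.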