>>> Only if the flag to change password on next login is enabled
> on AD and is honoured by pam-krb5 is the absence of extra admin servers
> a problem.
> What exactly do you mean, that pam_krb5 will not allow changing the password on
> next login when the admin server is down?

Sorry, I didn't explain well. If the admin server is down, there is no
way to change the password (at least with MIT Kerberos).
The other point is whether pam-krb5 follows the change-on-next-login thing in
the same manner as a Windows workstation does (I have never tested that).
If that is true _and_ the admin server is down, the password cannot be changed
and the login gets refused. Enable debug on pam-krb5, which is not very verbose
but helps to pinpoint some problems.

>>> I think the problem you have is that nscd/nss-ldap allows a single ldap
>>> server to query. If the configured one is down, only users already cached
>>> are known to the system.
> Actually, I set two ldap servers in /etc/ldap.conf;

Last time I looked at that, only one was allowed.


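For reference, here is what the "admin server" discussed above looks like on the MIT Kerberos client side. This is an added illustration, not a configuration posted by anyone in the thread; the realm name and the host names are made up, and the assumption is that the KDC and the password-change service are the AD domain controllers.

```ini
# /etc/krb5.conf (illustrative fragment, hypothetical realm and hosts)
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # Ticket requests can fall back from one KDC to the next.
        kdc = dc1.example.com
        kdc = dc2.example.com
        # Password changes (kpasswd) go to the admin server, port 464 on
        # an AD domain controller. If only dc1 is listed and dc1 is down,
        # kpasswd has nowhere else to go, which is the situation described
        # in the thread. Listing a second host gives the client an alternative.
        admin_server = dc1.example.com
        admin_server = dc2.example.com
    }
```

To turn on the debug output mentioned in the reply, add the `debug` option to the pam_krb5 entries in the PAM service file, e.g. `auth sufficient pam_krb5.so debug`, and watch syslog (auth facility) during a login; the messages say which step (authentication, account check, or the password change) failed and against which host.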