Douglas E. Engert wrote:
> Sounds like either AD is not replicating, or not replicating fast enough
> for your tests. Or your krb5.conf is not pointing at all the DCs. It could
> also be that NSCD has cached a negative response for some time, but not as
> long as it would a positive response.
> Is your nss ldap configured to use multiple DCs?

Yes, the NSCD negative response time should not be longer than the positive one.
I should clean up and reload once it has timed out.

I configured nss_ldap as follows; I think it should lead to using
multiple DCs:
uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc

And I had also configured /etc/krb5.conf to point to multiple DCs, like:
kdc = w2k3dc1.failover.dc:88
kdc = w2k3dc2.failover.dc:88
admin_server = w2k3dc1.failover.dc:749

The difference from what I found online is that they use a different
admin_server from the kdc.
In my testing environment above, I configured one of the kdc servers to be
the admin_server.
If I take down w2k3dc1.failover.dc, the failover does not take effect; su or
ssh just hang here.
Maybe I will turn on debug mode in pam_krb5 to see the log, or set up a new
w2k3dc3.failover.dc to avoid this.

Douglas E. Engert wrote:
> AD does not have the master/slave concept, so you can point the
> admin_server at any one of them. The MIT 1.6.3 looks like it might find
> more than one admin_server, so try it out specifying all your DCs.

But you say I can point the admin_server at any one of the KDC servers.
That means your assumption above is not correct.
But if that is the case, how come the failover doesn't work when the admin
server is down?

Where do I find MIT 1.6.3 for testing?

Thank you very much

Sent from the Kerberos - General mailing list archive at
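The exchange above turns on which hosts the realm stanza of krb5.conf actually lists for the KDC role and for the admin_server role. As an added example (not code from the poster or from the thread), the script below parses the [realms] section of a krb5.conf, collects the kdc and admin_server entries per realm, and flags the two failover gaps discussed here: a realm with only one kdc, and a realm whose admin_server (the host kadmin and kpasswd contact) has no fallback. The sample configuration is constructed to mirror the one quoted in the message; the function names parse_realms and audit_realm are this example's own choices.

```python
"""Audit the [realms] section of a krb5.conf for single points of failure."""
import re
from collections import defaultdict

# Constructed sample modelled on the configuration quoted in the thread:
# two KDCs listed, but only one admin_server (the first KDC host).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FAILOVER.DC
    dns_lookup_kdc = false

[realms]
    FAILOVER.DC = {
        kdc = w2k3dc1.failover.dc:88
        kdc = w2k3dc2.failover.dc:88
        admin_server = w2k3dc1.failover.dc:749
    }
"""

# Same realm with every DC also listed as an admin_server, as the reply suggests.
SAMPLE_KRB5_CONF_FIXED = SAMPLE_KRB5_CONF.replace(
    "        admin_server = w2k3dc1.failover.dc:749\n",
    "        admin_server = w2k3dc1.failover.dc:749\n"
    "        admin_server = w2k3dc2.failover.dc:749\n",
)


def _split_host_port(value, default_port):
    """Split 'host:port' into (host, port); apply the role's default port if absent."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, default_port


def parse_realms(text):
    """Return {realm: {"kdc": [(host, port), ...], "admin_server": [(host, port), ...]}}.

    Only the [realms] section is read; comments (#) and blank lines are ignored.
    """
    realms = defaultdict(lambda: {"kdc": [], "admin_server": []})
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1).lower(), None
            continue
        if section != "realms":
            continue
        m = re.match(r"^([^\s=]+)\s*=\s*\{$", line)
        if m:
            realm = m.group(1)
            _ = realms[realm]  # create the entry even if the stanza is empty
            continue
        if line == "}":
            realm = None
            continue
        if realm is None:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "kdc":
            realms[realm]["kdc"].append(_split_host_port(value, 88))
        elif key == "admin_server":
            realms[realm]["admin_server"].append(_split_host_port(value, 749))
    return dict(realms)


def audit_realm(realm_cfg):
    """Return a list of findings describing failover exposure for one realm."""
    findings = []
    kdc_hosts = {host for host, _ in realm_cfg["kdc"]}
    admin_hosts = {host for host, _ in realm_cfg["admin_server"]}
    if len(kdc_hosts) < 2:
        findings.append("only %d kdc host listed: no KDC failover" % len(kdc_hosts))
    if len(admin_hosts) < 2:
        findings.append(
            "only %d admin_server host listed: kadmin/kpasswd have no fallback"
            % len(admin_hosts)
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_KRB5_CONF), ("fixed", SAMPLE_KRB5_CONF_FIXED)):
        for realm, cfg in parse_realms(conf).items():
            print(label, realm, audit_realm(cfg) or ["no findings"])
```

Run it against your own file with parse_realms(open("/etc/krb5.conf").read()); it reports only what the static configuration lists, so a realm that relies on dns_lookup_kdc for SRV records will show fewer hosts than the library actually tries.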