Javier Palacios-2 wrote:
>>>> Only if the flag to change password on next login is enabled

>> on AD and is honoured by pam-krb5 the absence of extra admin servers is
>> a problem.
>> What exactly does you mean, pam_krb5 will not allow change password on
>> next
>> login when the admin server is down?

> Sorry, I didn't explain well. If the admin server is down, there is no
> way to change
> the password (at least with MIT kerberos).
> The other point is whether pam-krb5 do follow the change on next login
> thing in
> the same manner than a windows workstation does (I have never tested
> that).
> If that is true _and_ the admin server is down, the password cannot be
> changed
> and the login gets refused. Enable debug on pam-krb5, which is not very
> verbose
> but allows to pinpoint some problems.

Yes, I got your mean. And it is does has this problem.

Javier Palacios-2 wrote:
>>>> I think the problem you have is that nscd/nss-ldap allows a single ldap
>>>> server

>> to query. If the configured one is down, only users already cached are
>> known
>> to the system.
>> Actually, I set two ldap server in /etc/ldap.conf;

> Last time I look at that, only one was allowed.

If saying to use, nss_ldap 253, it is allowed to configure more than one
ldap server in uri entry.

uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc

But you need to set bind_policy to soft to trigger intermediate failover
instead of wait for nss_ldap to retry and reconnection until its default
maximmun is reached.

View this message in context: http://www.nabble.com/krb5-%2B-nss_l...p20452584.html
Sent from the Kerberos - General mailing list archive at Nabble.com.