

Re: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~

daemon@ATHENA.MIT.EDU (JackyC@umac.mo)
Tue Nov 11 04:01:56 2008

In-Reply-To: <a64bf030811110046m628d3564r992f39afd613e34d@mail.gmail.com>
To: "Javier Palacios" <javiplx@gmail.com>
MIME-Version: 1.0
Message-ID: <OFBDE936A7.42F60A23-ON482574FE.0030F106-482574FE.00317EDA@umac.mo>
From: JackyC@umac.mo
Date: Tue, 11 Nov 2008 17:00:37 +0800
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> You don't need admin server for normal operation. Just KDC, which
> allows multiple entries.

Oh yes, I have set two KDCs, one of them is the admin server; when the
admin server is down, non-cached users cannot log in and cannot even kinit.

> Only if the flag to change password on next login is enabled
> on AD and is honoured by pam-krb5 is the absence of extra admin servers
> a problem.

What exactly do you mean, that pam_krb5 will not allow changing the password on
next login when the admin server is down?

> I think the problem you have is that nscd/nss-ldap allows a single ldap
> server to query. If the configured one is down, only users already cached
> are known to the system.

Actually, I set two LDAP servers in /etc/ldap.conf.
I tried bringing down the slave Kerberos server, which is LDAP server No. 2
in /etc/ldap.conf.
With nscd running, failover for non-cached users works.
But if the master Kerberos server is down, non-cached users cannot log in
by su or ssh.

> It should be noticed that if I'm right, all the users returned by getent
> passwd should be able to login (if they match some principal, obviously),
> and it appears not to be your case.

Thank you very much!

Yours Sincerely,
Jacky, Hoi Kei Chan,
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
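As an added illustration (not written by either participant in this thread), the two layers involved in a login like the one above can each be pointed at more than one server. The realm, domain and host names below are placeholders, and the /etc/ldap.conf lines assume the PADL nss_ldap syntax that the thread refers to; the "weak" single-server lines are kept as comments beside the corrected ones.

```ini
# /etc/krb5.conf (added example; EXAMPLE.COM and the host names are placeholders)
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # Weak: one kdc line means every uncached login depends on one host.
        #   kdc = kdc1.example.com
        # Better: list every KDC; libkrb5 tries them in order and moves on
        # when one does not answer. admin_server is only contacted by
        # kadmin/kpasswd, so kinit and normal logins do not depend on it.
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }

# /etc/ldap.conf (PADL nss_ldap; assumes the same two hosts also serve LDAP)
# Weak: a single host leaves nss_ldap nowhere to go when that host is down.
#   uri ldap://kdc1.example.com/
# Better: several URIs, tried in order, with short timeouts so a dead first
# host does not stall every lookup for the default connect timeout.
uri ldap://kdc1.example.com/ ldap://kdc2.example.com/
base dc=example,dc=com
bind_timelimit 5
timelimit 10
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
```

A useful way to separate the two failure modes described in the thread is to test each layer on its own: with the first host unreachable and nscd stopped (so its cache cannot mask the result), `getent passwd <user>` for a user who has never logged in exercises only nss_ldap failover, while `kinit <user>` exercises only KDC failover. If the first check fails and the second succeeds, the login problem is on the NSS side, which matches the suggestion quoted above that a single reachable LDAP source, not the KDC, is what limits logins to already-cached users.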
