[30432] in Kerberos
Re: krb5 + nss_ldap + nscd + Windows AD 2003 Failover Concern
daemon@ATHENA.MIT.EDU (Javier Palacios)
Tue Nov 11 13:01:32 2008
Message-ID: <a64bf030811111000n36a8944dp6e7887fe30c8c54a@mail.gmail.com>
Date: Tue, 11 Nov 2008 19:00:17 +0100
From: "Javier Palacios" <javiplx@gmail.com>
To: JackyC@umac.mo
In-Reply-To: <OFBDE936A7.42F60A23-ON482574FE.0030F106-482574FE.00317EDA@umac.mo>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>> Only if the flag to change password on next login is enabled
>> on AD and is honoured by pam-krb5 the absence of extra admin servers is
>> a problem.
>
> What exactly do you mean, pam_krb5 will not allow change password on next
> login when the admin server is down?
Sorry, I didn't explain well. If the admin server is down, there is no
way to change the password (at least with MIT Kerberos).
The other point is whether pam-krb5 follows the change-on-next-login thing in
the same manner as a Windows workstation does (I have never tested that).
If that is true _and_ the admin server is down, the password cannot be changed
and the login gets refused. Enable debug on pam-krb5, which is not very verbose
but allows you to pinpoint some problems.
>> I think the problem you have is that nscd/nss-ldap allows a single ldap
>> server to query. If the configured one is down, only users already cached
>> are known to the system.
>
> Actually, I set two ldap servers in /etc/ldap.conf;

Last time I looked at that, only one was allowed.
Javier Palacios
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
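For the failover concern discussed in this thread, the following is an added configuration example, not text from the thread or from either of its authors. It shows how an MIT Kerberos client can be pointed at more than one domain controller for both ticket acquisition and password changes, and how nss_ldap can be given more than one LDAP server. The realm EXAMPLE.COM, the hosts dc1/dc2 and the domain example.com are assumed placeholder names.

```text
# /etc/krb5.conf (added example; EXAMPLE.COM, dc1/dc2 and example.com are assumed names)
[libdefaults]
    default_realm = EXAMPLE.COM
    # AD publishes _kerberos and _kpasswd SRV records; letting the library use
    # them gives failover even without listing every DC below
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        # every writable DC is a KDC, so list them all for ticket failover
        kdc = dc1.example.com
        kdc = dc2.example.com
        # host kadmin talks to; also the fallback for password changes
        # when no kpasswd_server is given
        admin_server = dc1.example.com
        # password changes use the kpasswd protocol (port 464), which any
        # DC serves; listing both keeps password changes working when dc1 is down
        kpasswd_server = dc1.example.com
        kpasswd_server = dc2.example.com
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/ldap.conf for nss_ldap (added example): several servers on one uri line,
# tried in the order given, so lookups fall back to dc2 when dc1 is unreachable
uri ldap://dc1.example.com ldap://dc2.example.com
base dc=example,dc=com
# fail over quickly instead of hanging every NSS lookup on a dead server
bind_timelimit 5
nss_reconnect_tries 2
```

With only `admin_server` set, MIT Kerberos sends kpasswd requests to that one host on port 464, which is the single point of failure described above; the `kpasswd_server` entries (or the `_kpasswd._udp` SRV records that AD publishes when `dns_lookup_kdc` is on) are what let a password change succeed while that host is down. Whether a given pam-krb5 build actually honours an AD "must change password at next logon" flag is a separate question that this configuration does not answer; test it against a user with the flag set before relying on it.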