[30438] in Kerberos
Re: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~
daemon@ATHENA.MIT.EDU (Jacky Chan)
Tue Nov 11 21:05:18 2008
Message-ID: <20452584.post@talk.nabble.com>
Date: Tue, 11 Nov 2008 18:04:23 -0800 (PST)
From: Jacky Chan <JackyC@umac.mo>
To: kerberos@mit.edu
In-Reply-To: <a64bf030811111000n36a8944dp6e7887fe30c8c54a@mail.gmail.com>
MIME-Version: 1.0
X-Nabble-From: JackyC@umac.mo
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Javier Palacios-2 wrote:
>
>>>> Only if the flag to change password on next login is enabled
>> on AD and is honoured by pam-krb5 the absence of extra admin servers is
>> a problem.
>>
>> What exactly do you mean, pam_krb5 will not allow changing the password on
>> next login when the admin server is down?
>
> Sorry, I didn't explain well. If the admin server is down, there is no
> way to change the password (at least with MIT Kerberos).
> The other point is whether pam-krb5 does follow the change-on-next-login
> thing in the same manner as a Windows workstation does (I have never
> tested that).
> If that is true _and_ the admin server is down, the password cannot be
> changed and the login gets refused. Enable debug on pam-krb5, which is not
> very verbose but allows you to pinpoint some problems.
>
>
Yes, I get what you mean. And it does have this problem.
Javier Palacios-2 wrote:
>
>
>>>> I think the problem you have is that nscd/nss-ldap allows a single ldap
>>>> server to query.
>> If the configured one is down, only users already cached are known to
>> the system.
>> Actually, I set two ldap servers in /etc/ldap.conf;
>
> Last time I looked at that, only one was allowed.
>
>
If you are using nss_ldap 253, it is allowed to configure more than one
LDAP server in the uri entry:
uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc ldap://w2k3dc3.failover.dc
But you need to set bind_policy to soft to trigger intermediate failover
instead of waiting for nss_ldap to retry and reconnect until its default
maximum is reached.
--
View this message in context: http://www.nabble.com/krb5-%2B-nss_ldap-%2B-nscd-%2B-Window-AD-2003-Failover-Concern%7E%7E-tp20435198p20452584.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
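The two nss_ldap settings the message above turns on (more than one server in the uri entry, and bind_policy soft so lookups move to the next server instead of retrying a dead one) are easy to leave unset on one host among many. As an added example that is not part of this thread or of nss_ldap itself, the Python script below parses an nss_ldap-style /etc/ldap.conf and reports the two conditions discussed: only one directory server configured, and a bind_policy other than soft (nss_ldap's default is hard). The config fragments are constructed samples; the hostnames reuse the ones from the message.

```python
"""Check an nss_ldap /etc/ldap.conf for the failover settings discussed in
the thread: several servers in `uri`/`host`, and `bind_policy soft`.
Added example, not code from the thread or from nss_ldap. The config
fragments below are constructed samples."""
from typing import Dict, List

# Constructed sample: one server and the default (hard) bind policy, so a
# dead DC stalls every uncached lookup until the reconnect limit is hit.
WEAK_CONF = """\
# constructed sample: single server, hard bind policy
base dc=failover,dc=dc
uri ldap://w2k3dc1.failover.dc
bind_policy hard
"""

# Constructed sample: the corrected form from the message, three servers
# (split over two uri lines, which nss_ldap accumulates) and soft binds.
FIXED_CONF = """\
# constructed sample: three servers, soft bind policy
base dc=failover,dc=dc
uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc
uri ldap://w2k3dc3.failover.dc
bind_policy soft
"""

# Constructed sample: redundant servers but bind_policy left at its default.
NO_POLICY_CONF = """\
uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc
"""


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Parse the simple `key value...` format used by /etc/ldap.conf:
    '#' starts a comment, blank lines are ignored, keys are case-insensitive,
    values are whitespace-separated and repeated keys accumulate."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        settings.setdefault(parts[0].lower(), []).extend(parts[1:])
    return settings


def servers(settings: Dict[str, List[str]]) -> List[str]:
    """All directory servers: `uri` entries plus any older-style `host` entries."""
    return settings.get("uri", []) + settings.get("host", [])


def failover_findings(text: str) -> List[str]:
    """Return a human-readable finding for each failover weakness found."""
    settings = parse_ldap_conf(text)
    findings = []
    if len(servers(settings)) < 2:
        findings.append(
            "only one directory server configured: if it is down, only users "
            "already cached by nscd are known to the system")
    # bind_policy defaults to hard when absent; the last occurrence wins.
    policy = (settings.get("bind_policy") or ["hard"])[-1].lower()
    if policy != "soft":
        findings.append(
            "bind_policy is %s: nss_ldap retries the dead server through its "
            "reconnect sequence before failing over; set bind_policy soft" % policy)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF),
                       ("no_policy", NO_POLICY_CONF)):
        print("%s: %s" % (name, failover_findings(conf) or ["ok"]))
```

Point the script at a real file with `failover_findings(open("/etc/ldap.conf").read())`; it reports nothing for a configuration that already has several servers and bind_policy soft.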