[33383] in Kerberos
Re: Inittab launching K5start too soon
daemon@ATHENA.MIT.EDU (Jaap Winius)
Fri May 13 10:56:01 2011
Message-ID: <20110513165550.14882teoijf45twk@bitis.umrk.nl>
Date: Fri, 13 May 2011 16:55:50 +0200
From: Jaap Winius <jwinius@umrk.nl>
To: kerberos@mit.edu
In-Reply-To: <878vub52w3.fsf@windlord.stanford.edu>

Quoting Russ Allbery <rra@stanford.edu>:

> I was thinking of NFS mounts with system credentials, where you have to
> get the ordering between the network, k5start, and the NFS mount correct.
> But it sounds like I was borrowing trouble you don't have. :)

Having installed libnss-ldapd and nslcd on a dozen workstations, I now
have some actual experience with it. At first I modified
/etc/init.d/nscd to make sure it started up after nslcd, but later I
decided that wasn't necessary. I also started out thinking that it was
better to run nslcd as root.root to ensure that the credentials cache
file would have the same ownership and group, but that also turned out
to be unnecessary; the default (nslcd.nslcd) is fine.

The worst problem I had was with the "allow-hotplug" setting in
/etc/network/interfaces, which IIRC has been the default for Debian
since lenny. This delays the start up of the network interface until
after nslcd has started, causing k5start to fail to obtain a TGT. The
fix is to change "allow-hotplug" to "auto", which is the old Debian
default.

The only gripe I have now is with nslcd: it comes with a DNS lookup
option that I would very much prefer to use, but that doesn't work
reliably (I'll file a bug report).

Other than that, the users were very happy this morning with the new
configuration with no reports of any of the previous bootup/login
problems associated with libnss-ldap.

Thanks, Russ!

Cheers,

Jaap
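
Added example, not part of the original message: a small audit for the "allow-hotplug" ordering problem described above. It lists interfaces in an ifupdown interfaces file that are declared "allow-hotplug" with no "auto" line, and prints the file with the change the message describes applied. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an ifupdown interfaces file for hotplug-only interfaces.
# Limitations (assumptions of this sketch): "source" directives and
# backslash line continuations are not followed.

# Print interfaces that have an "allow-hotplug" line but no "auto" line.
# Reads the file named in $1, or stdin when no argument is given.
hotplug_only_ifaces() {
    awk '
        /^[[:space:]]*#/ { next }    # comments must be on their own line
        $1 == "auto" || $1 == "allow-auto" {
            for (i = 2; i <= NF; i++) auto[$i] = 1
        }
        $1 == "allow-hotplug" {
            for (i = 2; i <= NF; i++) hot[$i] = 1
        }
        END { for (n in hot) if (!(n in auto)) print n }
    ' "${1:--}" | sort
}

# Print the file with every "allow-hotplug" line turned into an "auto" line.
# Nothing is modified in place; review the output before installing it.
rewrite_to_auto() {
    sed 's/^\([[:space:]]*\)allow-hotplug\([[:space:]]\)/\1auto\2/' "$1"
}

# Constructed sample input, not taken from any real host.
sample_interfaces() {
    cat <<'EOF'
# constructed sample /etc/network/interfaces
auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet dhcp

auto eth1
allow-hotplug eth1
iface eth1 inet dhcp
EOF
}

tmp=$(mktemp)
sample_interfaces > "$tmp"
echo "hotplug-only before: $(hotplug_only_ifaces "$tmp")"
echo "hotplug-only after:  $(rewrite_to_auto "$tmp" | hotplug_only_ifaces)"
rm -f "$tmp"
```

On a workstation, run `hotplug_only_ifaces /etc/network/interfaces`; any interface it prints is one that boot-time services such as k5start cannot rely on being up.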