On Thu, 2009-12-10 at 16:04 -0500, Owen Taylor wrote:
> * To make sure that we can get edit DNS as soon as possible,
>   verify that menubar.gnome.org can be logged into by sysadmins:
>   - Without LDAP running
>   - With /home/users unmounted
>   This may require reconfiguring the NSS configuration.

To test, I temporarily added the rule:

  -A RH-Firewall-1-INPUT -s 172.31.1.12 -m tcp -p tcp --dport 389 -j REJECT

to /etc/sysconfig/iptables on label.gnome.org and restarted the iptables
service, and then unmounted /home/users on menubar.

I was initially unable to SSH in to menubar, but by adding:

  nss_initgroups_ignoreusers root,otaylor

to /etc/ldap.conf on menubar, I was then successfully able to ssh in.

The downside of the above is my LDAP groups aren't propagated to
menubar, but not a big problem for now. The other obvious downside
is that only I'm listed there.

I tried experimenting some with other ldap.conf options to see if I
could get it to transparently fall back without having to do the
above, but didn't have any immediate luck. Probably just takes more
research and reading of the nss_ldap man page.

- Owen

[ Also added the nss_initgroups_ignoreusers on container.gnome.org,
  since that's the other server that is really depended on throughout
  the cluster ]
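
An added example, not part of the original message or of GNOME's configuration: a Python check that reads nss_ldap-style ldap.conf text and reports which required sysadmin accounts are not named by nss_initgroups_ignoreusers. The required-account list, the placeholder name "admin2", the sample file contents, and the choice to honour only the last occurrence of the directive are assumptions.

```python
"""Check which sysadmin accounts are covered by nss_initgroups_ignoreusers."""

DIRECTIVE = "nss_initgroups_ignoreusers"


def ignored_users(conf_text):
    """Return the set of users named by the directive in ldap.conf text.

    Assumption: if the directive appears more than once, only the last
    occurrence counts (the conservative reading for this check).
    """
    users = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        parts = line.split(None, 1)
        # Keyword matched case-insensitively (assumed parser behaviour).
        if parts[0].lower() != DIRECTIVE:
            continue
        value = parts[1] if len(parts) > 1 else ""
        users = {u.strip() for u in value.split(",") if u.strip()}
    return users


def missing_admins(conf_text, required):
    """Return, sorted, the required accounts the directive does not list."""
    return sorted(set(required) - ignored_users(conf_text))


# Constructed sample input; only the directive line comes from the message.
SAMPLE_CONF = """\
# /etc/ldap.conf (constructed sample)
host ldap.example.org
base dc=example,dc=org
#nss_initgroups_ignoreusers root
nss_initgroups_ignoreusers root,otaylor
"""

# Hypothetical sysadmin list; "admin2" is a placeholder account name.
REQUIRED = ["root", "otaylor", "admin2"]

if __name__ == "__main__":
    gaps = missing_admins(SAMPLE_CONF, REQUIRED)
    if gaps:
        print("not listed in %s: %s" % (DIRECTIVE, ", ".join(gaps)))
    else:
        print("all required accounts are listed")
```
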
