Quoting Russ Allbery <[email protected]>:

> I was thinking of NFS mounts with system credentials, where you have to
> get the ordering between the network, k5start, and the NFS mount correct.
> But it sounds like I was borrowing trouble you don't have. :)

Having installed libnss-ldapd and nslcd on a dozen workstations, I now have some actual experience with it. At first I modified /etc/init.d/nscd to make sure it started up after nslcd, but later I decided that wasn't necessary. I also started out thinking that it was better to run nslcd as root.root to ensure that the credentials cache file would have the same ownership and group, but that also turned out to be unnecessary; the default (nslcd.nslcd) is fine.

The worst problem I had was with the "allow-hotplug" setting in /etc/network/interfaces, which IIRC has been the default for Debian since lenny. This delays the start up of the network interface until after nslcd has started, causing k5start to fail to obtain a TGT. The fix is to change "allow-hotplug" to "auto", which is the old Debian default.

The only gripe I have now is with nslcd: it comes with a DNS lookup option that I would very much prefer to use, but that doesn't work reliably (I'll file a bug report). Other than that, the users were very happy this morning with the new configuration with no reports of any of the previous bootup/login problems associated with libnss-ldap.

Thanks, Russ!

Cheers,
Jaap

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
