Hi there, I'm sorry that this won't be strictly limited to Kerberos. I have an MIT/OpenLDAP setup running in a FreeBSD environment where nss_ldap provides user data and Kerberos the authentication.

The problem is that when the system goes offline (as can easily happen), logging in becomes near impossible. It takes 5 minutes on a console login for LDAP lookups to time out (between DNS lookup retries, nss retries, timeouts, etc.). The same delay occurs even for a local user, though it appears to me that the system is looking up file ownership, environment, etc., because a successful root login is immediately logged, but getting a term prompt is still delayed. If I remove LDAP from nsswitch.conf, the system obviously has no info on the user and login fails when trying GSSAPI in OpenSSH alone.

What are you doing to keep your systems usable when LDAP is unavailable? Are you bypassing it entirely and using Kerberos only somehow? Are you making use of NSCD or SSSD to cache LDAP data? Would the cache survive a reboot?

-- Darek

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
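The delay Darek describes comes from the nss_ldap client retrying its bind and its queries with backoff before it lets the next nsswitch source answer. The following is an added configuration example from the editor, not part of the original post; it shows the slow-failing settings next to bounded ones, using the option names from PADL nss_ldap's ldap.conf(5). The file path, the server address (an RFC 5737 documentation address) and the list of local accounts are assumptions for illustration.

```conf
# /usr/local/etc/ldap.conf  (nss_ldap client config; path assumed for a FreeBSD port install)

# Point at the server by address, or by a name that resolves from /etc/hosts,
# so an unreachable DNS server does not add its own retry delays to every lookup.
uri ldap://192.0.2.10/          # constructed address for this example
base dc=example,dc=com          # constructed base DN

# --- slow-failing setting ---
# "hard" makes the client keep reconnecting until it succeeds; while the
# server is down every getpwnam()/getgrgid() call waits out the full retry cycle.
#bind_policy hard

# --- bounded setting ---
# "soft" returns failure after the first unsuccessful connect, so nsswitch
# can move on to the next source (or report "not found") within seconds.
bind_policy soft
bind_timelimit 5                # seconds to wait for the TCP connect / bind
timelimit 5                     # seconds to wait for a search to answer
nss_reconnect_tries 1           # reconnect attempts before giving up
nss_reconnect_sleeptime 1       # initial sleep between attempts, seconds
nss_reconnect_maxsleeptime 2    # cap on the backoff sleep, seconds
nss_reconnect_maxconntries 1    # connect attempts per reconnect try

# Local accounts never have LDAP groups, so skip the LDAP initgroups() query
# for them; this is what removes the delay on a root console login.
nss_initgroups_ignoreusers root,toor,daemon,operator

# /etc/nsswitch.conf  (order matters: local files answer before LDAP is asked)
# passwd: files ldap
# group:  files ldap
```

With `files` listed first, lookups for root and other local users are answered before nss_ldap is consulted; the remaining cost during an outage is one short, bounded LDAP attempt per unknown name or gid rather than minutes of retries. The trade-off is that a transient network blip now surfaces as "user not found" instead of a stall, so the timeouts should be set to what the site's network can reliably meet.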
