On Fri, Aug 10, 2012 at 8:26 PM, Darek M <[email protected]> wrote:
> Hi there, I'm sorry that this won't be strictly limited to Kerberos.
>
> I have an MIT/OpenLDAP setup running in a FreeBSD environment where
> nss_ldap provides user data and Kerberos the authentication.
>
> The problem is that when the system goes offline (as it can easily
> happen), logging in becomes near impossible. It takes 5 minutes on a
> console login for LDAP lookups to time out (between DNS lookup
> retries, nss retries, timeouts, etc).
One thing to try is running a local caching BIND server that only listens on localhost. Nothing else I've tried on Linux comes anything like doing the correct thing. (nscd has really stupid caching and should be avoided if at all possible.)

The other thing is that, at least in RHEL6, there is a similar cache-only LDAP server that might help as well (nslcd). You'll still need local group and passwd entries for the emergency accounts, but using these two might make the whole thing less painful.

My experience has been that no matter how low you set the DNS timeouts, if the first server in resolv.conf is down, the system becomes painful to use.

- Booker C. Bense

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
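The reply above points at three places that decide whether an offline host hangs at the login prompt: which nameserver is first in resolv.conf (and how long glibc will retry it), whether nsswitch.conf consults the local files before LDAP, and whether the emergency account actually has a local passwd entry. The script below is an added example, not code from the thread or from either poster: it audits those settings against constructed sample files (the real ones live at /etc/resolv.conf, /etc/nsswitch.conf and /etc/passwd). The worst-case figure uses the glibc resolver defaults of timeout:5 and attempts:2 per nameserver; the requirement that `files` be the first source for passwd and group is my assumption about how the emergency accounts are meant to resolve, the thread only says the local entries must exist. Addresses, the `rescue` account and the 10-second budget are made up for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit the settings that make
# an LDAP/Kerberos host hang on login when the network is gone.  Sample files are
# constructed below; point the functions at /etc/resolv.conf, /etc/nsswitch.conf
# and /etc/passwd to audit a real host.

# Worst-case seconds one name lookup can spend when every nameserver is
# unreachable: timeout * attempts * number of nameservers.  glibc defaults
# (resolv.conf(5)) are timeout:5 and attempts:2.
resolv_worst_case() {
    f=$1
    t=$(sed -n 's/^options.*timeout:\([0-9][0-9]*\).*/\1/p' "$f" | tail -n 1)
    a=$(sed -n 's/^options.*attempts:\([0-9][0-9]*\).*/\1/p' "$f" | tail -n 1)
    n=$(grep -c '^nameserver[[:space:]]' "$f")
    echo $(( ${t:-5} * ${a:-2} * $n ))
}

# First nameserver listed.  The reply's advice is that this be a caching
# resolver on loopback, so an offline box fails fast instead of waiting on it.
resolv_first_ns() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# 0 if the first nameserver is loopback and the worst case is at most MAX seconds
# (MAX defaults to 10, an arbitrary budget chosen for this example).
check_resolv() {
    f=$1; max=${2:-10}
    first=$(resolv_first_ns "$f")
    case "$first" in
        127.*|::1) ;;
        *) echo "$f: first nameserver $first is not loopback" >&2; return 1 ;;
    esac
    w=$(resolv_worst_case "$f")
    if [ "$w" -gt "$max" ]; then
        echo "$f: worst case per lookup is ${w}s" >&2; return 1
    fi
}

# First source consulted for a database (passwd, group, ...) in nsswitch.conf.
nss_first_source() {
    awk -v db="$2" '$1 == db ":" { print $2; exit }' "$1"
}

# 0 if the emergency account resolves without LDAP: "files" is the first source
# for passwd and group (assumption, see lead-in) and the user has a local entry.
check_emergency_account() {
    nss=$1; passwd=$2; user=$3
    for db in passwd group; do
        src=$(nss_first_source "$nss" "$db")
        if [ "$src" != "files" ]; then
            echo "$nss: $db consults '$src' before files" >&2; return 1
        fi
    done
    if ! grep -q "^$user:" "$passwd"; then
        echo "$passwd: no local entry for $user" >&2; return 1
    fi
}

# --- constructed sample files (not from any real host) ----------------------
TMP=$(mktemp -d)
BAD_RESOLV=$TMP/resolv.bad
GOOD_RESOLV=$TMP/resolv.good
BAD_NSS=$TMP/nsswitch.bad
GOOD_NSS=$TMP/nsswitch.good
PASSWD=$TMP/passwd

# Remote servers only, glibc defaults: 5s x 2 attempts x 3 servers = 30s per lookup.
printf 'nameserver 192.0.2.10\nnameserver 192.0.2.11\nnameserver 192.0.2.12\n' > "$BAD_RESOLV"
# Local caching resolver first, tight retry budget: 1s x 1 attempt x 2 servers = 2s.
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.10\noptions timeout:1 attempts:1\n' > "$GOOD_RESOLV"
printf 'passwd: ldap files\ngroup:  ldap files\nhosts:  files dns\n' > "$BAD_NSS"
printf 'passwd: files ldap\ngroup:  files ldap\nhosts:  files dns\n' > "$GOOD_NSS"
printf 'root:x:0:0:root:/root:/bin/sh\nrescue:x:1000:1000:emergency login:/home/rescue:/bin/sh\n' > "$PASSWD"

for f in "$BAD_RESOLV" "$GOOD_RESOLV"; do
    if check_resolv "$f"; then echo "ok   $f"; else echo "FAIL $f"; fi
done
for f in "$BAD_NSS" "$GOOD_NSS"; do
    if check_emergency_account "$f" "$PASSWD" rescue; then echo "ok   $f"; else echo "FAIL $f"; fi
done
```

The worst-case number is per lookup; a console login that does several lookups (KDC discovery, the LDAP server's name, the client's own hostname) multiplies it, which is how the five minutes in the original question add up. The loopback check only tells you a local resolver is first in line, not that it is actually running, so pair it with a service check on the host.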
