krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~


krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~

by Jacky Chan

Dear all,

I have the components in the subject configured for single sign-on on a Linux box against W2K3 AD,
in which 3 W2K3 AD servers handle authentication and the name service. The Linux box is the LDAP and NSS client in this case.

I have a concern about the failover behaviour when the W2K3 AD master Kerberos server fails over.
I have done the following tests already:

If the master Kerberos server is down,
   # An already cached user (probably by nscd) can log in by su or ssh,
      and the new password changed on the Kerberos server that the slave server has taken over takes effect.

   # A non-cached user, though, cannot even log in by su or ssh, and finally ends up with "user doesn't exist".
      Some users of this kind can issue kinit, but some cannot.
      I tried getent passwd; it gives me all the users in AD with UNIX attributes, even those who ended up with "user doesn't exist" in su or ssh.

I am wondering, if krb5.conf can only specify one admin_server (the master Kerberos server), how does it handle the failover situation when this master server is down? Has anyone out there tried this approach and had a similar concern? Let's share and discuss.

Thank you very much.

Best,
Jacky

Re: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~

by Jacky Chan

>> You don't need admin server for normal operation. Just KDC, which allows multiple entries.

Oh yeah, I have set two KDCs, one of which is the admin server. When the
admin server is down, non-cached users cannot log in or even kinit.

>> Only if the flag to change password on next login is enabled on AD and is honoured by pam-krb5 is the absence of extra admin servers a problem.

What exactly do you mean, that pam_krb5 will not allow changing the password on
next login when the admin server is down?

>> I think the problem you have is that nscd/nss-ldap allows a single ldap server to query. If the configured one is down, only users already cached are known to the system.

Actually, I set two LDAP servers in /etc/ldap.conf;
I tried taking down the slave Kerberos server, which is LDAP server No. 2
in /etc/ldap.conf.
With nscd running, failover for non-cached users works.
But when only the master Kerberos server is down, non-cached users cannot log in
by su or ssh.

>> It should be noticed that if I'm right, all the users returned by getent passwd should be able to login (if match some principal, obviously), and it appears not your case.

Thank you very much!

Yours Sincerely,
Jacky, Hoi Kei Chan,
________________________________________________
Kerberos mailing list           Kerberos@...
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~

by Douglas E. Engert

Jacky Chan wrote:

> Dear all,
>
> I have the components in the subject configured for single sign-on on a Linux
> box against W2K3 AD.
> In which, 3 W2K3 AD servers handle authentication and the name service. The Linux box
> is the LDAP and NSS client in this case.
>
> I have a concern about the failover behaviour when the W2K3 AD master Kerberos
> server fails over.
> And I have done the following tests already,
>
> If the master Kerberos server is down,
>    # An already cached user (probably by nscd) can log in by su or ssh,
>       and the new password changed on the Kerberos server that the slave server
> has taken over takes effect.
>
>    # A non-cached user, though, cannot even log in by su or ssh, and finally
> ends up with "user doesn't exist".

Sounds like either AD is not replicating, or not replicating fast enough
for your tests. Or your krb5.conf is not pointing at all the DCs. It could
also be that nscd has cached a negative response for some time, but not as
long as it would a positive response.

Is your nss_ldap configured to use multiple DCs?

>       Some users of this kind can issue kinit, but some cannot.
>       I tried getent passwd; it gives me all the users in AD with UNIX
> attributes, even those who ended up with "user doesn't exist" in su or ssh.
>
> I am wondering, if krb5.conf can only specify one admin_server (the master
> Kerberos server), how does it handle the failover situation when this master
> server is down? Has anyone out there tried this approach and had a similar
> concern? Let's share and discuss.

AD does not have the master/slave concept, so you can point the admin_server
at any one of them. MIT 1.6.3 looks like it might find more than one
admin_server, so try it out specifying all your DCs.

>
> Thank you very much.
>
> Best,
> Jacky

--

  Douglas E. Engert  <DEEngert@...>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~

by Javier Palacios-2

>>> Only if the flag to change password on next login is enabled
>>> on AD and is honoured by pam-krb5 is the absence of extra admin servers
>>> a problem.
>
> What exactly do you mean, that pam_krb5 will not allow changing the password on next
> login when the admin server is down?

Sorry, I didn't explain well. If the admin server is down, there is no
way to change the password (at least with MIT Kerberos).
The other point is whether pam-krb5 follows the change-on-next-login thing in
the same manner as a Windows workstation does (I have never tested that).
If that is true _and_ the admin server is down, the password cannot be changed
and the login gets refused. Enable debug on pam-krb5, which is not very verbose
but allows you to pinpoint some problems.

>>> I think the problem you have is that nscd/nss-ldap allows a single ldap
>>> server to query. If the configured one is down, only users already cached are known
>>> to the system.
>
> Actually, I set two LDAP servers in /etc/ldap.conf;

Last time I looked at that, only one was allowed.

Javier Palacios

Re: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~

by Jacky Chan

Douglas E. Engert wrote:
> Sounds like either AD is not replicating, or not replicating fast enough
> for your tests. Or your krb5.conf is not pointing at all the DCs. It could
> also be that nscd has cached a negative response for some time, but not as
> long as it would a positive response.
>
> Is your nss_ldap configured to use multiple DCs?

Yes, the nscd negative response time should not be longer than the positive one.
I should clean up and reload once it times out.

I configured nss_ldap like the following; I think it should lead to using multiple DCs:
uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc

And I had also configured /etc/krb5.conf to point to multiple DCs, like:
 FAILOVER.DC = {
  kdc = w2k3dc1.failover.dc:88
  kdc = w2k3dc2.failover.dc:88
  admin_server = w2k3dc1.failover.dc:749
 }

The difference from what I found online is that they use a different admin_server compared to the kdc.
In my testing environment above, I configured one of the kdc servers to be the admin_server.
If I take down w2k3dc1.failover.dc, the failover cannot take effect; su or ssh just hangs there.
Maybe I will turn on debug mode on pam_krb5 to see the log, or set up a new w2k3dc3.failover.dc to avoid this.

Douglas E. Engert wrote:
> AD does not have the master/slave concept, so you can point the admin_server
> at any one of them. MIT 1.6.3 looks like it might find more than one
> admin_server, so try it out specifying all your DCs.

But you say I can point the admin_server to any one of the KDC servers.
That means your assumption above is not correct.
But if that is the case, how come the failover doesn't work when the admin server is down?

Where do I find MIT 1.6.3 for testing?

Thank you very much

Best,
Jacky

Re: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~

by Jacky Chan

Javier Palacios-2 wrote:
>>> Only if the flag to change password on next login is enabled
>>> on AD and is honoured by pam-krb5 is the absence of extra admin servers
>>> a problem.
>>
>> What exactly do you mean, that pam_krb5 will not allow changing the password on next
>> login when the admin server is down?
>
> Sorry, I didn't explain well. If the admin server is down, there is no
> way to change the password (at least with MIT Kerberos).
> The other point is whether pam-krb5 follows the change-on-next-login thing in
> the same manner as a Windows workstation does (I have never tested that).
> If that is true _and_ the admin server is down, the password cannot be changed
> and the login gets refused. Enable debug on pam-krb5, which is not very verbose
> but allows you to pinpoint some problems.

Yes, I got your meaning. And it does have this problem.

Javier Palacios-2 wrote:
>>> I think the problem you have is that nscd/nss-ldap allows a single ldap
>>> server to query. If the configured one is down, only users already cached are known
>>> to the system.
>>
>> Actually, I set two LDAP servers in /etc/ldap.conf;
>
> Last time I looked at that, only one was allowed.

If you use nss_ldap 253, it is allowed to configure more than one LDAP server in the uri entry.

uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc ldap://w2k3dc3.failover.dc

But you need to set bind_policy to soft to trigger immediate failover instead of waiting for nss_ldap to retry and reconnect until its default maximum is reached.
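The thread boils down to three single points of failure: one admin_server in the krb5.conf realm, one uri in nss_ldap's ldap.conf, and the default bind_policy hard that blocks on reconnects. The following is an added example (not code from the thread or from nss_ldap/MIT krb5) that parses fragments of both files and reports those conditions; the sample config text mirrors Jacky's posted fragments and is constructed here.

```python
import re

def parse_krb5_realms(text):
    """Return {REALM: {key: [values]}} from the [realms] section of a krb5.conf."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                                      # section header, e.g. [realms]
            section, realm = m.group(1), None
        elif section != 'realms':
            continue
        elif re.match(r'^\S+\s*=\s*\{$', line):    # "FAILOVER.DC = {"
            realm = line.split('=')[0].strip()
            realms[realm] = {}
        elif line == '}':
            realm = None
        elif realm and '=' in line:                # repeated keys (kdc = ...) accumulate
            k, v = (s.strip() for s in line.split('=', 1))
            realms[realm].setdefault(k, []).append(v)
    return realms

def parse_ldap_conf(text):
    """Return {keyword: [values]} from an nss_ldap /etc/ldap.conf (keyword, then values)."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split('#', 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].split() if len(parts) > 1 else []
    return conf

def failover_findings(krb5_text, ldap_text):
    """List the single points of failure discussed in the thread."""
    findings = []
    for realm, keys in parse_krb5_realms(krb5_text).items():
        if len(keys.get('kdc', [])) < 2:
            findings.append(f'{realm}: fewer than two kdc entries')
        if len(keys.get('admin_server', [])) < 2:
            findings.append(f'{realm}: single admin_server, password changes fail when it is down')
    ldap = parse_ldap_conf(ldap_text)
    if len(ldap.get('uri', [])) < 2:
        findings.append('ldap.conf: single uri, non-cached users vanish when it is down')
    if ldap.get('bind_policy', ['hard'])[0] != 'soft':   # nss_ldap defaults to hard
        findings.append('ldap.conf: bind_policy hard, lookups block on reconnects before failing over')
    return findings

# Constructed samples mirroring the configuration posted in the thread
KRB5_CONF = "[realms]\n FAILOVER.DC = {\n  kdc = w2k3dc1.failover.dc:88\n" \
            "  kdc = w2k3dc2.failover.dc:88\n  admin_server = w2k3dc1.failover.dc:749\n }\n"
LDAP_CONF = "uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc\n"
```

Running `failover_findings(KRB5_CONF, LDAP_CONF)` on the samples reports the single admin_server and the missing bind_policy soft, the two conditions the thread ended on.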