I love how BigCorp(tm) think it's a great idea to use a Windows domain controller (ADS/KRB5) to authenticate their Linux users against.
What a marvelous idea! It means we can all have a single password throughout the organization!
It sounds great in a perfect world, where:
- Networks/interfaces don't fail.
- Accounts are not locked out when a user attempts to authenticate more than once every 5 seconds (really nasty when attempting to do something like: for i in `cat hosts.txt`; do ssh $i /bin/something; done )
- Machines and the DC don't always match up time (particularly across large subnets/regions/physical locations).
The one that gets me....
- Lose connectivity to the subnet that contains the Windows Domain Controllers.
- Customer raises issue 'Can't login'.
- Customer expects us to 'fix the issue'.
- We can't even log in (even on the console as root with a local password), as the PAM config specifies it needs to check the KRB5 realms.
- Customer gets narky.
- Customer is aware of the issue, but refuses to acknowledge it as a problem.
The solution... sit it out until hopefully the network comes back. Failing that.. a reboot using the boot option of 'single'. That's if the customer allows you to reboot the machine.
The joys of corporate stupidity. *sigh*
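
Added example, not part of the original post: a simplified model of how a PAM auth stack resolves, showing why a Kerberos-only stack rejects a correct local root password while the KDC is unreachable, and how listing pam_unix first as sufficient keeps the local password working. Both stacks and the per-module outcomes are constructed assumptions; only the four keyword controls are modelled.

```python
# Simplified PAM "auth" stack evaluator (added example, not the post's config).
KEYWORDS = {"required", "requisite", "sufficient", "optional"}

# Constructed stacks, assumed for illustration.
KRB5_ONLY = "auth required pam_krb5.so\n"
LOCAL_FALLBACK = """\
auth sufficient pam_unix.so
auth sufficient pam_krb5.so use_first_pass
auth required   pam_deny.so
"""

# Constructed scenarios: which modules would accept the typed password.
ROOT_KDC_DOWN = {"pam_unix.so": True, "pam_krb5.so": False}
DOMAIN_KDC_UP = {"pam_unix.so": False, "pam_krb5.so": True}


def parse(stack):
    """Yield (control, module) for every auth line in the stack text."""
    for line in stack.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        if fields[1] not in KEYWORDS:
            # [success=1 default=ignore], include, substack are not modelled
            raise ValueError("control not modelled: " + line.strip())
        yield fields[1], fields[2]


def evaluate(stack, outcomes):
    """Return True if authentication succeeds for the given module outcomes."""
    failed = passed = False
    for control, module in parse(stack):
        ok = outcomes.get(module, False)  # pam_deny and unknown modules fail
        if ok:
            if control == "sufficient" and not failed:
                return True               # stops here, later modules skipped
            passed = True
        elif control == "requisite":
            return False                  # fails immediately
        elif control == "required":
            failed = True                 # stack continues, result is fixed
        # a failed sufficient/optional module is ignored
    return passed and not failed


if __name__ == "__main__":
    for name, stack in (("krb5-only", KRB5_ONLY), ("fallback", LOCAL_FALLBACK)):
        print(name, "root login during KDC outage:",
              evaluate(stack, ROOT_KDC_DOWN))
```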