#1
We currently have all of our Linux servers using PAM to our DC (DC1) running 2003 R2.

I currently brought up a second 2003 R2 (DC2) to start building it to swap and replace a 2000 DC; it has been Dcpromo'd and I will change IP and name when I demote the original DC.

Now that the second DC is up (temp name and IP), all PAM requests are now hitting DC2, even though the ldap.conf is set only to look at DC1.

Now I want to shut down DC2 and move it to the final rack to start the swap. But as soon as I take DC2 down, all the Linux boxes fail on PAM.

Thoughts?!

-Mark

/etc/ldap.conf
-------------
host dc1.domain.com
base dc=domain,dc=com
ldap_version 3
binddn cn=LDAP Bind User,ou=Restricted Users,dc=domain,dc=com

/etc/ldap/ldap.conf
----------------------------
BASE dc=domain,dc=com
URI ldaps://dc1.domain.com
HOST dc1.domain.com
TLS_CACERT /etc/openldap/cacerts/adcert.pem
TLS_REQCERT never
binddn "cn=LDAP Bind User,ou=Restricted Users,dc=domain,dc=com"
bindpwd ldap

mjenks@netnet.net
#2
In news:(E-Mail Removed), (E-Mail Removed) <(E-Mail Removed)> stated, which I commented on below:

> We currently have all of our Linux servers using Pam to our DC (DC1)
> running 2003 R2.
>
> I currently brought up a second 2003 R2 (DC2) to start building it to
> swap and replace a 2000 DC, it has been Dcpromo'd and I will change IP
> and Name when I demote the original DC.
>
> Now that the second DC is up (Temp name and IP), all Pam requests are
> now hitting DC2. Even though the ldap.conf is set only to look at
> DC1.
>
> Now I want to shutdown DC2, and move it to the final rack to start the
> swap.
>
> But as soon as I take DC2 down, all the Linux boxes fail on Pam.
>
> Thoughts?!
>
> -Mark
>
> /etc/ldap.conf
> -------------
> host dc1.domain.com
> base dc=domain,dc=com
> ldap_version 3
> binddn cn=LDAP Bind User,ou=Restricted Users,dc=domain,dc=com
>
> /etc/ldap/ldap.conf
> ----------------------------
> BASE dc=domain,dc=com
> URI ldaps://dc1.domain.com
> HOST dc1.domain.com
> TLS_CACERT /etc/openldap/cacerts/adcert.pem
> TLS_REQCERT never
> binddn "cn=LDAP Bind User,ou=Restricted Users,dc=domain,dc=com"
> bindpwd ldap

I remember a similar issue with OS X and AD when we had to bind it to AD. I believe it was when we kerberized it we had to state that in the process, but it was so long ago and I can't remember.

Just going by some memory on this and guidelines, we needed to kerberize it so it would allow and force authentication for resource access from Mac users through AD using a specific DC and not OS X.

Was the Unix box kerberized?

But honestly, I can't help much more than this because it was a while ago, and I am not familiar with what PAM (Pluggable Authentication Modules) is or how it works.

Here are some hits I found in Google that may help you:
http://www.google.com/search?sourcei...ng+wrong+AD+DC

I hope my comments may guide you in the right direction.

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post? Instead of the website you're using, I suggest using OEx (Outlook Express or any other newsreader) and configuring a news account pointing to news.microsoft.com. This is a direct link to the Microsoft Public Newsgroups. It is FREE and requires NO ISP Usenet account. OEx allows you to easily find and track threads, cross-post, and sort by date, poster's name, watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."
The only constant in life is change...