Alright I see what's going on. The NssDirectoryService is required by the DirectoryService class to support three methods:

    recordTypes()
    listRecords()
    recordWithShortName()

My server is configured to use files and LDAP for NSS calls. We have several thousand users in our LDAP directory and implement the default limit of 500 search results. As a result 'getent passwd' returns a subset of all valid accounts (not including the 'benp' account).

'getent passwd benp' returns the entry for the 'benp' account just fine; and when I manually add the result of 'getent passwd benp' to /etc/passwd I'm finally able to connect with Lightning via Kerberos/Negotiate auth as 'benp'. The principal is autocreated and I'm able to read and write to the calendar.

But a DirectoryService subclass is required to support a function (listRecords) that returns *all* valid accounts. This just isn't compatible with our NSS environment. I think I might take a stab at writing a generic LDAPDirectoryService using your NssDirectoryService as an example.

So in the end this isn't really a bug with NssDirectoryService; but it's probably worth noting in the documentation that NssDirectoryService will only work properly within an environment where *all* valid users can be retrieved via the equivalent of 'getent passwd'.

Sorry for the trouble, and thanks for your time!

Ben

--
________________________________________________________________________
PGP fingerprint: A131 F813 7A0F C5B7 E74D C972 9118 A94D 6AF5 2019
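
An added example, not part of the original message or of the CalendarServer code: a Python check for the condition described above, where an account resolves by name but is missing from full NSS enumeration. The function name `enumeration_gaps`, the helper names and the sample directory are constructed for illustration; on a real host the defaults call `pwd.getpwall()` and `pwd.getpwnam()`.

```python
import pwd

SIZE_LIMIT = 500  # the search-result limit the message describes


def enumeration_gaps(names, enumerate_all=pwd.getpwall, lookup=pwd.getpwnam):
    """Classify accounts that full enumeration does not return.

    Returns (hidden, missing): 'hidden' names resolve by direct lookup but
    are absent from enumeration (the 'benp' case); 'missing' names do not
    resolve at all.
    """
    listed = {entry.pw_name for entry in enumerate_all()}
    hidden, missing = [], []
    for name in names:
        if name in listed:
            continue
        try:
            lookup(name)
        except KeyError:  # pwd.getpwnam raises KeyError for unknown names
            missing.append(name)
        else:
            hidden.append(name)
    return hidden, missing


def make_entry(name, uid):
    # Constructed passwd entry: (name, passwd, uid, gid, gecos, dir, shell).
    return pwd.struct_passwd((name, "x", uid, uid, "", "/home/" + name, "/bin/sh"))


# Constructed directory: 1200 accounts, with 'benp' past the first 500.
DIRECTORY = {f"user{i:04d}": make_entry(f"user{i:04d}", 10000 + i) for i in range(1199)}
DIRECTORY["benp"] = make_entry("benp", 20000)


def limited_enumerate():
    # Stands in for enumeration truncated by the directory's size limit.
    return list(DIRECTORY.values())[:SIZE_LIMIT]


def direct_lookup(name):
    # Stands in for a by-name lookup; raises KeyError like pwd.getpwnam.
    return DIRECTORY[name]


if __name__ == "__main__":
    wanted = ["user0001", "benp", "nosuchuser"]
    print(enumeration_gaps(wanted, limited_enumerate, direct_lookup))
```

Any name reported as hidden is an account that a directory service built on full enumeration would not see, even though a by-name lookup succeeds for it.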