This is perhaps a more general security question.  For those of you with a directory services installation, do you install a generic local user with sudo access in case directory services is not available?  Or do you just beef up your directory services to the point that you are confident it will almost always be up?

I usually disable root login via ssh, but allow it from the physical console, and make an emergency generic account with sudo privs in case DS breaks down.  What I've noticed, however, is if I simulate a directory services failure, ssh logins with this generic local account take an eternity as the server still tries to auth that user against ldap/kerberos first.  I'm sure this could be adjusted in pam in some way.

I was just curious how other admins approach this, and what level of trust they place in directory services being available.

--
-- -
Iain Morris
iain.t.morris@gmail.com