Seeking KDC Priority/Weight Clarification/Recommendation
Ken Raeburn
raeburn at MIT.EDU
Mon Dec 15 16:33:22 EST 2008
On Dec 15, 2008, at 15:04, Mark T. Valites wrote:
> We recently saw a hardware failure on one our (non-master) KDCs that
> brought the box completely off line. Even though they are redunant/
> highly
> available on their own, the downstream ldap & shibboleth/cosign
> servers
> all immeadiately saw issues because of this, exposing the weak link
> in the
> chain.
What sort of issues?
> The O'Reilly Kerberos (The Definitive Guide) book states that
> setting the
> weight to 0 in the SRV record causes clients to choose from equal
> priority
> KDCs randomly, but doesn't explicitely say anything about when one of
> those is not available.
The MIT code will pick one KDC address to try contacting, and if it
doesn't answer within a second, it will try the next one. (Both the
config-file and DNS approaches as you described them would result in a
list of four addresses. The library code should randomize the order
of all SRV records returned with weights all zero. However, if the
config file version is used, the addresses will be tried in the order
returned by the getaddrinfo() function, and the hostnames listed in
the file, if more than one, are assumed to be in priority order so
they're not randomized.)
So if you're getting random or rotating ordering of address records
returned, then with one server (address) of four unreachable, one
quarter of the time you should see a delay of a second. If
getaddrinfo() or your DNS cache is being clever and trying to give you
an order optimized for proximity or some such, you may see delays more
often or less often, but the delay should still be no more than a
second. If it is, you could try monitoring the network traffic with
tcpdump and see what it's doing in terms of trying to reach the
various KDCs.
A significantly longer delay should only come up if no KDC is
responding.
(A minor point: You might want to put a dot at the end of the KDC
names in your config file, to prevent the use of domain search paths,
just in case.)
> The book also indicates that setting priorities on the KDCs will
> cause the
> client to try the next highest one if the first is not available,
> but to
> me this implies that there would always be one KDC hit hardest.
That's correct.
> Can the krb5.conf file/SRV record be configued to make the clients
> fallback to one of the other KDCs if the first one tried is not
> available,
> without always favoring the one(s) with the lowest priority numbered
> one?
As noted above, that should be the behavior...
Ken
More information about the Kerberos
mailing list