disabling krb524d attempts - causes login hangs
Ken Raeburn
raeburn at MIT.EDU
Fri Dec 19 09:52:09 EST 2008
On Dec 19, 2008, at 09:41, Fletcher Cocquyt wrote:
> Hi, a recent campus firewall change has caused users' Kerberos
> logins to hang on this system. The problem has been isolated to a
> krb524 attempt (which used to swiftly fail - but now tries for
> 60-90 seconds before failing).
My guess is the old firewall configuration would generate
port-unreachable errors (or let the packets through so that the KDC
could send them), which would cause an immediate failure, and now the
client just waits for a response and sees nothing.
> How can we explicitly disable the krb524 communication attempt
> (campus does not run that service)
1) Make the port-unreachable messages come back, or
2) Create SRV records for _krb524._udp.REALM listing a host name of
"." (which means "service not available", as opposed to having no SRV
records which means "no information")
Ken
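
Added example, not part of the original message: the SRV record from option 2 as a zone-file line, plus a small check that tells "service not available" (a single record with target ".", per RFC 2782) apart from "no information" (no SRV records). EXAMPLE.COM, kdc1.example.com and the function name classify_srv are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; EXAMPLE.COM is a placeholder realm, not from the post.
#
# Zone-file record for option 2. With a target of "." the priority,
# weight and port fields carry no meaning, so they are set to 0:
#
#   _krb524._udp.EXAMPLE.COM.  IN SRV 0 0 0 .
#
# classify_srv reads `dig +short SRV <name>` output on stdin
# (one "priority weight port target" line per record) and prints:
#   unavailable     exactly one record and its target is "."
#   no-information  no SRV records at all
#   hosts           one or more records naming real targets
classify_srv() {
    awk '
        NF == 4 { n++; if ($4 == ".") dot++ }
        END {
            if (n == 0)                  print "no-information"
            else if (n == 1 && dot == 1) print "unavailable"
            else                         print "hosts"
        }'
}

# Live check (needs DNS access, so it is left commented out):
#   dig +short SRV _krb524._udp.EXAMPLE.COM | classify_srv

# Constructed samples of `dig +short` output, so the script runs offline.
printf '0 0 0 .\n' | classify_srv
printf '' | classify_srv
printf '0 0 4444 kdc1.example.com.\n' | classify_srv
```

Run the live check from the affected client so the answer reflects the resolver that client actually uses.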