disabling krb524d attempts - causes login hangs

Ken Raeburn raeburn at MIT.EDU
Fri Dec 19 09:52:09 EST 2008


On Dec 19, 2008, at 09:41, Fletcher Cocquyt wrote:
> Hi, a recent campus firewall change has caused users' Kerberos logins
> to hang on this system.  The problem has been isolated to a krb524
> attempt (which used to swiftly fail - but now tries for 60-90 seconds
> before failing).

My guess is the old firewall configuration would generate
port-unreachable errors (or let the packets through so that the KDC
could send them), which would cause an immediate failure, and now the
client just waits for a response and sees nothing.

> How can we explicitly disable the krb524 communication attempt
> (campus does not run that service)

1) Make the port-unreachable messages come back, or

2) Create SRV records for _krb524._udp.REALM listing a host name of "."
(which means "service not available", as opposed to having no SRV
records which means "no information")

Ken
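
Added example, not part of the original message: a small classifier for the two SRV states contrasted in option 2, following RFC 2782 (exactly one SRV record whose target is "." means the service is not available; no records means nothing is asserted). The realm EXAMPLE.COM, the host names and all zone lines are constructed sample data, and RFC 2782 weighted selection within a priority is left out.

```python
# Added example, not from the original post. EXAMPLE.COM and every record
# below are constructed sample data.

def parse_srv(line):
    """Parse a zone-file style SRV line -> (owner, priority, weight, port, target)."""
    fields = line.split()
    idx = [f.upper() for f in fields].index("SRV")  # TTL/class before it are optional
    prio, weight, port = (int(x) for x in fields[idx + 1:idx + 4])
    return fields[0].rstrip(".").lower(), prio, weight, port, fields[idx + 4]

def classify(zone_text, realm, service="_krb524", proto="_udp"):
    """Return (state, targets); state is 'unavailable', 'no-information' or 'available'."""
    want = f"{service}.{proto}.{realm}".lower()
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip zone-file comments
        if line and "SRV" in line.upper().split():
            rec = parse_srv(line)
            if rec[0] == want:
                records.append(rec)
    if not records:
        return "no-information", []                   # no SRV data: nothing asserted either way
    if len(records) == 1 and records[0][4] == ".":
        return "unavailable", []                      # RFC 2782: exactly one RR, target "."
    live = sorted((r for r in records if r[4] != "."), key=lambda r: r[1])
    return "available", [(r[4].rstrip(".").lower(), r[3]) for r in live]

# Constructed zone fragments, one per case.
ZONE_DISABLED = """
_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 0 0 88 kdc1.example.com.
_krb524._udp.EXAMPLE.COM.   3600 IN SRV 0 0 0 .   ; service not offered
"""
ZONE_SILENT = """
_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 0 0 88 kdc1.example.com.
"""
ZONE_ACTIVE = """
_krb524._udp.EXAMPLE.COM. IN SRV 10 0 4444 kdc2.example.com.
_krb524._udp.EXAMPLE.COM. IN SRV 0 0 4444 KDC1.example.com.
"""

if __name__ == "__main__":
    for name, zone in [("disabled", ZONE_DISABLED), ("silent", ZONE_SILENT),
                       ("active", ZONE_ACTIVE)]:
        print(name, classify(zone, "EXAMPLE.COM"))
```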


