Problem with Active Directory, pam_krb5 when a domain controller is shutting down
Howard Wilkinson
howard at cohtech.com
Sun Nov 16 12:21:03 EST 2008
I am fairly sure that this is a Microsoft issue, but I am looking for a
workaround in the Kerberos library.
I have a site where one of the domain controllers is also running an
Exchange 2003 instance. The controller takes about 20 minutes to shut
down, but from the time when the shutdown is requested until almost the
last second before the machine restarts the KDC on the machine continues
to respond to requests. However, it responds with
'krb5kdc_err_c_principal_unknown' to all users. This causes pam_krb5 to
error out and refuse to log in any users until the KDC has gone away,
when the library fails over to an alternative domain controller and
everything works as it is supposed to.
I have read my way down into the Kerberos library - got as far as the
krb5_get_init_creds code and got stuck working out how the KDC gets
selected and whether it would be possible to get the library to try more
than one KDC! So I am now calling for advice.
Has anybody else seen this? I have had no luck googling for this, so I am
not thinking about it the same way as anybody else who has!
Does anybody have any suggestions as to how to work around this problem -
without getting Microsoft to fix their end, which is a long-term battle!
Is this a library issue or should I be looking at the pam_krb5 code to
specify which KDCs to use?
Regards, Howard.
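The failure described above comes down to how a client walks its KDC list. The following is an added model written for this post, not MIT krb5's or pam_krb5's own code; it assumes the usual client rule that only a transport failure (no answer) moves on to the next KDC, while any parsed KRB-ERROR is taken as the realm's answer. Hostnames and responders are constructed.

```python
# Constructed model (not library code) of a Kerberos client walking its KDC list
# for an AS-REQ: a KDC that does not answer is skipped, but a KDC that replies with
# KRB-ERROR ends the search, so a DC that is still listening while it shuts down
# and answers C_PRINCIPAL_UNKNOWN masks the healthy DC next in line.

from dataclasses import dataclass
from typing import Callable, List, Optional

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # KRB-ERROR code from RFC 4120


class Timeout(Exception):
    """Models a KDC that gives no reply (host down, port closed)."""


@dataclass
class Result:
    kdc: Optional[str]      # KDC whose reply decided the outcome; None if none answered
    error: Optional[int]    # KRB-ERROR code, or None for a successful AS-REP
    tried: List[str]        # KDCs contacted, in order


def get_init_creds(kdcs: List[str], send: Callable[[str], Optional[int]]) -> Result:
    """Try each KDC in order. send(kdc) returns None for a good reply, an error
    code for a KRB-ERROR reply, or raises Timeout when the KDC is unreachable."""
    tried: List[str] = []
    for kdc in kdcs:
        tried.append(kdc)
        try:
            err = send(kdc)
        except Timeout:
            continue                     # transport failure: fail over to the next KDC
        return Result(kdc, err, tried)   # any parsed reply, error or not, ends the search
    return Result(None, None, tried)     # nothing answered: "cannot contact any KDC"


# Constructed responders for the phases described in the post.
def dc_shutting_down(kdc: str) -> Optional[int]:
    return KDC_ERR_C_PRINCIPAL_UNKNOWN   # still listening, rejects every principal


def dc_gone(kdc: str) -> Optional[int]:
    raise Timeout()                      # shutdown finished, port no longer answers


def dc_healthy(kdc: str) -> Optional[int]:
    return None                          # normal AS-REP


def scenario(first_dc: Callable[[str], Optional[int]]) -> Result:
    responders = {"dc1.example.com": first_dc, "dc2.example.com": dc_healthy}
    return get_init_creds(list(responders), lambda k: responders[k](k))
```

The model shows why the login failure lasts exactly as long as the shutting-down DC keeps answering: which KDC is asked first is decided by the client's KDC list (krb5.conf or DNS SRV lookup), not by a retry on error.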