Problem with Active Directory, pam_krb5 when a domain controller is shutting down

Howard Wilkinson howard at cohtech.com
Sun Nov 16 12:21:03 EST 2008


I am fairly sure that this is a Microsoft issue, but I am looking for a 
workaround in the Kerberos library.

I have a site where one of the domain controllers is also running an 
Exchange 2003 instance. The controller takes about 20 minutes to shut 
down, but from the time when the shutdown is requested until almost the 
last second before the machine restarts the KDC on the machine continues 
to respond to requests. However, it responds with 
'krb5kdc_err_c_principal_unknown' to all users. This causes pam_krb5 to 
error out and refuse to log in any users until the KDC has gone away, 
when the library fails over to an alternative domain controller and 
everything works as it is supposed to.

I have read my way down into the Kerberos library - got as far as the 
krb5_get_init_creds code and got stuck working out how the KDC gets 
selected and whether it would be possible to get the library to try more 
than one KDC! So I am now calling for advice.

Has anybody else seen this? I have had no luck googling for this, so I am 
not thinking about it the same way as anybody else who has!

Does anybody have any suggestions as to how to work around this problem - 
without getting Microsoft to fix their end, which is a long-term battle!

Is this a library issue, or should I be looking at the pam_krb5 code to 
specify which KDCs to use?

Regards, Howard.
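The failure mode in the post is that the client only fails over when a KDC stops answering, not when it answers with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (error code 6 in RFC 4120). The following is an added illustration, not code from the post or from the MIT Kerberos library: it models the two KDC-selection policies as plain Python over a constructed, in-memory "transport" so the difference can be exercised offline. The KDC names, the transport function and the policy functions are all made up for the example; the real library's krb5_get_init_creds / KDC-contact code is not reproduced here.

```python
"""Model of KDC failover behaviour when one domain controller is shutting down.

Constructed example. Two client-side policies are compared:
  * contact_kdcs_default: move to the next KDC only when the current one
    does not answer at all (the behaviour the post describes).
  * contact_kdcs_retry_on_unknown: additionally treat a
    KDC_ERR_C_PRINCIPAL_UNKNOWN answer as a reason to try the next KDC,
    and only report that error if every reachable KDC agrees.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple, Union

# RFC 4120 KRB-ERROR code for "client principal unknown".
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6


@dataclass(frozen=True)
class KdcReply:
    """Minimal stand-in for an AS-REP (error_code 0) or a KRB-ERROR."""
    error_code: int


class KdcUnreachable(Exception):
    """Raised by the transport when a KDC does not answer at all."""


# A transport maps a KDC name to a reply or raises KdcUnreachable.
Transport = Callable[[str], KdcReply]


def contact_kdcs_default(kdcs: Sequence[str], send: Transport) -> Tuple[str, KdcReply]:
    """Transport-only failover: the first KDC that answers wins, whatever it says."""
    for kdc in kdcs:
        try:
            return kdc, send(kdc)
        except KdcUnreachable:
            continue  # no answer: fall through to the next KDC
    raise KdcUnreachable("no KDC in the list answered")


def contact_kdcs_retry_on_unknown(kdcs: Sequence[str], send: Transport) -> Tuple[str, KdcReply]:
    """Also retry on C_PRINCIPAL_UNKNOWN so a single misbehaving KDC cannot block logins.

    A genuine unknown principal is still reported: if every reachable KDC
    returns code 6, the last such reply is returned unchanged.
    """
    last_unknown = None
    for kdc in kdcs:
        try:
            reply = send(kdc)
        except KdcUnreachable:
            continue
        if reply.error_code != KDC_ERR_C_PRINCIPAL_UNKNOWN:
            return kdc, reply  # success, or some other error worth surfacing
        last_unknown = (kdc, reply)
    if last_unknown is None:
        raise KdcUnreachable("no KDC in the list answered")
    return last_unknown


def disagreeing_kdcs(kdcs: Sequence[str], send: Transport) -> List[str]:
    """Health signal for operators: KDCs that return code 6 while another KDC succeeds.

    A KDC that answers 'principal unknown' for a user another KDC accepts is
    exactly the shutting-down controller described in the post; logging this
    set lets it be pulled from the client's KDC list before users notice.
    """
    results: Dict[str, int] = {}
    for kdc in kdcs:
        try:
            results[kdc] = send(kdc).error_code
        except KdcUnreachable:
            pass
    if 0 not in results.values():
        return []  # nobody succeeded, so there is no disagreement to report
    return [k for k, code in results.items() if code == KDC_ERR_C_PRINCIPAL_UNKNOWN]


def make_transport(state: Dict[str, Union[int, str]]) -> Transport:
    """Build a fake transport from a constructed per-KDC state table.

    Values are an integer error code (0 = success) or the string "down".
    """
    def send(kdc: str) -> KdcReply:
        status = state[kdc]
        if status == "down":
            raise KdcUnreachable(kdc)
        return KdcReply(error_code=int(status))
    return send


if __name__ == "__main__":
    # Constructed scenario from the post: dc1 is shutting down and answers
    # every request with code 6; dc2 is healthy.
    kdcs = ["dc1.example.test", "dc2.example.test"]
    send = make_transport({"dc1.example.test": 6, "dc2.example.test": 0})
    print("default:", contact_kdcs_default(kdcs, send))
    print("retry  :", contact_kdcs_retry_on_unknown(kdcs, send))
    print("suspect:", disagreeing_kdcs(kdcs, send))
```

Running it shows the default policy returning dc1's error (and hence a refused login) while the retry policy reaches dc2 and succeeds. The cost of the retry policy is one extra round trip for principals that are genuinely unknown, which is why the disagreement check is the more useful operational signal: a KDC that disagrees with its peers about existing users should be taken out of the client's list until it has finished restarting.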
