Problem with Active Directory, pam_krb5 when a domain controller is shutting down
Richard E. Silverman
res at qoxp.net
Sun Nov 16 13:34:51 EST 2008
>>>>> "HW" == Howard Wilkinson <howard at cohtech.com> writes:
HW> I am fairly sure that this is a Microsoft issue, but I am looking
HW> for a work round in the kerberos library.
HW> I have a site where one of the domain controllers is also running
HW> an Exchange 2003 instance. The controller takes about 20 minutes
HW> to shut down, but from the time when the shutdown is requested
HW> until almost the last second before the machine restarts the KDC
HW> on the machine continues to respond to requests. However, it
HW> responds with 'krb5kdc_err_c_principal_unknown' to all users. This
HW> causes pam_krb5 to error out and refuse to log in any users until
HW> the KDC has gone away, when the library fails over to an
HW> alternative domain controller and everything works as it is
HW> supposed to.
HW> I have read my way down into the kerberos library - got as far as
HW> the krb5_get_init_creds code and got stuck working out how the KDC
HW> gets selected and whether it would be possible to get the library
HW> to try more than one KDC! So I am now calling for advice.
I wouldn't want to do that -- it's like having a DNS resolver try another
nameserver if the first one returns NXDOMAIN. "No such principal" is an
authoritative response.
HW> Has anybody else seen this, have had no luck googling for this so
HW> am not thinking about it the same way as anybody else who has!
HW> Does anybody have any suggestions as to how to work round this
HW> problem - without getting Microsoft to fix their end which is a
HW> long term battle!
HW> Is this a library issue or should I be looking at the pam_krb5
HW> code to specify which KDCs to use?
Two suggestions:
* When you shut down the domain controller, manually shut down the KDC
service first.
* If that's not feasible, then force the Kerberos libraries to use the
alternative domain controller, either by pushing out a new krb5.conf
file, or removing the first DC from the DNS SRV records for the realm.
HW> Regards, Howard.
--
Richard Silverman
res at qoxp.net
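The second suggestion above (pin the clients to the surviving domain controller rather than waiting for failover) looks like this as a krb5.conf fragment for MIT Kerberos. This is an added example, not part of the original post; the realm EXAMPLE.COM and the hosts dc1.example.com and dc2.example.com are hypothetical names standing in for the site's real DCs.

```ini
# Added example, not from the original post: pins MIT Kerberos clients to the
# surviving domain controller while dc1 (the Exchange DC) is being shut down.
# The realm EXAMPLE.COM and hosts dc1/dc2.example.com are hypothetical.

[libdefaults]
    default_realm = EXAMPLE.COM
    # Stop consulting the _kerberos._tcp.EXAMPLE.COM SRV records, which
    # still advertise dc1. With this off, only the kdc = lines below are
    # tried, so the KDC that answers PRINCIPAL_UNKNOWN is never contacted.
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        # Only the DC that is staying up. Add dc1.example.com back
        # (or turn dns_lookup_kdc on again) once the restart is done.
        kdc = dc2.example.com
        admin_server = dc2.example.com
    }
```

Push this out before starting the shutdown and revert it afterwards. On MIT krb5 1.9 or later you can confirm which KDC actually receives the AS-REQ with `KRB5_TRACE=/dev/stderr kinit user@EXAMPLE.COM`; the trace names the host each request is sent to. The DNS route (dropping dc1 from the SRV records) has the same effect without touching every client, but only after the record TTL has expired on the resolvers the clients use.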