KDC name resolution question
Markus Moeller
huaraz at moeller.plus.com
Sun Feb 21 12:28:12 EST 2010
I have a Kerberos 1.4 client configured to use DNS lookup for the KDC. The
environment has 23 AD servers for the domain. Everything is resiliently
set up with 3 DNS servers. I now observe that when the first DNS server
fails, a kinit takes 80 seconds or more. Some applications using Kerberos via
pam_krb5 time out after 20 or 30 seconds or even less. I wonder what would
be the best way to configure the clients to reduce the authentication time?

When I only configure 3 servers with DNS names in krb5.conf I still get 20
second delays. A simple DNS lookup is about a second (e.g. it detects very
quickly the second working DNS server).

Is the same DNS resolution method used in the newer Kerberos releases (I
couldn't check yet)?
Thank you
Markus