KDC name resolution question
Markus Moeller
huaraz at moeller.plus.com
Mon Feb 22 15:14:44 EST 2010
"John Washington" <jawashin at illinois.edu> wrote in message
news:20100222022751.GB24883 at kyoto.cites.uiuc.edu...
>* Markus Moeller <huaraz at moeller.plus.com> [2010-02-21 12:55]:
>> I have a Kerberos 1.4 client configured to use DNS lookup for kdc. The
>> environment has 23 AD servers for the domain. Everything is resiliently
>> setup with 3 DNS servers. I now observe that when the first DNS server
>> fails a kinit takes 80 seconds or more.
>
> DNS server, or domain controller, or both? Sounds like you may be
> getting double timeouts (DNS timeout then Kerberos timeout). I would
> try to have different orders for DNS servers and kerberos servers if
> they are hosted on the same hardware:
>
No it is only DNS. The DNS server is not the same as the AD server and when
I look at the traffic I don't see any Kerberos traffic for 80 seconds only
DNS traffic.
> DNS:
>
> server1
> server2
> server3
>
> kerberos:
>
> server2
> server3
> server1
>
>> Some applications using Kerberos via pam_krb5 time out after 20 or 30
>> seconds or even less. I wonder what would be the best way to configure
>> the clients to reduce the authentication time?
>> When I only configure 3 servers with DNS names in krb5.conf I still get
>> 20-second delays. A simple DNS lookup is about a second (e.g. it detects
>> very quickly the second working DNS server).
>
> You will always get downtime if there isn't a response back, as both DNS
> and Kerberos will ask in serial to minimize network chatter. 3 servers
> will look the same as 300 if only the primary host is down. Caching DNS
> libraries also alter the behavior for DNS, as the normal DNS downtime may
> have been absorbed somewhere else (the library drops the first server
> after a resolution failure), or it may be using a previously seen address.
>
>>
>> Is the same DNS resolution method used in the newer Kerberos releases (I
>> couldn't check yet) ?
>
> DNS is handled by the operating system libraries. This means that
> caching and other behaviors are controlled by your environment.
>
Yes, but the Kerberos library has the logic of reverse DNS if I remember
right, and it looks like the library does all the DNS before attempting
Kerberos, instead of doing DNS for the first server, trying Kerberos and, if
that fails, doing the reverse lookup of the second server.
>>
>> Thank you
>> Markus
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
> John Washington Network Security Officer,
> University of Illinois Urbana-Champaign
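The configuration the thread is circling around, as an added example that is
not from either poster: a krb5.conf that takes DNS out of the KDC-discovery
path entirely, so the first AS-REQ can go out before any resolver timeout is
paid. The realm name and the 192.0.2.x addresses are placeholders, and the
rdns setting is an assumption for newer releases than the 1.4 client above
(check the krb5.conf man page of the version in use).

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    # No SRV discovery of KDCs or realm: with DNS discovery on, every SRV,
    # A and reverse lookup that starts at a dead resolver costs a full
    # resolver timeout before the library even tries a KDC.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Skip the reverse lookup of service hosts when canonicalizing principal
    # names (assumption: option present in releases newer than 1.4).
    rdns = false

[realms]
    EXAMPLE.COM = {
        # Addresses rather than names, so no forward lookup is needed
        # before the first KDC is contacted. Placeholder addresses; pick
        # three or four nearby domain controllers out of the 23.
        kdc = 192.0.2.10
        kdc = 192.0.2.11
        kdc = 192.0.2.12
        admin_server = 192.0.2.10
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Two practical notes. First, listing the kdc entries by name instead of
address brings the problem back in smaller form: each name still needs an A
lookup, and the glibc resolver starts every query at the first nameserver
(default timeout:5, attempts:2), which is consistent with the 20-second
delays seen with three named servers. If the names must stay, the cheaper
fix is on the resolver side, e.g. `options timeout:1 attempts:1 rotate` in
/etc/resolv.conf, which caps the cost of a dead first resolver at about a
second per query. Second, turning off DNS discovery means the KDC list is
now maintained by hand on every client, so it should be pushed out with
whatever configuration management already owns krb5.conf.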