KDC HA Failure with krb5-1.9.1 and pam-krb5 4.4

Tom Parker tparker at cbnco.com
Fri Nov 18 14:17:57 EST 2011


Good Afternoon.

I have two KDCs and my DNS servers are pointing to both of them with 
equal weight. Both KDCs are running 1.9.1.

_kerberos._udp          IN SRV  10 0 88 <server 1>
_kerberos._udp          IN SRV  10 0 88 <server 2>

We are using Russ's pam-krb5 module version 4.4 compiled against krb 1.8.3.

The problem I have is that if I update my client from 1.8.3 to 1.9.1 my 
High Availability breaks.  A 1.9.1 client will not successfully 
authenticate if one of my KDCs is down.  My 1.8.3 clients work fine.

With both KDCs running they seem to split the work between them with 
some messages coming from one and some from the other.

/var/log/krb5/krb5kdc.log:
Nov 18 14:07:28 *server1* krb5kdc[3412](info): AS_REQ (4 etypes {18 17 
16 23}) 172.20.23.22: NEEDED_PREAUTH: tparker at LS.CBN for 
krbtgt/LS.CBN at LS.CBN, Additional pre-authentication required
Nov 18 14:07:28 *server2* krb5kdc[4044](info): AS_REQ (4 etypes {18 17 
16 23}) 172.20.23.22: ISSUE: authtime 1321643248, etypes {rep=18 tkt=18 
ses=18}, tparker at LS.CBN for krbtgt/LS.CBN at LS.CBN
Nov 18 14:07:28 *server2* krb5kdc[4044](info): TGS_REQ (4 etypes {18 17 
16 23}) 172.20.23.22: ISSUE: authtime 1321643248, etypes {rep=18 tkt=18 
ses=18}, tparker at LS.CBN for host/arudrdb.ls.cbn at LS.CBN

With one KDC shut down (krb5kdc stopped), the remaining KDC gets either 
one or two of the requests but never sends the TGS.  When doing a TCP 
dump the TGS request seems to go to the failed KDC and is not retried.

Nov 18 14:13:30 server2 krb5kdc[4044](info): AS_REQ (4 etypes {18 17 16 
23}) 172.20.23.20: NEEDED_PREAUTH: tparker at LS.CBN for 
krbtgt/LS.CBN at LS.CBN, Additional pre-authentication required
Nov 18 14:13:30 server2 krb5kdc[4044](info): AS_REQ (4 etypes {18 17 16 
23}) 172.20.23.20: ISSUE: authtime 1321643610, etypes {rep=18 tkt=18 
ses=18}, tparker at LS.CBN for krbtgt/LS.CBN at LS.CBN

/var/log/messages:
Nov 18 16:12:35 surdrdb sshd[13148]: pam_krb5(sshd:auth): 
pam_sm_authenticate: entry (0x1)
Nov 18 16:12:35 surdrdb sshd[13148]: pam_krb5(sshd:auth): (user 
tparker at LS.CBN) attempting authentication as tparker at LS.CBN
... Nothing else is logged here.

Is this a regression in krb 1.9.1 (has it been fixed in 1.9.2? This is 
not yet available in the SLES build service) or is something else going on?

Thanks

Tom Parker
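As an added example (not code from the post or from MIT krb5), the check a KDC operator can run for the setup described above: parse the _kerberos._udp SRV records, order them the way a client should per RFC 2782 (priority, then weight), and walk the list until one KDC answers, which is the failover the poster expects when one KDC is stopped. The hostnames, the constructed zone snippet and the TCP liveness probe are assumptions; the probe only works if the KDC is configured to listen on TCP (kdc_tcp_ports), and any other probe can be passed in instead.

```python
import random
import socket
# Constructed zone snippet modelled on the post; hostnames are placeholders.
SRV_ZONE = """\
_kerberos._udp          IN SRV  10 0 88 kdc1.example.test.
_kerberos._udp          IN SRV  10 0 88 kdc2.example.test.
_kerberos._udp          IN SRV  20 0 88 kdc3.example.test.
"""

def parse_srv(zone):
    """Zone-file SRV lines -> list of (priority, weight, port, target)."""
    records = []
    for f in (line.split() for line in zone.splitlines()):
        if len(f) >= 7 and f[2].upper() == "SRV":
            records.append((int(f[3]), int(f[4]), int(f[5]), f[6].rstrip(".")))
    return records

def order_srv(records, rng=random):
    """RFC 2782 order: lowest priority first, weighted random within a priority."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            if total == 0:  # all weights 0, as in the post: any order is fine
                chosen = group[rng.randrange(len(group))]
            else:
                pick, acc = rng.randrange(total), 0
                for chosen in group:
                    acc += chosen[1]
                    if acc > pick:
                        break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered

def first_answering_kdc(records, probe, rng=random):
    """Try KDCs in SRV order; return (host, port) of the first that answers, else None."""
    for _prio, _weight, port, host in order_srv(records, rng):
        if probe(host, port):
            return host, port
    return None

def tcp_probe(host, port, timeout=2.0):  # assumption: KDC listens on TCP (kdc_tcp_ports)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `first_answering_kdc(parse_srv(SRV_ZONE), tcp_probe)` against a real zone dump; if it returns None while a KDC is up, the advertised records, not the client, are the first thing to check.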