KDC HA Failure with krb5-1.9.1 and pam-krb5 4.4
Tom Parker
tparker at cbnco.com
Fri Nov 18 14:17:57 EST 2011
Good Afternoon.
I have two KDCs and my DNS servers are pointing to both of them with
equal weight. Both KDCs are running 1.9.1.
_kerberos._udp IN SRV 10 0 88 <server 1>
_kerberos._udp IN SRV 10 0 88 <server 2>
We are using Russ's pam-krb5 module version 4.4 compiled against krb 1.8.3.
The problem I have is that if I update my client from 1.8.3 to 1.9.1 my
High Availability breaks. A 1.9.1 client will not successfully
authenticate if one of my KDCs is down. My 1.8.3 clients work fine.
With both KDCs running they seem to split the work between them with
some messages coming from one and some from the other.
/var/log/krb5/krb5kdc.log:
Nov 18 14:07:28 *server1* krb5kdc[3412](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.22: NEEDED_PREAUTH: tparker at LS.CBN for krbtgt/LS.CBN at LS.CBN, Additional pre-authentication required
Nov 18 14:07:28 *server2* krb5kdc[4044](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.22: ISSUE: authtime 1321643248, etypes {rep=18 tkt=18 ses=18}, tparker at LS.CBN for krbtgt/LS.CBN at LS.CBN
Nov 18 14:07:28 *server2* krb5kdc[4044](info): TGS_REQ (4 etypes {18 17 16 23}) 172.20.23.22: ISSUE: authtime 1321643248, etypes {rep=18 tkt=18 ses=18}, tparker at LS.CBN for host/arudrdb.ls.cbn at LS.CBN
With one KDC shut down (krb5kdc stopped), the remaining KDC gets either
one or two of the requests but never sends the TGS. When doing a TCP
dump the TGS request seems to go to the failed KDC and is not retried.
Nov 18 14:13:30 server2 krb5kdc[4044](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.20: NEEDED_PREAUTH: tparker at LS.CBN for krbtgt/LS.CBN at LS.CBN, Additional pre-authentication required
Nov 18 14:13:30 server2 krb5kdc[4044](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.20: ISSUE: authtime 1321643610, etypes {rep=18 tkt=18 ses=18}, tparker at LS.CBN for krbtgt/LS.CBN at LS.CBN
/var/log/messages:
Nov 18 16:12:35 surdrdb sshd[13148]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
Nov 18 16:12:35 surdrdb sshd[13148]: pam_krb5(sshd:auth): (user tparker at LS.CBN) attempting authentication as tparker at LS.CBN
... Nothing else is logged here.
Is this a regression in krb 1.9.1 (has it been fixed in 1.9.2? That version is
not yet available in the SLES build service), or is something else going on?
Thanks
Tom Parker
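As an added example (not part of Tom's post or of MIT krb5), a small Python script that parses krb5kdc.log records of the form quoted above and flags clients that were issued a TGT but never had a service ticket issued by any KDC afterwards, which is the symptom described when one KDC is stopped. It assumes the logs of both KDCs have been merged into one stream; the sample log is constructed from the post's excerpts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the krb5kdc.log lines quoted in the post, once the lines wrapped by
# the mail archive have been re-joined.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<client>[\d.]+): (?P<status>[A-Z_]+)[:,]"
)

def parse_kdc_log(lines):
    """Yield (timestamp, kdc, request_type, client_ip, status) per matching line."""
    for line in lines:
        m = KDC_LINE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                   m["kdc"], m["req"], m["client"], m["status"])

def find_stalled_logins(lines, window_s=30):
    """Return (client_ip, kdc, time) for every TGT issuance (AS_REQ ISSUE) that
    no KDC followed with a TGS_REQ ISSUE from the same client within window_s
    seconds. With the logs of all KDCs merged, that gap is the symptom in the
    post: the TGS request went to the stopped KDC and was never retried."""
    by_client = defaultdict(list)
    for ev in parse_kdc_log(lines):
        by_client[ev[3]].append(ev)
    stalled = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e[0])
        for i, (ts, kdc, req, _, status) in enumerate(events):
            if req != "AS_REQ" or status != "ISSUE":
                continue
            if not any(e[2] == "TGS_REQ" and e[4] == "ISSUE"
                       and (e[0] - ts).total_seconds() <= window_s
                       for e in events[i + 1:]):
                stalled.append((client, kdc, ts.strftime("%b %d %H:%M:%S")))
    return stalled

# Constructed sample modelled on the post's excerpts (real logs print '@'
# where the mail archive shows ' at '); the second client never gets a TGS.
SAMPLE_LOG = """\
Nov 18 14:07:28 server1 krb5kdc[3412](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.22: NEEDED_PREAUTH: tparker@LS.CBN for krbtgt/LS.CBN@LS.CBN, Additional pre-authentication required
Nov 18 14:07:28 server2 krb5kdc[4044](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.22: ISSUE: authtime 1321643248, etypes {rep=18 tkt=18 ses=18}, tparker@LS.CBN for krbtgt/LS.CBN@LS.CBN
Nov 18 14:07:28 server2 krb5kdc[4044](info): TGS_REQ (4 etypes {18 17 16 23}) 172.20.23.22: ISSUE: authtime 1321643248, etypes {rep=18 tkt=18 ses=18}, tparker@LS.CBN for host/arudrdb.ls.cbn@LS.CBN
Nov 18 14:13:30 server2 krb5kdc[4044](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.20: NEEDED_PREAUTH: tparker@LS.CBN for krbtgt/LS.CBN@LS.CBN, Additional pre-authentication required
Nov 18 14:13:30 server2 krb5kdc[4044](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.20: ISSUE: authtime 1321643610, etypes {rep=18 tkt=18 ses=18}, tparker@LS.CBN for krbtgt/LS.CBN@LS.CBN
""".splitlines()
```

Running `find_stalled_logins(SAMPLE_LOG)` reports only the 172.20.23.20 login, matching the post's second excerpt where the surviving KDC issued the TGT but never saw a TGS request.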