KDC HA Failure with krb5-1.9.1 and pam-krb5 4.4

Russ Allbery rra at stanford.edu
Fri Nov 18 16:13:15 EST 2011


Tom Parker <tparker at cbnco.com> writes:

> Good Afternoon.

> I have two KDCs and my DNS servers are pointing to both of them with
> equal weight.  Both KDCs are running 1.9.1.

> _kerberos._udp          IN SRV  10 0 88 <server 1>
> _kerberos._udp          IN SRV  10 0 88 <server 2>

> We are using Russ's pam-krb5 module version 4.4 compiled against krb
> 1.8.3.

> The problem I have is that if I update my client from 1.8.3 to 1.9.1 my
> High Availability breaks.  A 1.9.1 client will not successfully
> authenticate if one of my KDCs is down.  My 1.8.3 clients work fine.

Just to double-check, you don't set dns_lookup_kdc to false in your
krb5.conf file, do you?

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
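
Added example, not part of the original message or of any project's code: a small checker that answers the question above for a given krb5.conf, reporting whether KDCs for a realm would come from static `kdc` entries, from the `_kerberos._udp` SRV records, or from nowhere because `dns_lookup_kdc` is off. The realm, host names and sample files are constructed, and treating an unset `dns_lookup_kdc` as enabled is an assumption that depends on how the library was built.

```python
import re

# Values read as "false" here; assumed spellings, adjust for your krb5 build.
FALSE_WORDS = {"false", "no", "off", "0", "n", "f", "nil"}

def kdc_discovery(conf_text, realm):
    """Return (source, targets): how a client would locate KDCs for realm."""
    section, subsection = None, None
    dns_lookup_kdc = None          # None means "not set in [libdefaults]"
    static_kdcs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                # new top-level section
            section, subsection = m.group(1), None
            continue
        if line == "}":                      # end of a realm block
            subsection = None
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            continue
        if value == "{":                     # "REALM = {" opens a realm block
            subsection = key
        elif section == "libdefaults" and key == "dns_lookup_kdc":
            dns_lookup_kdc = value.lower() not in FALSE_WORDS
        elif section == "realms" and subsection == realm and key == "kdc":
            static_kdcs.append(value)
    if static_kdcs:                          # listed KDCs are used before DNS
        return ("static", static_kdcs)
    if dns_lookup_kdc is False:              # no list and DNS lookup disabled
        return ("none", [])
    return ("dns-srv", ["_kerberos._udp." + realm])

# Constructed sample configurations (not taken from the thread).
SAMPLE_DISABLED = "[libdefaults]\n default_realm = EXAMPLE.COM\n dns_lookup_kdc = false\n"
SAMPLE_STATIC = (SAMPLE_DISABLED +
    "[realms]\n EXAMPLE.COM = {\n  kdc = kdc1.example.com\n  kdc = kdc2.example.com\n }\n")
SAMPLE_DEFAULT = "[libdefaults]\n default_realm = EXAMPLE.COM\n"

if __name__ == "__main__":
    for name in ("SAMPLE_DISABLED", "SAMPLE_STATIC", "SAMPLE_DEFAULT"):
        print(name, kdc_discovery(globals()[name], "EXAMPLE.COM"))
```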


