Facing slowness issue in kerberos authentication.

Greg Hudson ghudson at MIT.EDU
Thu Nov 14 11:56:03 EST 2013

On 11/14/2013 07:00 AM, kannan rbk wrote:
> I am using "kerberos 5" authentication in *Cent Os (6.4)*. I am facing
> slowness issue in kerberos authentication. Here is the trace log of a
> *kinit* operation , It took nearly a minute to authenticate.

Here are the big delays I see in the trace log:

>> [1404] 1384426591.434785: Received answer from dgram
>> [1404] 1384426601.446339: Response was not from master KDC

>> [1404] 1384426601.446454: Received cookie: MIT
>> [1404] 1384426622.457448: AS key obtained for encrypted timestamp:
>> aes256-cts/35B5

>> [1404] 1384426622.494665: Received answer from dgram
>> [1404] 1384426632.506162: Response was not from master KDC

The second delay (20 seconds) was probably waiting for the user to type
the password.  The first and third delays (ten seconds each) are
probably DNS delays looking up the SRV record for _master_kdc to
determine whether the response was from the master KDC.

You can address this by either:

1. Configuring the clients with a master_kdc entry for the realm, so
that the SRV lookups do not happen.

2. Figuring out why the SRV lookups are slow and fixing that.

More information about the Kerberos mailing list