ping for kdc utility?

Wang Shouhua shouhuaw at gmail.com
Wed Apr 2 16:11:16 EDT 2014


On 2 April 2014 22:01, Tom Yu <tlyu at mit.edu> wrote:
> Wang Shouhua <shouhuaw at gmail.com> writes:
>
>> On 2 April 2014 21:46, Benjamin Kaduk <kaduk at mit.edu> wrote:
>>> On Wed, 2 Apr 2014, Wang Shouhua wrote:
>>>
>>>> Is there such a utility which can issue a "ping" (null command) to
>>>> the kdc to see if it is still responding?
>>>
>>>
>>> I'm not aware of a dedicated utility.  However, the KDC is basically a
>>> stateless UDP service, so recording a live transaction and replaying an
>>> input packet is expected to yield some sort of response packet.  Doing this
>>> periodically allows for a very primitive "liveness check" which can be used
>>> in some monitoring setups.  Of course, if one wants to monitor that the KDC
>>> is actually functioning properly and not just spewing error packets, more
>>> effort is required.
>>
>> Does the Kerberos5 core protocol have a 'null' operation?
>
> It does not, unless you count correctly formatted yet invalid KDC-REQs
> that can elicit KRB-ERROR messages.  If you don't count that, could
> you describe why having a null operation is important for your
> purposes?

To see if the KDC is still 'alive and kicking'. Apparently some
students-as-admins here spent the whole night trying to find a problem in
our Kerberos setup, and they are very exhausted. The
problem turned out to be a switch/firewall problem which caused the
KDC to stop processing requests after some time, something which could
have been diagnosed much earlier using a dedicated utility.

Wang
-- 
Wang Shouhua - shouhuaw at gmail.com
Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN