More than 2 failed master_kdc servers cause errors

Greg Hudson ghudson at mit.edu
Mon Aug 7 19:06:58 EDT 2017


On 08/07/2017 05:51 PM, pgb205 wrote:
> It seems like kerberos is ok with encountering one failed master_kdc but
> not two or more.

From the trace output, I think resolving server2 is encountering an
unusual error, which unfortunately manifests as EINVAL ("Invalid
argument") in our code.  That error does trigger the fallback to
master_kdc (though with better error handling it would not); during that
fallback, the same error occurs when it hits server2 and is then
reported to the client.  If you comment out "master_kdc=server2", then
that server is skipped during the master_kdc fallback and you get an
answer from server3.

The most reliable way to figure out what's going wrong is to step
through the kinit process in a debugger, focusing on resolve_server() in
lib/krb5/os/sendto_kdc.c.  That approach will only work well if you
rebuild the code with debugging symbols and without optimization.

If that isn't an easy option, you might be able to get some useful
information with "ltrace -e getaddrinfo kinit ..." to see if
getaddrinfo() is returning an error.
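As an added diagnostic example (not code from the original message or from MIT krb5), a Python check that resolves every kdc and master_kdc host from a constructed realm stanza and reports which ones getaddrinfo() rejects; the hostnames and the stanza are placeholders, and the resolver is injectable so the check can be exercised without DNS.

```python
"""Check whether every kdc / master_kdc host in a krb5.conf realm stanza resolves."""
import re
import socket

# Constructed sample stanza (placeholder hosts); server2 is assumed to be
# the entry that fails to resolve, as in the trace discussed above.
SAMPLE_REALM_STANZA = """
[realms]
  EXAMPLE.COM = {
    kdc = server1.example.com:88
    kdc = server2.example.com
    kdc = server3.example.com
    master_kdc = server2.example.com
    master_kdc = server3.example.com
  }
"""


def kdc_entries(stanza):
    """Return [(key, host, port)] for every kdc/master_kdc line, in file order."""
    entries = []
    for m in re.finditer(r"^\s*(kdc|master_kdc)\s*=\s*(\S+)", stanza, re.M):
        key, value = m.group(1), m.group(2)
        if ":" in value:
            host, port = value.rsplit(":", 1)
        else:
            host, port = value, "88"  # krb5 default KDC port
        entries.append((key, host, int(port)))
    return entries


def resolve_all(entries, getaddrinfo=socket.getaddrinfo):
    """Resolve each entry; returns {key: [(host, error_text_or_None), ...]}."""
    report = {"kdc": [], "master_kdc": []}
    for key, host, port in entries:
        try:
            getaddrinfo(host, port, type=socket.SOCK_DGRAM)
            report[key].append((host, None))
        except OSError as e:  # socket.gaierror is a subclass of OSError
            report[key].append((host, "getaddrinfo: %s" % e))
    return report


def unresolvable_masters(report):
    """master_kdc hosts that fail to resolve: these also break the fallback."""
    return [host for host, err in report["master_kdc"] if err is not None]


if __name__ == "__main__":
    for key, rows in resolve_all(kdc_entries(SAMPLE_REALM_STANZA)).items():
        for host, err in rows:
            print(key, host, err or "ok")
```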
