Selective kdc discovery

Paul B. Henson henson at
Thu Nov 5 01:10:25 EST 2020

On Sat, Oct 31, 2020 at 12:12:04PM +0000, Roland C. Dowdeswell wrote:

> Last I checked with the Java implementation which is granted a very
> long time ago (maybe 2012), they were used in order retrying failures
> three times.  I think that the default timeout was 30s between each
> attempt meaning that it took 90s to reach the second KDC in the
> list.

That does still appear to be the default based on empirical testing.

> There is a krb5.conf var kdc_timeout, but I think that Java interprets
> in in either micro or milliseconds whereas Heimdal uses the same
> variable and interprets it in seconds.  Some experimentation may
> be in order.

Yep, a value of 5000 for kdc_timeout makes it wait 5
seconds. It also appears to respect the max_retries parameter.

> You can also use the JNI implementation in Java which has the nice
> property that you don't have an extra set of Java libs with a
> separate set of bugs in your deployment.

It's not my app, it's the shibboleth idp which uses the built in java
kerberos implementation.

I guess I'm going to have to figure out a way to give the two locations
different views of the DNS SRV records giving higher priority to the
local servers. And see if the java implementation even implements the
priority component of the record <sigh>.

Thanks for the info...
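As an added illustration of the two points raised above (not code from the thread or from Shibboleth/Java), the following orders a constructed set of `_kerberos` SRV records the way a client that honours RFC 2782 priority and weight would, and estimates the worst-case failover delay from the millisecond `kdc_timeout` and `max_retries` semantics observed for the Java implementation. The hostnames and record values are made up for the example.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    """One _kerberos._udp SRV record (priority, weight, port, target)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed records: the view a site-A resolver would hand out, with the
# local KDC pair at the lower (preferred) priority value. Names are made up.
SITE_A_VIEW = [
    Srv(20, 50, 88, "kdc1.site-b.example."),
    Srv(10, 50, 88, "kdc1.site-a.example."),
    Srv(20, 50, 88, "kdc2.site-b.example."),
    Srv(10, 50, 88, "kdc2.site-a.example."),
]


def order_by_rfc2782(records, seed=0):
    """Return records in the order a compliant client should try them:
    ascending priority, and within one priority a weighted random draw
    (RFC 2782 selection algorithm; weight-0 entries are tried last)."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)  # weight-0 entries first
        while pool:
            total = sum(r.weight for r in pool)
            threshold = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= threshold:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered


def seconds_until_kdc(position, kdc_timeout_ms=30000, max_retries=3):
    """Worst-case wait before the KDC at `position` (0-based) in the ordered
    list is contacted when every earlier KDC is unreachable, using the Java
    semantics observed in the thread: kdc_timeout in milliseconds and
    max_retries attempts per KDC (3 x 30 s = 90 s to reach the second KDC)."""
    return position * max_retries * kdc_timeout_ms / 1000
```

If the client ignored the priority field, the first two entries of the ordered list would not be guaranteed to be the local pair, which is exactly the behaviour worth verifying before relying on split DNS views.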
