Selective kdc discovery

Roland C. Dowdeswell elric at imrryr.org
Sat Oct 31 08:12:04 EDT 2020


On Sat, Oct 31, 2020 at 01:02:34AM -0400, Greg Hudson wrote:
>

> In the MIT krb5 implementation, they are tried in the order specified,
> with a 1s delay in between.  I can't speak to the Java implementation,
> unfortunately.

Last I checked with the Java implementation which is granted a very
long time ago (maybe 2012), they were used in order retrying failures
three times.  I think that the default timeout was 30s between each
attempt meaning that it took 90s to reach the second KDC in the
list.  And, I think that it would never fail back to TCP unless
the KDC specifically told it that the reply was too big for UDP.

There is a krb5.conf var kdc_timeout, but I think that Java interprets
it in either micro or milliseconds whereas Heimdal uses the same
variable and interprets it in seconds.  Some experimentation may
be in order.

These issues may have been fixed, but it is worth testing each of
them because they can cause serious issues if a KDC is unavailable
for any reason.

You can also use the JNI implementation in Java which has the nice
property that you don't have an extra set of Java libs with a
separate set of bugs in your deployment.

--
    Roland C. Dowdeswell                   http://Imrryr.ORG/~elric/