[krbdev.mit.edu #2640] krb5_cc_default() blocks for two minutes when MSLSA and Logon Server Unavailable

Jeffrey Altman via RT rt-comment at krbdev.mit.edu
Mon Jul 19 16:11:07 EDT 2004


If the following conditions are true, Kerberized
applications will not behave well:

  1. the KRB5CCNAME = MSLSA:
  2. the login to Windows is via a Kerberos principal using the cached
     password
  3. no KDCs are reachable

In this circumstance, each call to krb5_cc_default() will generate a TGT
request in an attempt
to determine the principal name associated with the ccache.  Each
attempt will take two minutes
to time out.  The calling application will appear to hang while this
operation is continuing.
Currently there is no error code provided to propagate the
STATUS_NO_LOGON_SERVERS
status returned by the LSA.  Currently an error is returned indicating
that the ccache does not
exist. 


More information about the krb5-bugs mailing list