[krbdev.mit.edu #8580] kinit fails for OTP users when using KdcProxy with both IPv4&6 DNS
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Apr 20 00:57:54 EDT 2017
For TCP connections (without a proxy), if the KDC accepts the
connection, we wait ten seconds before falling back to a different
server. Our intent was that this logic should also apply to TCP
connections using a proxy, but it doesn't (because
sendto_kdc.c:get_endtime() ignores connection state objects where
state->addr.transport != TCP). We can't fix that.
(For UDP, we have to retry pretty quickly because, unlike TCP, we get no
indication that the KDC is alive and listening and got our request until
it generates a response. So UDP is incompatible with this kind of OTP
deployment and there isn't really a good way around it without extending
the protocol.)
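The timing logic the comment describes, as an added illustration that is not part of the ticket or of krb5's own code: a simplified model of the connection-state walk in sendto_kdc.c, once with the shipped rule (only states whose transport is TCP extend the fallback deadline) and once with the intended rule (any accepted stream connection, direct TCP or HTTPS through a KDC proxy, extends it). The ten-second grace period is from the comment; the type names, fields, the one-second per-pass timer and the scenario values are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of the connection-state list that
 * sendto_kdc.c iterates over. The type names, fields and helper
 * functions below are assumptions for illustration, not krb5's code. */
typedef enum { TRANSPORT_UDP, TRANSPORT_TCP, TRANSPORT_HTTPS } transport_t;
typedef enum { CONN_CONNECTING, CONN_WRITING, CONN_READING, CONN_FAILED } conn_phase_t;

typedef struct conn_state {
    transport_t transport;    /* UDP or TCP to the KDC, HTTPS to a KDC proxy */
    conn_phase_t phase;
    long endtime_ms;          /* set when the connection was accepted: accept time + 10 s */
    struct conn_state *next;
} conn_state;

/* The ten-second grace period the comment describes. */
#define ACCEPTED_CONN_DELAY_MS 10000L

/* Behaviour described in the ticket: only states whose transport is TCP
 * can push the fallback deadline out, so a proxied request's accepted
 * connection is ignored and the caller falls back on its shorter timer. */
long get_endtime_tcp_only(long endtime, const conn_state *conns)
{
    for (; conns != NULL; conns = conns->next) {
        if (conns->transport == TRANSPORT_TCP &&
            (conns->phase == CONN_WRITING || conns->phase == CONN_READING) &&
            conns->endtime_ms > endtime)
            endtime = conns->endtime_ms;
    }
    return endtime;
}

/* Intended behaviour: any stream transport whose connection was accepted
 * (direct TCP, or HTTPS through a proxy) is evidence the server is alive,
 * so the same grace period applies. UDP stays excluded: nothing short of
 * a reply shows that the KDC received the request. */
static bool connection_was_accepted(const conn_state *c)
{
    return (c->transport == TRANSPORT_TCP || c->transport == TRANSPORT_HTTPS) &&
           (c->phase == CONN_WRITING || c->phase == CONN_READING);
}

long get_endtime_stream(long endtime, const conn_state *conns)
{
    for (; conns != NULL; conns = conns->next) {
        if (connection_was_accepted(conns) && conns->endtime_ms > endtime)
            endtime = conns->endtime_ms;
    }
    return endtime;
}

/* Constructed scenario: at now=100 ms the server has accepted our
 * connection and the OTP user is still typing a token; a UDP attempt to
 * another KDC is also in flight. The caller's own per-pass deadline is
 * assumed to be one second from now. Returns how long the client keeps
 * waiting before falling back to the next server. */
long wait_before_fallback_ms(transport_t transport, bool honour_proxy)
{
    const long now = 100;
    conn_state udp = { TRANSPORT_UDP, CONN_READING, 0, NULL };
    conn_state conn = { transport, CONN_READING, now + ACCEPTED_CONN_DELAY_MS, &udp };
    long caller_deadline = now + 1000;   /* assumed per-pass timer */
    long end = honour_proxy ? get_endtime_stream(caller_deadline, &conn)
                            : get_endtime_tcp_only(caller_deadline, &conn);
    return end - now;
}

int main(void)
{
    printf("direct TCP, shipped rule:    %ld ms\n", wait_before_fallback_ms(TRANSPORT_TCP, false));
    printf("via KDC proxy, shipped rule: %ld ms\n", wait_before_fallback_ms(TRANSPORT_HTTPS, false));
    printf("via KDC proxy, intended:     %ld ms\n", wait_before_fallback_ms(TRANSPORT_HTTPS, true));
    return 0;
}
```

With the shipped rule a direct TCP connection holds the client for the full ten seconds while a proxied one falls back after the short per-pass timer, which is the window in which an OTP user loses the race; the intended rule gives the proxied connection the same ten seconds, and UDP gets no grace period under either rule.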