[krbdev.mit.edu #8580] kinit fails for OTP users when using KdcProxy with both IPv4&6 DNS
Jochen Hein via RT
rt-comment at krbdev.mit.edu
Thu Apr 20 09:46:28 EDT 2017
Hello Greg,
"Greg Hudson via RT" <rt-comment at krbdev.mit.edu> writes:
> For TCP connections (without a proxy), if the KDC accepts the
> connection, we wait ten seconds before falling back to a different
> server. Our intent was that this logic should also apply to TCP
> connections using a proxy, but it doesn't (because
> sendto_kdc.c:get_endtime() ignores connection state objects where
> state->addr.transport != TCP).
That was what I hoped for, but, unfortunately:
> We can't fix that.
I've seen that HTTPS seems somewhat bolted on to the TCP transport, so I
hoped to get something similar going.
> (For UDP, we have to retry pretty quickly because, unlike TCP, we get no
> indication that the KDC is alive and listening and got our request until
> it generates a response. So UDP is incompatible with this kind of OTP
> deployment and there isn't really a good way around it without extending
> the protocol.)
Do you see some solution on the horizon? If not, feel free to close the
ticket with "CANTFIX" or "WONTFIX". I'll try to find a configuration to
work around the limitations for me.
Thanks for your quick response.
Jochen
--
This space is intentionally left blank.
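To make the fallback timing that Greg describes concrete, here is a small Python model. It is an added illustration for this archive page, not code from MIT krb5 or from either correspondent, and every name in it (Transport, ConnState, get_endtime, grace_seconds, proxy_counts_as_tcp) is an assumption of the model; the only value taken from the thread is the ten-second wait. It encodes the three cases in the quoted paragraphs: an accepted plain TCP connection earns a grace period before the client tries another server, HTTPS (KDC proxy) connection states are skipped and so earn none, and UDP earns none because nothing tells the client that the KDC received the request. The optional flag models the stated intent that proxy connections should be treated like TCP; the thread says that this is not what the code does.

```python
"""Toy model of the server-fallback timing described in this ticket.

Added illustration, not MIT krb5 code. It models the behaviour the thread
attributes to sendto_kdc.c:get_endtime(): a TCP connection the KDC has
accepted buys a ten-second grace period before the client falls back to
another server; connection states for the HTTPS (KDC proxy) transport are
skipped, so they get no grace period; UDP gets none either, because nothing
signals that the KDC received the request until it answers. All class and
function names here are assumptions of this model.
"""
from dataclasses import dataclass
from enum import Enum, auto

TCP_GRACE_SECONDS = 10.0  # "wait ten seconds before falling back", per the ticket


class Transport(Enum):
    UDP = auto()
    TCP = auto()
    HTTPS = auto()  # KDC proxy; rides on a TCP socket underneath


@dataclass
class ConnState:
    transport: Transport
    accepted: bool      # has the server accepted our connection?
    started_at: float   # seconds (monotonic) when this attempt began


def get_endtime(states, proxy_counts_as_tcp=False):
    """Latest time before which the client will not fall back to another server.

    Returns 0.0 when no state qualifies, meaning: fall back as soon as the
    per-attempt timer fires. With proxy_counts_as_tcp=False this mirrors the
    behaviour described in the ticket; True models the stated intent.
    """
    endtime = 0.0
    for s in states:
        tcp_like = s.transport is Transport.TCP or (
            proxy_counts_as_tcp and s.transport is Transport.HTTPS)
        if not tcp_like or not s.accepted:
            continue
        endtime = max(endtime, s.started_at + TCP_GRACE_SECONDS)
    return endtime


def grace_seconds(states, now, proxy_counts_as_tcp=False):
    """How much longer, from `now`, the client keeps waiting on the current server."""
    return max(0.0, get_endtime(states, proxy_counts_as_tcp) - now)


if __name__ == "__main__":
    # Constructed scenario: one accepted connection per transport, begun at t=0,
    # evaluated two seconds later. An OTP-validating KDC that needs longer than
    # the grace period to answer is exactly what the ticket is about.
    for t in Transport:
        states = [ConnState(t, accepted=True, started_at=0.0)]
        print(f"{t.name:5s} as described: {grace_seconds(states, 2.0):.0f}s  "
              f"intended: {grace_seconds(states, 2.0, proxy_counts_as_tcp=True):.0f}s")
```

Running it shows 8 seconds of remaining grace for TCP, 0 for HTTPS and UDP under the described behaviour, and 8 seconds for HTTPS only when the proxy is counted as TCP.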