pause in KLAcquireNewInitialTicketsWithPassword

Alexandra Ellwood lxs at MIT.EDU
Sun Jan 11 12:00:40 EST 2004

>Mac OS X 10.3 client.
>   Our login app (cocoa) was hanging for a long time (roughly 2 
>minutes or so) and when I took a sample from Activity viewer
>this is what I got. This does not happen every time.
>                          281 KLAcquireNewInitialTicketsWithPassword
>                                               281 
>                                                 281 
>                                                   281 __KLRealmHasKerberos4
>                                                     281 
>                                                       281 
>                                                         281 res_search
>                                                           281 res_querydomain
>                                                             281 res_query
>                                                               281 res_send
>                                                                 281 select
>                                                                   281 select
>Any idea what it could be ?

It sounds like a problem with your DNS servers and/or network is 
making DNS SRV record lookups slow (or blocking them entirely and 
causing you to wait for the timeout).  I recommend investigating this 
problem even if you fix the Kerberos case as described below since it 
probably isn't just affecting Kerberos.

>My KDC is configured for Kerberos 5 only. Is there any way to avoid 
>kerberos 4 related calls completely from a client.
>Looked at the __KLRealmHasDNSServiceRecord implementation and it has this line
>  if (__KLPreferencesGetLibDefaultBoolean ("dns_fallback", true)) {
>I am hoping I can set this param somewhere in my config file and 
>avoid the DNS lookup...

Add "dns_fallback = no" to the [libdefaults] section of your 
configuration file.  Note that this will turn off use of DNS to look 
up both krb4 and krb5 realms, so if you may need to add your krb5 
realm config to the configuration file.

Hope this helps,

Alexandra Ellwood                                               <lxs at>
MIT Information Systems                     

More information about the krbdev mailing list