pause in KLAcquireNewInitialTicketsWithPassword
Alexandra Ellwood
lxs at MIT.EDU
Sun Jan 11 12:00:40 EST 2004
>Mac OS X 10.3 client.
>
> Our login app (cocoa) was hanging for a long time (roughly 2
>minutes or so) and when I took a sample from Activity viewer
>this is what I got. This does not happen every time.
>
>
> 281 KLAcquireNewInitialTicketsWithPassword
> 281
>KLAcquireNewInitialTicketCredentialsWithPassword
> 281
>__KLPrincipalShouldUseKerberos524Protocol
> 281 __KLRealmHasKerberos4
> 281
>__KLRealmHasKerberos4DNSServiceRecord
> 281
>__KLRealmHasDNSServiceRecord
> 281 res_search
> 281 res_querydomain
> 281 res_query
> 281 res_send
> 281 select
> 281 select
>
>Any idea what it could be ?
It sounds like a problem with your DNS servers and/or network is
making DNS SRV record lookups slow (or blocking them entirely and
causing you to wait for the timeout). I recommend investigating this
problem even if you fix the Kerberos case as described below since it
probably isn't just affecting Kerberos.
>My KDC is configured for Kerberos 5 only. Is there any way to avoid
>kerberos 4 related calls completely from a client.
>Looked at the __KLRealmHasDNSServiceRecord implementation and it has this line
> if (__KLPreferencesGetLibDefaultBoolean ("dns_fallback", true)) {
>I am hoping I can set this param somewhere in my config file and
>avoid the DNS lookup...
Add "dns_fallback = no" to the [libdefaults] section of your
configuration file. Note that this will turn off use of DNS to look
up both krb4 and krb5 realms, so if you may need to add your krb5
realm config to the configuration file.
Hope this helps,
--lxs
--
-----------------------------------------------------------------------------
Alexandra Ellwood <lxs at mit.edu>
MIT Information Systems http://mit.edu/lxs/www/
-----------------------------------------------------------------------------
--
More information about the krbdev
mailing list