KDC and full disk problem

Tim Colles timc at inf.ed.ac.uk
Thu May 27 10:12:57 EDT 2004


We noticed a problem recently which seems quite severe. Basically what
happened was that the free disk space on our KDC filled up (with log
files etc.) to 100%. However, the KDC continued to respond to incoming
authentication requests and returned what we assume to be some kind of
corrupted responses. This prevented logins on all of our 1000+ machines
(including the KDC itself). Solving this problem when we first hit it
meant disconnecting the KDC from the network so that authentication
requests were forced to fall back to the slaves so that we could then
log in to find out what was going on and clear space on the KDC. When
we had the exact same situation happen again a few weeks later we put
in place a script that monitors the disk space on the KDC and clears
it if it gets too close for comfort.

So - is this the behaviour that would be expected, i.e. if the KDC has
taken the connection for authentication it cannot then bounce it back
to a slave if it decides there is not enough free space to process the
request? Does it even check free space in these circumstances (there
were no indicative error messages in the logs)? We suspect it might be
because of the space used for the replay cache but turning that off does
not seem like a good idea.

We would appreciate any comment on this issue. We are using Red Hat 9 with
a 2.4.20 kernel and v1.2.8 of Kerberos currently.

Cheers,
Tim.
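
A free-space watchdog of the kind the message describes, as an added example (not the poster's script and not part of the Kerberos distribution). The watched directories, thresholds and the "run" argument are assumptions; the script only reports and logs, leaving any cleanup action site-specific.

```shell
#!/bin/sh
# Added example: free-space watchdog for a KDC host (not the poster's script).
# Paths and thresholds are assumptions; override them via the environment.
WATCH_DIRS="${WATCH_DIRS:-/var/log /var/tmp /var/kerberos}"  # assumed locations
WARN_PCT="${WARN_PCT:-80}"
CRIT_PCT="${CRIT_PCT:-90}"

# Read `df -P` output on stdin and print the integer Use% of the data row.
# -P forces one line per filesystem, so field 5 is always the capacity.
parse_df_pct() {
    awk 'NR == 2 { sub(/%/, "", $5); print $5; found = 1 }
         END { if (!found) exit 1 }'
}

# classify PCT WARN CRIT -> prints OK, WARN or CRIT.
# Anything that is not a plain number counts as CRIT (fail closed).
classify() {
    case "$1" in
        ''|*[!0-9]*) echo CRIT; return 0 ;;
    esac
    if [ "$1" -ge "$3" ]; then echo CRIT
    elif [ "$1" -ge "$2" ]; then echo WARN
    else echo OK
    fi
}

# check_dir DIR -> prints "STATE DIR PCT%"; returns 0 OK, 1 WARN, 2 CRIT.
check_dir() {
    pct=$(df -P "$1" 2>/dev/null | parse_df_pct) || pct=unknown
    state=$(classify "$pct" "$WARN_PCT" "$CRIT_PCT")
    echo "$state $1 $pct%"
    case "$state" in OK) return 0 ;; WARN) return 1 ;; *) return 2 ;; esac
}

# Check every watched directory, log anything not OK, return the worst state.
main() {
    worst=0
    for d in $WATCH_DIRS; do
        rc=0
        line=$(check_dir "$d") || rc=$?
        if [ "$rc" -gt 0 ]; then logger -p auth.warning -t kdc-disk "$line"; fi
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Run from cron as: kdc-disk-check.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

A directory whose usage cannot be read is reported as CRIT rather than skipped, so a missing mount or a failing df raises an alert before the KDC reaches 100%.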



More information about the krbdev mailing list