Off-Topic, was: SASL/GSSAPI bind in LDAP plugin?

Henry B. Hotz hotz at
Fri Feb 17 17:53:51 EST 2006

On Feb 17, 2006, at 2:07 PM, Andrew Bartlett wrote:

> The 'bug' is that when Heimdal's LDAP server goes away, things fail into
> an 'authoritative user not found' state.  That is, I have a KDC assuring
> the rest of the network that it knows the user doesn't exist.
> I looked at fixing it, and found that in that codebase, communicating an
> error that would make the client try again (hopefully to a KDC with a
> working backend) was really hard.  I just tried to fix the issue that
> was causing my (local) LDAP server to crash.

I've gotten into that situation from a completely different cause.
(Bug in DB access locking code.)  Having the KDC authoritatively say
something wrong is, er, wrong.

Is there a Kerberos error that could be returned that would cause
clients to try a different KDC?  (Other than simply not responding at
all, that is.)

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
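The failure mode discussed above, modelled as an added example that is not code from the thread, from Heimdal or from any KDC: a KDC whose principal database lives in an external backend must not turn "the backend is unreachable" into "the principal does not exist". The error numbers are the KRB-ERROR codes from RFC 4120 section 7.5.9; the principal store, the lookup functions, the two KDC handlers and the client's retry rule are constructed here for illustration, and the retry rule in particular is an assumption about client behaviour, not a statement about what MIT or Heimdal clients actually do.

```python
# Added example: backend failure vs. authoritative "principal unknown".
# Error codes are from RFC 4120 section 7.5.9; everything else is constructed
# for this example and is not Heimdal or MIT code.

# RFC 4120 KRB-ERROR codes used below.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # client principal not found: an authoritative answer
KDC_ERR_SVC_UNAVAILABLE = 29      # "a service is not available": not authoritative
KRB_ERR_GENERIC = 60              # generic error

# Constructed principal store standing in for the LDAP backend.
PRINCIPALS = {"alice@EXAMPLE.ORG": {"kvno": 3}}


class BackendUnavailable(Exception):
    """Raised when the backend (the LDAP server in the thread) cannot be reached."""


def lookup(principal, backend_up=True):
    """Hypothetical backend query: a miss is None, an outage is an exception."""
    if not backend_up:
        raise BackendUnavailable("ldap server went away")
    return PRINCIPALS.get(principal)


def kdc_buggy(principal, backend_up=True):
    """The behaviour described in the thread: an outage is reported as 'user not found'.
    Returns None on success, otherwise a KRB-ERROR code."""
    try:
        entry = lookup(principal, backend_up)
    except BackendUnavailable:
        entry = None                      # outage collapsed into a miss
    return KDC_ERR_C_PRINCIPAL_UNKNOWN if entry is None else None


def kdc_fixed(principal, backend_up=True):
    """Keeps the two cases apart: an outage gets a non-authoritative error,
    a real miss still gets the authoritative one."""
    try:
        entry = lookup(principal, backend_up)
    except BackendUnavailable:
        return KDC_ERR_SVC_UNAVAILABLE    # tells the client nothing about the user
    return KDC_ERR_C_PRINCIPAL_UNKNOWN if entry is None else None


# Assumed client policy: stop on success or on an authoritative error,
# move to the next KDC on anything else.
AUTHORITATIVE = {KDC_ERR_C_PRINCIPAL_UNKNOWN}


def client_request(principal, kdcs):
    """kdcs: list of (name, handler, backend_up) tuples tried in order.
    Returns ("ok" or the final error code, list of KDC names contacted)."""
    tried = []
    err = KRB_ERR_GENERIC                 # result if no KDC could be asked at all
    for name, handler, backend_up in kdcs:
        tried.append(name)
        err = handler(principal, backend_up)
        if err is None:
            return ("ok", tried)
        if err in AUTHORITATIVE:
            return (err, tried)           # believed: no point asking another KDC
    return (err, tried)


if __name__ == "__main__":
    user = "alice@EXAMPLE.ORG"
    # First KDC has lost its backend, second one is healthy.
    print("buggy first KDC:", client_request(user, [("kdc1", kdc_buggy, False), ("kdc2", kdc_fixed, True)]))
    print("fixed first KDC:", client_request(user, [("kdc1", kdc_fixed, False), ("kdc2", kdc_fixed, True)]))
```

With the buggy handler the client accepts error 6 from the first KDC and never reaches the healthy one, which is the "KDC assuring the rest of the network that the user doesn't exist" situation. Whether real client libraries fail over to another KDC on a KRB-ERROR such as KDC_ERR_SVC_UNAVAILABLE, rather than only on a timeout, is exactly the open question in the message above; the example only shows why the KDC must at least not send the authoritative code.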

More information about the krbdev mailing list