Off-Topic, was: SASL/GSSAPI bind in LDAP plugin?
Nicolas Williams
Nicolas.Williams at sun.com
Fri Feb 17 18:01:47 EST 2006
On Fri, Feb 17, 2006 at 02:53:51PM -0800, Henry B. Hotz wrote:
>
> On Feb 17, 2006, at 2:07 PM, Andrew Bartlett wrote:
>
> >The 'bug' is that when Heimdal's LDAP server goes away, things fail
> >into
> >an 'authoritative user not found' state. That is, I have a KDC
> >assuring
> >the rest of the network that it knows the user doesn't exist.
> >
> >I looked at fixing it, and found that in that codebase,
> >communicating an
> >error that would make the client try again (hopefully to a KDC with a
> >working backend) was really hard. I just tried to fix the issue that
> >was causing my (local) LDAP server to crash.
>
> I've gotten into that situation from a completely different cause.
> (Bug in DB access locking code.) Having the KDC authoritatively say
> something wrong is, er, wrong.
Unless the KDC is right, but in this case it's wrong :)
> Is there a Kerberos error that could be returned that would cause
> clients to try a different KDC? (Other than simply not responding at
> all that is.)
KDC_ERR_SVC_UNAVAILABLE (29)
But it's generally not supported, I'm guessing.
Nico
--
More information about the krbdev
mailing list