Off-Topic, was: SASL/GSSAPI bind in LDAP plugin?

Nicolas Williams Nicolas.Williams at
Fri Feb 17 18:01:47 EST 2006

On Fri, Feb 17, 2006 at 02:53:51PM -0800, Henry B. Hotz wrote:
> On Feb 17, 2006, at 2:07 PM, Andrew Bartlett wrote:
> >The 'bug' is that when Heimdal's LDAP server goes away, things fail  
> >into
> >an 'authoritative user not found' state.  That is, I have a KDC  
> >assuring
> >the rest of the network that it knows the user doesn't exist.
> >
> >I looked at fixing it, and found that in that codebase,  
> >communicating an
> >error that would make the client try again (hopefully to a KDC with a
> >working backend) was really hard.  I just tried to fix the issue that
> >was causing my (local) LDAP server to crash.
> I've gotten into that situation from a completely different cause.   
> (Bug in DB access locking code.)  Having the KDC authoritatively say  
> something wrong is, er, wrong.

Unless the KDC is right, but in this case it's wrong :)

> Is there a Kerberos error that could be returned that would cause  
> clients to try a different KDC?  (Other than simply not responding at  
> all that is.)


But it's generally not supported, I'm guessing.


More information about the krbdev mailing list