issue with MIT KDC and LDAP DS
raeburn at MIT.EDU
Fri May 22 20:12:38 EDT 2009
On May 22, 2009, at 19:59, Jeffrey Hutzelman wrote:
>>> - Instead of returning an error when there is no connection, the KDC
>>> should probably just drop the request on the floor. This doesn't
>>> sound very friendly, but there is no other way to signal to clients
>>> that they should try another KDC.
>> Shouldn't KDC_ERR_SVC_UNAVAILABLE have that effect? Sending that can
>> let the client know to *immediately* try another KDC, instead of
>> timing out.
> Unfortunately, that error wasn't defined in RFC1510, and there are
> still clients deployed which don't behave that way, and which treat
> _any_ error response from a KDC as that realm's final word on the
> request (particularly, any response at all from a KDC is enough to
> escape send_to_kdc). For example, I don't know if current versions
> of Heimdal handle this correctly, but I know we have clients
> deployed that do not.

According to http://kbalertz.com/962994/Windows-Server-domain-controllers-return-incorrect-error-Kerberos-requests-during-shutdown-process.aspx
the W2003SP2 KDC can return that error code now; presumably more
recent versions can too. So if the clients can't cope with it,
they're going to have problems with more than just these potential
future MIT KDCs.

(And, having the KDC return this when the LDAP server is unavailable
is already an item in our bug database, #5715.)

It is a backwards-incompatible protocol change (if you consider "stop
sending queries after any response" to be part of the original
protocol), but it's already deployed, some time ago.

Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium
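
The trade-off discussed in this thread, as an added example that is not part of the original message and is not MIT krb5 code: a small C model of a client walking a realm's KDC list when the first KDC either drops the request or answers KDC_ERR_SVC_UNAVAILABLE. Only the error number 29 comes from RFC 4120; the type, function and KDC names, the sample realms and the 1000 ms timeout are assumptions made for illustration.

```c
#include <stdio.h>

/* Error number 29 is from RFC 4120; all other names here are hypothetical. */
#define KDC_ERR_SVC_UNAVAILABLE 29

enum reply_kind { NO_REPLY, ERROR_REPLY, TICKET_REPLY };
enum policy { ANY_REPLY_IS_FINAL, FAILOVER_ON_SVC_UNAVAILABLE };
struct kdc { const char *name; enum reply_kind kind; int error; };
struct outcome { int got_ticket, final_error, waited_ms, kdcs_tried; };

/* Constructed realms: kdc1 has lost its LDAP backend, kdc2 is healthy. */
static const struct kdc drops[]  = { {"kdc1", NO_REPLY, 0}, {"kdc2", TICKET_REPLY, 0} };
static const struct kdc errors[] = { {"kdc1", ERROR_REPLY, KDC_ERR_SVC_UNAVAILABLE},
                                     {"kdc2", TICKET_REPLY, 0} };

/* Walk the KDC list the way a send_to_kdc-style loop would. */
struct outcome try_realm(const struct kdc *kdcs, int n, enum policy p, int timeout_ms)
{
    struct outcome o = {0, 0, 0, 0};
    for (int i = 0; i < n; i++) {
        o.kdcs_tried++;
        if (kdcs[i].kind == NO_REPLY) {        /* dropped: wait out the timer */
            o.waited_ms += timeout_ms;
            continue;
        }
        if (kdcs[i].kind == TICKET_REPLY) {
            o.got_ticket = 1;
            o.final_error = 0;
            return o;
        }
        o.final_error = kdcs[i].error;
        if (p == FAILOVER_ON_SVC_UNAVAILABLE && o.final_error == KDC_ERR_SVC_UNAVAILABLE)
            continue;                          /* try the next KDC at once */
        return o;                              /* any other reply ends the search */
    }
    return o;
}

int main(void)
{
    const char *label[] = { "any reply is final", "fail over on error 29" };
    for (int p = 0; p < 2; p++) {
        struct outcome a = try_realm(drops, 2, (enum policy)p, 1000);
        struct outcome b = try_realm(errors, 2, (enum policy)p, 1000);
        printf("%-22s drop: ticket=%d waited=%dms | error: ticket=%d err=%d waited=%dms\n",
               label[p], a.got_ticket, a.waited_ms, b.got_ticket, b.final_error, b.waited_ms);
    }
    return 0;
}
```

In this model, dropping the request works for both kinds of client at the cost of one timeout, while the error reply is faster for clients that fail over and fatal for those that treat any reply as final.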