issue with MIT KDC and LDAP DS

Ken Raeburn raeburn at MIT.EDU
Fri May 22 20:12:38 EDT 2009

On May 22, 2009, at 19:59, Jeffrey Hutzelman wrote:
>>> - Instead of returning an error when there is no connection, the KDC
>>> should probably just drop the request on the floor.  This doesn't
>>> sound very friendly, but there is no other way to signal to clients
>>> that they should try another KDC.
>> Shouldn't KDC_ERR_SVC_UNAVAILABLE have that effect?  Sending that can
>> let the client know to *immediately* try another KDC, instead of
>> timing out.
> Unfortunately, that error wasn't defined in RFC1510, and there are  
> still clients deployed which don't behave that way, and which treat  
> _any_ error response from a KDC as that realm's final word on the  
> request (particularly, any response at all from a KDC is enough to  
> escape send_to_kdc).  For example, I don't know if current versions  
> of Heimdal handle this correctly, but I know we have clients  
> deployed that do not.

According to 
  the W2003SP2 KDC can return that error code now; presumably more  
recent versions can too.  So if the clients can't cope with it,  
they're going to have problems with more than just these potential  
future MIT KDCs.

(And, having the KDC return this when the LDAP server is unavailable  
is already an item in our bug database, #5715.)

It is a backwards-incompatible protocol change (if you consider "stop  
sending queries after any response" to be part of the original  
protocol), but it's already deployed, some time ago.

Ken Raeburn / raeburn at / no longer at MIT Kerberos Consortium

More information about the krbdev mailing list