We have been using NOTGS as a simple way to temporarily disable an account so it can later be enabled by flipping a bit (rather then changing the password, etc). It turns out that when NOTGS is set and a tgt request comes in on the MIT/Kerberos UDP port, the kaserver will DROP the packet rather then returning an error. This has the undesirable consequence of causing the client to retry each server in krb.conf and eventually timeout. This behavior was also verified using a sniffer. It looks like the problem can fixed in kauth/krb_udp.c by sending an error packet back instead of dropping the request when NOTGS is set. thanks, Roland -- Roland J. Schemers III | 414 Sweet Hall +1 (415) 723-6740 Principal System Software Developer | Stanford, CA 94305-3090 Distributed Computing Operations | [EMAIL PROTECTED] Stanford University | http://www-leland.stanford.edu/~schemers/
