On Dec 19, 2008, at 09:41, Fletcher Cocquyt wrote:
> Hi, a recent campus firewall change has caused user's kerberos logins to hang on
> this system. The problem has been isolated to a krb524 attempt (which used to
> swiftly fail - but now tries for 60-90 seconds before failing).

My guess is the old firewall configuration would generate port-unreachable errors (or let the packets through so that the KDC could send them), which would cause an immediate failure, and now the client just waits for a response and sees nothing.

> How can we explicitly disable the krb524 communication attempt (campus does not
> run that service)

1) Make the port-unreachable messages come back, or
2) Create SRV records for _krb524._udp.REALM listing a host name of "." (which means "service not available", as opposed to having no SRV records which means "no information")

Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
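
The difference between an SRV target of "." and having no SRV records at all, as an added example that is not part of the original message: a Python sketch that decodes SRV RDATA in the RFC 2782 wire format and classifies an answer set for `_krb524._udp.REALM`. The function names, the sample records, the host `kdc.example.com` and the port value are constructed for illustration.

```python
import struct

def parse_srv_rdata(rdata: bytes):
    """Decode uncompressed SRV RDATA: priority, weight, port, target (RFC 2782)."""
    if len(rdata) < 7:  # three 16-bit fields plus at least the root label
        raise ValueError("SRV RDATA too short")
    priority, weight, port = struct.unpack("!HHH", rdata[:6])
    labels, pos = [], 6
    while True:
        if pos >= len(rdata):
            raise ValueError("target name not terminated")
        length = rdata[pos]
        pos += 1
        if length == 0:  # zero-length label ends the name
            break
        if length > 63:  # compression pointers are not valid in an SRV target
            raise ValueError("compressed or invalid label")
        if pos + length > len(rdata):
            raise ValueError("label overruns RDATA")
        labels.append(rdata[pos:pos + length].decode("ascii"))
        pos += length
    if pos != len(rdata):
        raise ValueError("trailing bytes after target")
    target = ".".join(labels) + "." if labels else "."
    return priority, weight, port, target

def classify(rdatas):
    """Classify the SRV answer set a client received for one service name."""
    records = [parse_srv_rdata(r) for r in rdatas]
    if not records:
        return ("no-information", [])  # no SRV records published
    if len(records) == 1 and records[0][3] == ".":
        return ("service-not-available", [])  # exactly one RR with root target
    # Otherwise list usable hosts by priority (weight selection omitted here).
    usable = sorted((r for r in records if r[3] != "."), key=lambda r: r[0])
    return ("try-hosts", [(target, port) for _, _, port, target in usable])

# Constructed sample RDATA, not captured from any real zone.
UNAVAILABLE = struct.pack("!HHH", 0, 0, 0) + b"\x00"
KDC = struct.pack("!HHH", 0, 0, 4444) + b"\x03kdc\x07example\x03com\x00"
```

Only the `service-not-available` result tells a client to stop immediately; with `no-information` the client learns nothing from DNS about whether the service exists.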