On Thu, May 21, 2009 at 8:13 PM, Ken Raeburn <raeb...@mit.edu> wrote:
>> Why does every kerberos call need to lookup every kdc in the config
>> file, and not just the server which is going to be queried, and is
>> this configurable?
>
> It's not going to only talk to one of them; it'll go through the list
> repeatedly, trying each until it gets an answer, or times out. Again,
> it's a matter of the structure of the code -- we get a list of
> addresses and then loop over the list. We could restructure it to
> look up the address when first needed, i.e., the first time we try to
> reach each server, but that'll add complexity to already complicated
> routines

I maintain a rather large site, where there are more than a dozen KDCs across different locations. Recently, I configured Windows 2003-R2/AD as the central source of authentication for a lot of Linux and Unix servers. The issue I'm facing here is that the user logons are really slow. Capturing network traffic and looking at it reveals the above behavior.

Now, can you please help me understand what you mean by "going through the list repeatedly"? Does this mean the querying is done simultaneously to several KDCs in parallel?

Also, we don't use SRV/TXT for kdc/realm identification in DNS and I don't explicitly specify the dns_lookup in the krb5.conf. In this context the dns_fallback automatically gets enabled, I'm thinking. What is the consequence of dns_fallback defaulting to yes?

Excellent information BTW...

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
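The behaviour discussed above (every kdc name in [realms] resolved up front, then walked in order) and the dns_lookup_kdc / dns_fallback question are easier to reason about with a small audit script. The following is an added example, not code from the thread or from MIT krb5: it parses a constructed krb5.conf, lists the KDC hostnames a client would resolve for a realm, times each lookup, and reports whether DNS-based KDC discovery is still enabled. It assumes the MIT precedence dns_lookup_kdc, then dns_fallback, then a built-in default of true, and it takes an injectable resolver so it can run offline against constructed answers; the hostnames, addresses and the deliberately unresolvable dc-remote2 entry are all made up for the demonstration.

```python
import re
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed krb5.conf (not the poster's): four kdc entries for one realm, a
# second realm with no kdc entries, and neither dns_lookup_kdc nor dns_fallback set.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com:88
        kdc = dc-remote1.example.com
        kdc = dc-remote2.example.com
        admin_server = dc1.example.com
    }
    OTHER.EXAMPLE.COM = {
        admin_server = dc1.other.example.com
    }
"""

TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}  # spellings krb5 accepts as true

# Constructed DNS answers; dc-remote2 deliberately has no record.
FAKE_DNS = {
    "dc1.example.com": ["10.0.0.1"],
    "dc2.example.com": ["10.0.0.2"],
    "dc-remote1.example.com": ["10.1.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS; fails like a real lookup would for unknown names."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed failure: no record for {host}")
    return FAKE_DNS[host]


def default_resolver(host: str) -> List[str]:
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf parser: [section], key = value, nested KEY = { ... } blocks.
    Repeated keys (several 'kdc' lines) are kept as lists, in file order."""
    root: Dict[str, dict] = {}
    stack: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue  # anything before the first section header is ignored
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            child: dict = {}
            stack[-1].setdefault(key, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    return root


def dns_kdc_lookup_enabled(conf: Dict[str, dict]) -> bool:
    """dns_lookup_kdc if set; otherwise dns_fallback if set; otherwise true (assumed MIT default)."""
    libdefaults = conf.get("libdefaults", {})
    for key in ("dns_lookup_kdc", "dns_fallback"):
        if key in libdefaults:
            return libdefaults[key][-1].lower() in TRUE_WORDS
    return True


def kdc_list(conf: Dict[str, dict], realm: str, default_port: int = 88) -> List[Tuple[str, int]]:
    """Every 'kdc = host[:port]' under [realms] REALM, in the order the client walks them."""
    kdcs: List[Tuple[str, int]] = []
    for block in conf.get("realms", {}).get(realm, []):
        if not isinstance(block, dict):
            continue
        for spec in block.get("kdc", []):
            host, _, port = spec.rpartition(":")
            if not host or not port.isdigit():
                host, port = spec, str(default_port)
            kdcs.append((host, int(port)))
    return kdcs


def audit_realm(conf_text: str, realm: str,
                resolver: Optional[Callable[[str], List[str]]] = None) -> dict:
    """Resolve every listed KDC before any request is sent, as the library does,
    and time each lookup: a slow or dead name is latency paid on every logon."""
    resolver = resolver or default_resolver
    conf = parse_krb5_conf(conf_text)
    kdcs = kdc_list(conf, realm)
    lookups = []
    for host, port in kdcs:
        t0 = time.monotonic()
        try:
            addrs, error = resolver(host), None
        except (socket.gaierror, OSError) as exc:
            addrs, error = [], str(exc)
        lookups.append({"host": host, "port": port, "addrs": addrs,
                        "error": error, "seconds": time.monotonic() - t0})
    dns = dns_kdc_lookup_enabled(conf)
    findings = [f"{len(kdcs)} KDC hostname(s) resolved before the first request to {realm}"]
    findings += [f"{e['host']} does not resolve: {e['error']}" for e in lookups if e["error"]]
    if not kdcs and dns:
        findings.append(f"no kdc entries for {realm}; client would fall back to DNS SRV lookups")
    return {"realm": realm, "dns_lookup_enabled": dns, "kdcs": kdcs,
            "lookups": lookups, "findings": findings}


if __name__ == "__main__":
    for realm in ("EXAMPLE.COM", "OTHER.EXAMPLE.COM"):
        for line in audit_realm(SAMPLE_KRB5_CONF, realm, resolver=fake_resolver)["findings"]:
            print(line)
```

Run it against a real krb5.conf with the default resolver (pass nothing for `resolver`) to see which of the dozen-plus KDC names cost the most to resolve; the per-entry `seconds` field is the number to compare with the pauses visible in the packet capture.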