[19801] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Aggressive kinit timeouts

daemon@ATHENA.MIT.EDU (Jonathan Maron)
Tue Aug 7 10:22:08 2018

Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Jonathan Maron <jonathan.maron@oracle.com>
In-Reply-To: <3793b18c-4682-6449-6af3-e97603c9d94b@mit.edu>
Date: Tue, 7 Aug 2018 10:21:41 -0400
Message-Id: <926E48D2-24D9-4098-92D9-67DBB9F64D93@oracle.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit



> On Aug 7, 2018, at 10:15 AM, Greg Hudson <ghudson@mit.edu> wrote:
> 
> Please use kerberos@mit.edu for operational questions like this.  For simplicity I will go ahead and answer here.
> 
> On 08/07/2018 06:46 AM, Jonathan Maron wrote:
>>   We have an LDAP realm setup that doesn’t communicate with a local LDAP DB, but rather goes through a number of gateways to access a remote LDAP resource.  This introduces some latency that at times exceeds 1 second.  That appears to be an issue - we often see authentication failures, possibly since the order of responses for repeated AS_REQ may be out of order?  Anyhow, we are definitely seeing auth failures, and the 1 second timeout appears to play a role.
> 
> I'm not sure how out-of-order responses could account for the problem. After one second, the client retransmits or tries a different KDC, but neither request should result in a failure.

Difficult for me to dig any further, but I can see that the elapsed time it greater than a second (sometimes as long as 3 seconds), and the the authentication attempt fails.

> 
>>   We are unfortunately still using version 1.10.  Has this issue been addressed in subsequent versions?  Is the 1 second timeout now configurable?
> 
> It's not configurable, but as of 1.12, if you use TCP, the client waits ten seconds before moving on if the KDC accepts the TCP connection within one second.  You can use "udp_preference_limit = 0" in [libdefaults] to force the initial use of TCP.

That’s helpful.  Thanks!


_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev


home help back first fref pref prev next nref lref last post