Subject: Re: Problem with Active Directory
From: "Richard E. Silverman" <res@qoxp.net>
Date: Sun, 16 Nov 2008 13:34:51 -0500
To: kerberos@mit.edu
Message-ID: <m23ahrplis.fsf@darwin.oankali.net>
>>>>> "HW" == Howard Wilkinson <howard@cohtech.com> writes:
HW> I am fairly sure that this is a Microsoft issue, but I am looking
HW> for a workaround in the kerberos library.
HW> I have a site where one of the domain controllers is also running
HW> an Exchange 2003 instance. The controller takes about 20 minutes
HW> to shut down, but from the time when the shutdown is requested
HW> until almost the last second before the machine restarts the KDC
HW> on the machine continues to respond to requests. However, it
HW> responds with 'krb5kdc_err_c_principal_unknown' to all users. This
HW> causes pam_krb5 to error out and refuse to log in any users until
HW> the KDC has gone away, when the library fails over to an
HW> alternative domain controller and everything works as it is
HW> supposed to.
HW> I have read my way down into the kerberos library - got as far as
HW> the krb5_get_init_creds code and got stuck working out how the KDC
HW> gets selected and whether it would be possible to get the library
HW> to try more than one KDC! So I am now calling for advice.
I wouldn't want to do that -- it's like having a DNS resolver try another
nameserver if the first one returns NXDOMAIN. "No such principal" is an
authoritative response.
HW> Has anybody else seen this? I have had no luck googling for this, so
HW> I am not thinking about it the same way as anybody else who has!
HW> Does anybody have any suggestions as to how to work round this
HW> problem - without getting Microsoft to fix their end, which is a
HW> long-term battle!
HW> Is this a library issue or should I be looking at the pam_krb5
HW> code to specify which KDCs to use?
Two suggestions:
* When you shut down the domain controller, manually shut down the KDC
service first.
* If that's not feasible, then force the Kerberos libraries to use the
alternative domain controller, either by pushing out a new krb5.conf
file, or removing the first DC from the DNS SRV records for the realm.
HW> Regards, Howard.
--
Richard Silverman
res@qoxp.net
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
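As an added example (not code from this thread, from the MIT krb5 library, or from pam_krb5), here is a small Python model of the behaviour the thread discusses: the client takes the realm's KDC list from explicit `kdc =` entries in krb5.conf when they exist and from the DNS SRV order otherwise, moves to the next KDC only when one cannot be reached, and treats a KRB-ERROR such as KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (protocol error code 6) as the final answer. The realm, host names, config text and simulated KDC replies are all constructed for the example; the DC that is "shutting down" still answers, but only with that error, which is why the default DNS order fails and why pinning the alternative DC in krb5.conf (the reply's second suggestion) works.

```python
"""Model of Kerberos client KDC selection and fail-over (added example)."""
import socket

# Constructed names; nothing here refers to a real site.
REALM = "EXAMPLE.COM"
DNS_SRV_ORDER = ["dc1.example.com", "dc2.example.com"]   # constructed SRV order

# KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN is KRB-ERROR code 6 (RFC 4120).
ERR_C_PRINCIPAL_UNKNOWN = 6

# Default-style configuration: no explicit KDCs, rely on DNS SRV lookup.
DEFAULT_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
"""

# Pinned configuration: the alternative DC is the only KDC the client will use.
PINNED_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
[realms]
    EXAMPLE.COM = {
        kdc = dc2.example.com
    }
"""


class KdcError(Exception):
    """A KDC answered with a KRB-ERROR; `code` is the protocol error code."""
    def __init__(self, code):
        super().__init__(f"KRB-ERROR {code}")
        self.code = code


def kdc_list_from_krb5_conf(text, realm, dns_srv_order):
    """Ordered KDC list the client would use for `realm`.

    Explicit `kdc =` lines inside the realm's block under [realms] win;
    with none present the (constructed) DNS SRV order is used instead.
    """
    kdcs, section, in_realm = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, in_realm = line[1:-1], False
            continue
        if section != "realms":
            continue
        if line == f"{realm} = {{":
            in_realm = True
        elif line == "}":
            in_realm = False
        elif in_realm and line.startswith("kdc"):
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                kdcs.append(value.strip())
    return kdcs if kdcs else list(dns_srv_order)


def get_init_creds(principal, kdcs, kdc_table):
    """Walk the KDC list: a transport failure moves on to the next KDC,
    while any KRB-ERROR reply is authoritative and ends the attempt."""
    last_error = None
    for host in kdcs:
        handler = kdc_table.get(host)
        try:
            if handler is None:
                raise socket.timeout(f"{host} unreachable")
            return handler(principal)          # AS-REP: ticket granted
        except socket.timeout as exc:
            last_error = exc                   # try the next KDC
        except KdcError:
            raise                              # no fail-over on a KDC error
    raise RuntimeError(f"no KDC reachable: {last_error}")


def make_kdc_table():
    """Constructed KDC behaviours: dc1 is shutting down, dc2 is healthy."""
    def healthy(principal):
        return f"TGT for {principal} from dc2.example.com"

    def shutting_down(principal):
        raise KdcError(ERR_C_PRINCIPAL_UNKNOWN)   # still answering, but wrongly

    return {"dc1.example.com": shutting_down, "dc2.example.com": healthy}


def login(conf_text, kdc_table, principal="user@EXAMPLE.COM"):
    """One pam_krb5-style login attempt; returns a (status, detail) pair."""
    kdcs = kdc_list_from_krb5_conf(conf_text, REALM, DNS_SRV_ORDER)
    try:
        return ("ok", get_init_creds(principal, kdcs, kdc_table))
    except KdcError as exc:
        return ("kdc_error", exc.code)
    except RuntimeError as exc:
        return ("unreachable", str(exc))


if __name__ == "__main__":
    table = make_kdc_table()
    print("DNS order, dc1 shutting down:", login(DEFAULT_CONF, table))
    print("krb5.conf pinned to dc2:     ", login(PINNED_CONF, table))
    del table["dc1.example.com"]              # dc1 finally gone: fail-over works
    print("DNS order, dc1 unreachable:  ", login(DEFAULT_CONF, table))
```

The third scenario shows the fail-over that Howard saw once the KDC had "gone away": a KDC that does not answer at all is skipped, whereas one that answers with an error is believed. Removing the first DC from the realm's SRV records has the same effect as the pinned config here, since it changes the list the client walks rather than how it interprets replies.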