[30563] in Kerberos
Re: disabling krb524d attempts - causes login hangs
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Fri Dec 19 09:52:19 2008
From: Ken Raeburn <raeburn@mit.edu>
To: Fletcher Cocquyt <fcocquyt@stanford.edu>
In-Reply-To: <loom.20081219T143531-401@post.gmane.org>
Message-Id: <58FDDE96-B3A7-4EF3-96CB-DE522532D57D@mit.edu>
Date: Fri, 19 Dec 2008 09:52:09 -0500
Cc: kerberos@mit.edu
On Dec 19, 2008, at 09:41, Fletcher Cocquyt wrote:
> Hi, a recent campus firewall change has caused users' kerberos logins
> to hang on this system. The problem has been isolated to a krb524
> attempt (which used to swiftly fail - but now tries for 60-90 seconds
> before failing).
My guess is the old firewall configuration would generate port-
unreachable errors (or let the packets through so that the KDC could
send them), which would cause an immediate failure, and now the client
just waits for a response and sees nothing.
> How can we explicitly disable the krb524 communication attempt
> (campus does not run that service)?
1) Make the port-unreachable messages come back, or
2) Create SRV records for _krb524._udp.REALM listing a host name of
"." (which means "service not available", as opposed to having no SRV
records which means "no information")
Ken
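
Added example, not part of the message above and not MIT Kerberos code: a small classifier for the SRV answers a resolver could return for _krb524._udp.REALM, showing the distinction drawn in option 2 (a single record with target "." versus no records at all). EXAMPLE.COM, the host names and the zone lines are constructed placeholders, and weight-based selection among equal priorities is left out.

```python
# Three outcomes a client can distinguish from the SRV lookup (RFC 2782).
NO_INFO = "no-information"               # no SRV records for the owner name
NOT_AVAILABLE = "service-not-available"  # exactly one record whose target is "."
AVAILABLE = "available"

def parse_srv(line):
    """Parse 'owner [ttl] IN SRV priority weight port target' from a zone line."""
    fields = line.split()
    i = fields.index("SRV")
    priority, weight, port = (int(x) for x in fields[i + 1:i + 4])
    return {"owner": fields[0], "priority": priority, "weight": weight,
            "port": port, "target": fields[i + 4]}

def classify(zone_text, owner):
    """Return (status, [(host, port), ...]) for the given SRV owner name."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if "SRV" in line.split():
            rec = parse_srv(line)
            if rec["owner"].lower() == owner.lower():
                records.append(rec)
    if not records:
        return NO_INFO, []                       # client has nothing to go on
    if len(records) == 1 and records[0]["target"] == ".":
        return NOT_AVAILABLE, []                 # fail at once, send no packets
    usable = sorted((r for r in records if r["target"] != "."),
                    key=lambda r: r["priority"])  # lower priority value first
    return AVAILABLE, [(r["target"], r["port"]) for r in usable]

OWNER = "_krb524._udp.EXAMPLE.COM."   # placeholder realm

# Constructed sample zones.
ZONE_DISABLED = "_krb524._udp.EXAMPLE.COM. 3600 IN SRV 0 0 0 .  ; option 2"
ZONE_NO_RECORD = "_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 0 0 88 kdc1.example.com."
ZONE_ACTIVE = """\
_krb524._udp.EXAMPLE.COM. 3600 IN SRV 20 0 4444 kdc2.example.com.
_krb524._udp.EXAMPLE.COM. 3600 IN SRV 10 0 4444 kdc1.example.com.
"""

if __name__ == "__main__":
    for name, zone in [("disabled", ZONE_DISABLED),
                       ("no record", ZONE_NO_RECORD),
                       ("active", ZONE_ACTIVE)]:
        print(name, classify(zone, OWNER))
```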