[32064] in Kerberos
KDC name resolution question
daemon@ATHENA.MIT.EDU (Markus Moeller)
Sun Feb 21 13:51:58 2010
To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Sun, 21 Feb 2010 17:28:12 -0000
Message-ID: <hlrqg2$2uo$1@ger.gmane.org>

I have a Kerberos 1.4 client configured to use DNS lookup for the KDC. The
environment has 23 AD servers for the domain. Everything is set up
resiliently with 3 DNS servers. I now observe that when the first DNS server
fails, a kinit takes 80 seconds or more. Some applications using Kerberos via
pam_krb5 time out after 20 or 30 seconds or even less. I wonder what would
be the best way to configure the clients to reduce the authentication time?

When I only configure 3 servers with DNS names in krb5.conf I still get
20-second delays. A simple DNS lookup is about a second (e.g. it detects very
quickly the second working DNS server).

Is the same DNS resolution method used in the newer Kerberos releases (I
couldn't check yet)?

Thank you
Markus