timeout period for failed kdc in /etc/krb5.conf

timeout period for failed kdc in /etc/krb5.conf

Chris H-2
Hi.
I'm using the MIT Kerberos implementation 1.4.1 to connect Samba to
Active Directory, as a lot of other people would be too. I have no
problems with this - it seems to work beautifully!

My question is, how nicely would it work if the domain controller I've
specified as the KDC in my /etc/krb5.conf happens to die?
I've specified two KDCs actually:

[realms]
    BLAH.BLAH.COM = {
        default_domain = BLAH.BLAH.COM
        kdc = 1.2.3.4
        kdc = 1.2.3.5
    }

If the first KDC is down, or even worse (up but malfunctioning), will
every request take longer because it's waiting for a timeout on the
first KDC?

Can I specify any more options, or even some nice form of load balancing
here?

I should be able to, at least!?

And no, I don't use DNS, for reasons out of my control.

Chris

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: timeout period for failed kdc in /etc/krb5.conf

Kenneth G Raeburn
On Jun 9, 2005, at 11:47, Chris H wrote:
> I'm using the MIT Kerberos implementation 1.4.1 to connect Samba to
> Active Directory, as a lot of other people would be too. I have no
> problems with this - it seems to work beautifully!

That's great news.

> If the first KDC is down, or even worse (up but malfunctioning), will
> every request take longer because it's waiting for a timeout on the
> first KDC?

If the client gets back some kind of connection-refused indication, it
will immediately move on to the next KDC in the list.  If it sees no
response at all, it does wait a little (one second, I think) before
moving on to the next KDC.  So, yes, there's a delay, though it
shouldn't be large.

> Can I specify any more options, or even some nice form of load balancing
> here?

I'm afraid not, in the current version, unless you do it through DNS
(SRV records, or one KDC with multiple A records), which you say you
can't... :-(

Ken

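A check that follows from Chris's config and from Ken's description of how the client walks the kdc list, as an added example (not code from the thread, from MIT Kerberos or from Samba): it parses the [realms] block of a krb5.conf, keeps the kdc entries in the order they are listed (the order the client tries them), and TCP-connects to each one on port 88, or on the host:port given, to separate the three outcomes Ken distinguishes: the KDC answers, the connection is refused (the client moves straight on), or there is no response at all (the client waits before moving on). The realm name is the one from the post; the loopback addresses and the two local ports it probes are constructed for the demo, one left closed to stand in for a dead first KDC, one listening to stand in for the second. The one-second probe timeout is this script's own choice, not a libkrb5 setting.

```python
# Added example for this thread; not code from MIT Kerberos, Samba or the posters.
import socket
import time

KERBEROS_PORT = 88

def parse_realm_kdcs(conf_text, realm):
    """Return the `kdc = ...` values for `realm`, in file order."""
    in_realms, current, depth, kdcs = False, None, 0, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # profile comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            in_realms, current, depth = (line == "[realms]"), None, 0
            continue
        if not in_realms:
            continue
        if line.endswith("{"):                     # "REALM = {" or a nested "x = {"
            depth += 1
            if depth == 1:
                current = line[:-1].strip().rstrip("=").strip()
        elif line == "}":
            depth -= 1
            if depth == 0:
                current = None
        elif current == realm and depth == 1:
            key, sep, value = line.partition("=")
            if sep and key.strip() == "kdc":
                kdcs.append(value.strip())
    return kdcs

def split_host_port(kdc):
    """krb5.conf accepts 'host', 'host:port' and '[ipv6]:port'; default port is 88."""
    if kdc.startswith("["):
        host, _, rest = kdc[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else KERBEROS_PORT)
    if kdc.count(":") == 1:
        host, port = kdc.split(":")
        return host, int(port)
    return kdc, KERBEROS_PORT                      # bare host or bare IPv6 literal

def probe_kdc(host, port, timeout=1.0):
    """TCP-connect to the KDC and classify: 'ok', 'refused' (the client skips on
    at once), 'timeout' (the case that costs the client a wait) or 'error'."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            status = "ok"
    except ConnectionRefusedError:
        status = "refused"
    except socket.timeout:
        status = "timeout"
    except OSError:                                # no route, unresolvable name, ...
        status = "error"
    return status, round(time.monotonic() - start, 3)

def probe_config(conf_text, realm, timeout=1.0):
    """[(kdc, status, seconds), ...] for each KDC of `realm`, in configured order."""
    results = []
    for kdc in parse_realm_kdcs(conf_text, realm):
        host, port = split_host_port(kdc)
        results.append((kdc,) + probe_kdc(host, port, timeout))
    return results

def local_ports():
    """Constructed stand-ins: a listening loopback port (a 'live' KDC) and a closed one."""
    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(1)                                 # connects complete from the backlog
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed = spare.getsockname()[1]
    spare.close()                                  # now nothing listens on that port
    return live, live.getsockname()[1], closed

def demo():
    """Constructed config in the thread's layout: first KDC dead, second alive."""
    live, up, down = local_ports()
    conf = f"""
[realms]
    BLAH.BLAH.COM = {{
        default_domain = BLAH.BLAH.COM
        kdc = 127.0.0.1:{down}
        kdc = 127.0.0.1:{up}
    }}
"""
    try:
        return probe_config(conf, "BLAH.BLAH.COM")
    finally:
        live.close()

if __name__ == "__main__":
    for kdc, status, secs in demo():
        print(f"{kdc:<22} {status:<8} {secs:.3f}s")
```

Run directly, it prints one line per configured KDC with the outcome and how long the probe took; point `probe_config` at the real file contents and realm to check a production krb5.conf. The probe uses TCP because a closed TCP port gives an unambiguous refusal, whereas libkrb5 of that era sends its requests over UDP first, so treat a result here as a reachability check on the KDC host rather than a replay of the client's exact exchange; a KDC that is "up but malfunctioning", as Chris puts it, can still show "ok" here if the daemon accepts connections but never answers.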