
Avoiding intermittent failures with multiple KDC entries in krb5.conf


Kieran O'Loughlin

Dec 12, 2017, 8:34:45 AM
Hi,

I'm an administrator, at a large organization, of an application that uses Kerberos for authentication purposes. The organization uses Microsoft Active Directory and has over 100 Domain Controllers worldwide.

We initially configured the krb5.conf file with a single kdc entry similar to the following:

[realms]
EXAMPLE.COM = {
admin_server = example.com
kdc = example.com
}

In our DNS, "example.com" resolves to a list of IP addresses for all of the Active Directory KDCs.

With this configuration we found we would get intermittent failures when an authentication request to a particular KDC failed for some reason, e.g. that KDC was down. It did not retry the request to another KDC.

We changed our configuration to be something like the following, with each kdc entry pointing to an individual Active Directory server:

[realms]
EXAMPLE.COM = {
admin_server = example.com
kdc = kdc1.example.com
kdc = kdc2.example.com
.
.
.
kdc = kdcn.example.com
}

This works much better for us. It seems that the Kerberos libraries automatically retry requests to the next KDC in the list for some types of failures.

The disadvantage of this is that maintaining this list of KDC servers in the krb5.conf file is a maintenance chore. The organization changes KDC servers on a fairly regular basis, and we don't get notifications when there is a change.

I'd like to change the krb5.conf file to look like this:

[realms]
EXAMPLE.COM = {
admin_server = example.com
kdc = example.com
kdc = example.com
.
.
.
kdc = example.com
}

For this to work the Kerberos libraries would have to resolve "example.com" each time after a failure so that the next attempt to contact "example.com" could be to a different IP address. For example if "example.com" resolves to 10.0.0.1 in the first attempt, and that server happens to be down, then in order for it to succeed on the second attempt the libraries would need to resolve "example.com" again, get a different response this time, say 10.0.0.2 and make its second attempt to that IP address.

Does anyone know if it will work this way, or if we need to continue to specify the individual Active Directory servers?

Thanks for your help,

Kieran.
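The configuration that worked for the poster (one kdc= line per server) can be generated from the same round-robin DNS name instead of being maintained by hand, which sidesteps the question of whether a given Kerberos library re-resolves a repeated hostname between retries. The script below is an added example, not code from the original post: it resolves the KDC name once, emits a stable [realms] stanza with one kdc= line per distinct address, and reports which KDCs appeared or disappeared since the last generated file, so a change on the Active Directory side is noticed at the next run rather than as an intermittent failure. The realm, hostnames and addresses are placeholders; the resolver used in the demonstration is a constructed stand-in for live DNS.

```python
#!/usr/bin/env python3
"""Regenerate a krb5.conf [realms] stanza from the addresses behind one DNS name.

Added example (placeholder realm/hostnames): resolve the round-robin KDC name,
write one kdc= line per address, and report KDCs added or removed since the
previous run so DC changes are caught at generation time.
"""
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Set, Tuple

# Matches "kdc = value" lines in a krb5.conf or a [realms] fragment.
KDC_LINE = re.compile(r"^\s*kdc\s*=\s*(\S+)", re.MULTILINE)


def resolve_all(hostname: str, port: int = 88) -> List[str]:
    """Every distinct address the system resolver returns for hostname (live DNS)."""
    addrs: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            hostname, port, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def _sort_key(value: str) -> Tuple[int, int, str]:
    """Order IPv4 before IPv6 numerically; anything else (old hostnames) last."""
    try:
        ip = ipaddress.ip_address(value)
        return (ip.version, int(ip), "")
    except ValueError:
        return (99, 0, value)


def normalize(addresses: Iterable[str]) -> List[str]:
    """Deduplicate and order addresses so the generated file is stable across runs."""
    return sorted(set(addresses), key=_sort_key)


def realm_stanza(realm: str, admin_server: str, addresses: Iterable[str]) -> str:
    """Render the [realms] entry with one kdc= line per resolved address."""
    lines = ["[realms]", f"{realm} = {{", f"    admin_server = {admin_server}"]
    for addr in normalize(addresses):
        lines.append(f"    kdc = {addr}")
    lines.append("}")
    return "\n".join(lines) + "\n"


def existing_kdcs(krb5_conf_text: str) -> Set[str]:
    """The kdc= values already present in the current krb5.conf text."""
    return set(KDC_LINE.findall(krb5_conf_text))


def kdc_changes(old_text: str, addresses: Iterable[str]) -> Tuple[List[str], List[str]]:
    """(added, removed) KDCs between the current file and the freshly resolved set."""
    old = existing_kdcs(old_text)
    new = set(normalize(addresses))
    return sorted(new - old, key=_sort_key), sorted(old - new, key=_sort_key)


def regenerate(realm: str, kdc_name: str, admin_server: str, old_text: str = "",
               resolver: Callable[[str], List[str]] = resolve_all
               ) -> Tuple[str, List[str], List[str]]:
    """Resolve kdc_name and return (new stanza, added KDCs, removed KDCs).

    Refuses to emit an empty KDC list: a DNS outage must not wipe the config.
    """
    addrs = resolver(kdc_name)
    if not addrs:
        raise RuntimeError(f"{kdc_name} resolved to no addresses; keeping old config")
    added, removed = kdc_changes(old_text, addrs)
    return realm_stanza(realm, admin_server, addrs), added, removed


if __name__ == "__main__":
    # Constructed resolver standing in for live DNS; replace with resolve_all
    # to read the real round-robin record for example.com.
    fake_dns = lambda name: ["10.0.0.2", "10.0.0.1", "10.0.0.2"]
    previous = "[realms]\nEXAMPLE.COM = {\n    kdc = 10.0.0.1\n    kdc = 10.0.0.9\n}\n"
    stanza, added, removed = regenerate("EXAMPLE.COM", "example.com", "example.com",
                                        previous, resolver=fake_dns)
    print(stanza)
    print("added:", added, "removed:", removed)
```

Run it from cron or a configuration-management hook, write the stanza into the managed krb5.conf only when `added` or `removed` is non-empty, and alert on the change so the KDC list never silently drifts. Whether a library re-resolves a repeated `kdc = example.com` entry between retries is library-specific, so emitting explicit addresses is the portable choice; the other way to avoid a hand-maintained list with MIT krb5 is `dns_lookup_kdc` in [libdefaults], which discovers KDCs through the `_kerberos._tcp` SRV records that Active Directory publishes.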