Date:      Wed, 1 Jan 2003 04:43:38 +0100
From:      Peter Much <pmc@citylink.dinoex.sub.org>
To:        questions@freebsd.org
Subject:   Kerb.5 login hangs when uplink (internet) is down
Message-ID:  <20030101044338.A1197@disp.oper.dinoex.org>

This one is mostly for the records, as I recently had to fix it.

If you 
 - run the Kerberos5 kdc as distributed with FreeBSD (4.4, maybe
   others as well), 
 - and have DNS nameservice running 
 - and DNS configured to access the root-nameservers of the 
   internet (or some equivalent configuration),
then everything may work well until someday the internet connection
(or your equivalent uplink to your root-nameserver) is not active.
And then suddenly no kerberized login at all will work anymore.

Although you usually should not need that uplink for production 
(because all the host data for your site and kerberos realm should
be kept in local nameservers or other means), you might experience
quite an inconvenience by this effect.

The point here is: the kerberos system tends to send requests
to the nameserver asking for the TXT records for
krb5-realm.localhost. and _kerberos.localhost., as there is the
option to do kerberos configuration that way.

But in case these records do not exist - because there is no
nameserver map at all for a domain .localhost - the
local nameserver will not know about them and will propagate
the query up to the root-nameserver, likely to get the
authoritative answer that these records do not exist. And
kerberos will be satisfied by this and continue without them.

Now when the root-nameservers are not reachable, the local
nameserver does not know whether these records might exist somewhere
or not - and it will tell kerberos so (aka "server failed").
This is not considered satisfying by kerberos, so it will stall
the login process and ask the nameserver every 40 secs. again
and again whether the connection has come back.

To get rid of this, just make your local nameserver authoritative
for it, i.e. configure an empty zone file for the domain localhost.

Comments by nameserver experts? Is this a suitable approach?

rgds,
PMc
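The following is an added example, not part of the original message and not FreeBSD's or Heimdal's own code. It does two things the post describes in prose: it classifies a dig(1) response by its header status, mapping NXDOMAIN (authoritative "no such name", the client proceeds) and SERVFAIL (resolver could not decide, the client keeps retrying) to the behaviour the post observed, and it writes the BIND-style "localhost" zone the post proposes as the fix. The file names under the target directory, the zone serial and timer values, and the constructed dig header lines used for checking are assumptions for illustration; the "retry"/"proceed" verdicts reproduce the behaviour the post reports rather than any documented Kerberos policy.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes BIND named.conf zone
# syntax and the dig(1) header format ";; ->>HEADER<<- opcode: ..., status: ...".

# Extract the status word from dig output read on stdin.
# Typical values: NOERROR, NXDOMAIN, SERVFAIL.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Map a status to what the post says the Kerberos client does with it.
#   NXDOMAIN -> proceed  (authoritative negative: no DNS config, use krb5.conf)
#   SERVFAIL -> retry    (resolver undecided, uplink down: the 40-second loop)
#   NOERROR  -> use-dns  (a TXT record came back)
kerberos_dns_verdict() {
    case "$1" in
        NXDOMAIN) echo proceed ;;
        SERVFAIL) echo retry ;;
        NOERROR)  echo use-dns ;;
        *)        echo unknown ;;
    esac
}

# Live check of the realm lookup the post mentions. Needs dig(1) and a
# resolver; not exercised offline. Usage: check_live localhost
check_live() {
    dig +time=2 +tries=1 TXT "_kerberos.$1." | dig_status
}

# Write a named.conf fragment plus a minimal "empty" localhost zone into $1.
# Serving localhost authoritatively makes _kerberos.localhost. and
# krb5-realm.localhost. answer NXDOMAIN (with the aa flag) from the local
# server alone, so the root servers are never consulted for them.
write_localhost_zone() {
    dir=$1
    cat > "$dir/named.conf.localhost" <<EOF
// include "$dir/named.conf.localhost"; from named.conf (path is an assumption)
zone "localhost" {
    type master;
    file "$dir/localhost.zone";
};
EOF
    cat > "$dir/localhost.zone" <<'EOF'
$TTL 3600
@       IN SOA  localhost. root.localhost. (
                2003010101 ; serial (assumed)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                3600 )     ; negative-cache TTL
        IN NS   localhost.
        IN A    127.0.0.1
EOF
}

# Optional command-line use:
#   sh thisfile.sh live localhost      -> prints NXDOMAIN / SERVFAIL / NOERROR
#   sh thisfile.sh write /etc/namedb   -> writes the two files
case "${1:-}" in
    live)  s=$(check_live "$2"); echo "$s -> $(kerberos_dns_verdict "$s")" ;;
    write) write_localhost_zone "$2" ;;
esac
```

To confirm the fix from the machine running the KDC, pull the uplink, run `dig TXT _kerberos.localhost.` against the local server and look for `status: NXDOMAIN` together with the `aa` flag in the header; `SERVFAIL` means the server is still trying to reach the roots. Other caching resolvers have an equivalent of a locally authoritative empty zone; the principle is the same, the negative answer has to be produced locally.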
