Bug 186377

Summary: Causes DNS storms when Kerberos servers not reachable
Product: [Fedora] Fedora Reporter: Nils Philippsen <nphilipp>
Component: krb5-auth-dialogAssignee: Christopher Aillon <caillon>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5CC: lists
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: f8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-03-11 09:27:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nils Philippsen 2006-03-23 08:56:43 UTC 
Description of problem:

When not logged into e.g. the Red Hat internal network via VPN, i.e. the
configured Kerberos servers are not resolvable, having krb5-auth-dialog causes
real DNS storms (several hundred packets per second) which have even caused my
WLAN card to wedge once.

Version-Release number of selected component (if applicable):
krb5-auth-dialog-0.6.cvs20060212-1
krb5-libs-1.4.3-4.1
krb5-workstation-1.4.3-4.1

How reproducible:
Easy

Steps to Reproduce:
1. Have your KRB5 servers not resolvable (e.g. log off the VPN)
2. Have krb5-auth-dialog running
3. Watch your NIC activity light go bonkers and/or run tcpdump/ethereal
  
Actual results:
Will attach about 1 second of "tcpdump -A ... udp port 53", the DNS server will
not magically know about those servers, even if asked a million times ;-)

Expected results:
Should determine when they're not resolvable/reachable and perhaps only try once
a minute or so.

Additional info:
Comment 2 Andrew Duggan 2006-04-05 14:04:18 UTC 
Likely the same problem, but I also see that if the krb servers are not
available when the tickets expire and need renewing, krb-auth-dialog goes into a
CPU bound loop and must be killed.
Comment 3 Nils Philippsen 2006-04-05 14:34:03 UTC 
Perhaps that would explain why I manually need to use kinit (i.e.
krb5-auth-dialog doesn't ask for a password when the krb servers become
available) once e.g. logging into the VPN (where the KRB servers are).
Comment 4 Fedora Update System 2006-09-15 01:49:17 UTC 
krb5-auth-dialog-0.6.cvs20060212-1.1 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 5 petrosyan 2008-03-11 02:35:45 UTC 
Fedora Core 5 is no longer maintained. Is this bug still present in Fedora 7 or
Fedora 8?
Comment 6 Nils Philippsen 2008-03-11 09:27:39 UTC 
I believe not.