Bug 186377 – Causes DNS storms when Kerberos servers not reachable

Bugzilla will be upgraded to version 5.0 on December 2, 2018. The outage period for the upgrade will start at 0:00 UTC and have a duration of 12 hours

Bug 186377 - Causes DNS storms when Kerberos servers not reachable

Summary:	Causes DNS storms when Kerberos servers not reachable

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	krb5-auth-dialog (Show other bugs)
Sub Component:
Version:	5
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Christopher Aillon
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2006-03-23 03:56 EST by Nils Philippsen
Modified:	2008-03-11 05:27 EDT (History)
CC List:	1 user (show)

See Also:
Fixed In Version:	f8
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-03-11 05:27:39 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Nils Philippsen 2006-03-23 03:56:43 EST

Description of problem:

When not logged into e.g. the Red Hat internal network via VPN, i.e. the
configured Kerberos servers are not resolvable, having krb5-auth-dialog causes
real DNS storms (several hundred packets per second) which have even caused my
WLAN card to wedge once.

Version-Release number of selected component (if applicable):
krb5-auth-dialog-0.6.cvs20060212-1
krb5-libs-1.4.3-4.1
krb5-workstation-1.4.3-4.1

How reproducible:
Easy

Steps to Reproduce:
1. Have your KRB5 servers not resolvable (e.g. log off the VPN)
2. Have krb5-auth-dialog running
3. Watch your NIC activity light go bonkers and/or run tcpdump/ethereal
  
Actual results:
Will attach about 1 second of "tcpdump -A ... udp port 53", the DNS server will
not magically know about those servers, even if asked a million times ;-)

Expected results:
Should determine when they're not resolvable/reachable and perhaps only try once
a minute or so.

Additional info:

Comment 2 Andrew Duggan 2006-04-05 10:04:18 EDT

Likely the same problem, but I also see that if the krb servers are not
available when the tickets expire and need renewing, krb-auth-dialog goes into a
CPU bound loop and must be killed.

Comment 3 Nils Philippsen 2006-04-05 10:34:03 EDT

Perhaps that would explain why I manually need to use kinit (i.e.
krb5-auth-dialog doesn't ask for a password when the krb servers become
available) once e.g. logging into the VPN (where the KRB servers are).

Comment 4 Fedora Update System 2006-09-14 21:49:17 EDT

krb5-auth-dialog-0.6.cvs20060212-1.1 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Comment 5 petrosyan 2008-03-10 22:35:45 EDT

Fedora Core 5 is no longer maintained. Is this bug still present in Fedora 7 or
Fedora 8?

Comment 6 Nils Philippsen 2008-03-11 05:27:39 EDT

I believe not.

Note You need to log in before you can comment on or make changes to this bug.