Red Hat Bugzilla – Bug 500938
Too many KDCs prevent use of "dns_lookup_kdc = true" in /etc/krb5.conf
Last modified: 2012-06-20 09:28:27 EDT
Description of problem:
A large number of KDCs cause "dns_lookup_kdc = true" (the default) to fail.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a large number of SRV records indicating KDCs for the Kerberos domain.
2. The host names should be difficult to compress.
3. In /etc/krb5.conf, in the [libdefaults] section, put the line "dns_lookup_kdc = true"
4. Do not specify any KDC hosts in the [realms] section.
5. Attempt to do a "kinit"
kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Password for user@INTERNAL.EXAMPLE.COM:
The attached patch corrects the problem.
Created attachment 344065
Patch to allocate sufficient space for a large SRV answer.
Don't know why it didn't attach the first time.
Note that this problem can present quite dramatically and mysteriously: your systems are configured for DNS lookup of KDCs and they're all working. One day, you add the KDC that puts you over the limit, and suddenly all your Kerberos authentication starts failing as that last SRV record propagates.
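The failure mode described above, modelled in Python as an added example (this is not the reporter's patch nor krb5 code): SRV records for hard-to-compress host names are encoded as an uncompressed answer section, a stand-in for res_search(3) fills only a fixed buffer while reporting the full length, and a parser that clamps to that buffer fails once the answer outgrows it, whereas a lookup that reallocates to the reported length and retries succeeds. The 2048-byte default buffer size is an assumption for illustration, not a value taken from the report.

```python
import struct

def encode_name(name):  # uncompressed wire form: length-prefixed labels, then a zero byte
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def srv_answer(owner, kdcs, ttl=300):
    # One SRV RR per KDC (RFC 2782 RDATA: priority, weight, port, target), no name compression.
    rrs = []
    for prio, weight, port, target in kdcs:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        rrs.append(encode_name(owner) + struct.pack("!HHIH", 33, 1, ttl, len(rdata)) + rdata)
    return b"".join(rrs)

def fake_res_search(answer, bufsize):  # model of res_search(3): fill what fits, report full length
    return answer[:bufsize], len(answer)

def decode_name(buf, i):
    labels = []
    while i < len(buf) and buf[i]:
        labels.append(buf[i + 1:i + 1 + buf[i]].decode("ascii"))
        i += 1 + buf[i]
    if i >= len(buf):                        # ran off the end: the answer was cut short
        raise ValueError("truncated name")
    return ".".join(labels), i + 1

def parse_srv(buf):  # (target, port) pairs from an answer section; raises if a record is cut short
    kdcs, i = [], 0
    while i < len(buf):
        _, i = decode_name(buf, i)                             # owner name
        rdlen = struct.unpack_from("!HHIH", buf, i)[3]         # type, class, ttl, rdlength
        if i + 10 + rdlen > len(buf):
            raise ValueError("truncated record")
        kdcs.append((decode_name(buf, i + 16)[0], struct.unpack_from("!H", buf, i + 14)[0]))
        i += 10 + rdlen
    return kdcs

def locate_kdcs_fixed(answer, bufsize=2048):
    # Failing pattern: one fixed buffer, reported length clamped to it, then parsed.
    buf, n = fake_res_search(answer, bufsize)
    try:
        return parse_srv(buf[:min(n, bufsize)])
    except (ValueError, struct.error):
        return []   # what kinit reports as "Cannot resolve network address for KDC"

def locate_kdcs_grow(answer, bufsize=2048):
    # Fix: when the reported length exceeds the buffer, allocate that much and retry.
    while True:
        buf, n = fake_res_search(answer, bufsize)
        if n <= bufsize:
            return parse_srv(buf[:n])
        bufsize = n
```

With the constructed names in the test below each record is 88 bytes, so the fixed 2048-byte buffer holds 23 KDCs and the 24th record pushes every lookup into the empty result the report describes.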
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release you requested us to review is now End of Life.
Please see https://access.redhat.com/support/policy/updates/errata/
If you would like Red Hat to reconsider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.