Bug 500938 - Too many KDCs prevent use of "dns_lookup_kdc = true" in /etc/krb5.conf
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: krb5
Version: 4.7
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-05-15 00:39 UTC by Stephen P. Schaefer
Modified: 2012-06-20 13:28 UTC (History)
CC: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 13:28:27 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch to allocate sufficient space for a large SRV answer. (2.40 KB, patch)
2009-05-15 00:41 UTC, Stephen P. Schaefer

Description Stephen P. Schaefer 2009-05-15 00:39:47 UTC
Description of problem:
A large number of KDCs cause "dns_lookup_kdc = true" (the default) to fail.

Version-Release number of selected component (if applicable):
1.3.4-60.el4_7.2

How reproducible:
Always.

Steps to Reproduce:
1. Create a large number of SRV records indicating KDCs for the kerberos domain.
2. The host names should be difficult to compress.
3. In /etc/krb5.conf, in the [libdefaults] section, put the line "dns_lookup_kdc = true"
4. Do not specify any KDC hosts in the [realms] section.
5. Attempt to do a "kinit"
  
Actual results:
kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials


Expected results:
Password for user.COM: 


Additional info:
The attached patch corrects the problem.
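
The reproduction steps above turn on a detail that is easy to miss: the size of the SRV answer depends not only on how many KDCs there are but on how well their names compress, because RFC 1035 name compression replaces a suffix already present in the message with a 2-byte pointer. The following Python is an added example, not the attached patch and not MIT krb5 code. It builds the wire form of a _kerberos._udp.<realm> SRV response for a list of KDC host names and reports how many KDCs fit in a buffer of a given size. The realm EXAMPLE.COM, the host name sets and the port are constructed sample input; the buffer size is a parameter because this report does not state the size of the buffer krb5 1.3.4 used. RFC 2782 says the target field must not be compressed, but some servers compress it anyway, so target compression is a switch here; the owner name of each answer record is always a pointer to the question name, as every real server emits it.

```python
import struct

# Constructed sample input (not from the bug report).
REALM = "EXAMPLE.COM"
EASY_KDCS = [f"kdc{i}.example.com" for i in range(1, 13)]    # share the realm suffix
HARD_KDCS = [f"kdc{i}.branch{i}.example" for i in range(1, 13)]  # little shared suffix


def _encode_name(name, offset, table, compress):
    """Encode `name` in RFC 1035 wire form starting at message `offset`.

    `table` maps lower-cased suffixes to the offset of their first occurrence.
    With `compress` set, a suffix already in the table is emitted as a 2-byte
    pointer (0xC000 | offset) and encoding stops there.
    """
    labels = name.rstrip(".").split(".")
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if compress and suffix in table:
            out += struct.pack("!H", 0xC000 | table[suffix])
            return bytes(out)
        if offset + len(out) < 0x4000:          # pointers address only the first 16 KiB
            table.setdefault(suffix, offset + len(out))
        out += bytes([len(label)]) + label.encode("ascii")
    out += b"\x00"                              # root label
    return bytes(out)


def build_srv_response(realm, targets, compress_targets=False, port=88):
    """Wire form of a DNS response to `_kerberos._udp.<realm> IN SRV` with one
    record per target. TTL, priority and weight are fixed sample values."""
    qname = f"_kerberos._udp.{realm}"
    table = {}
    # ID, flags (QR, RD, RA), QDCOUNT=1, ANCOUNT, NSCOUNT=0, ARCOUNT=0
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(targets), 0, 0))
    msg += _encode_name(qname, len(msg), table, compress=True)
    msg += struct.pack("!HH", 33, 1)            # QTYPE=SRV, QCLASS=IN
    for target in targets:
        msg += _encode_name(qname, len(msg), table, compress=True)  # owner -> pointer
        rdata_head = struct.pack("!HHH", 0, 100, port)              # priority, weight, port
        rdata_start = len(msg) + 10 + len(rdata_head)  # TYPE+CLASS+TTL+RDLENGTH = 10 bytes
        target_wire = _encode_name(target, rdata_start, table, compress=compress_targets)
        rdata = rdata_head + target_wire
        msg += struct.pack("!HHIH", 33, 1, 300, len(rdata))
        msg += rdata
    return bytes(msg)


def srv_answer_size(realm, targets, compress_targets=False):
    """Total message size in bytes of the SRV response for `targets`."""
    return len(build_srv_response(realm, targets, compress_targets))


def max_kdcs_that_fit(realm, name_for, buffer_size, compress_targets=False, limit=500):
    """Largest n such that the response for KDCs name_for(1)..name_for(n)
    fits in `buffer_size` bytes. One more KDC than this value is the point
    at which a client with a fixed buffer of that size stops resolving KDCs."""
    n = 0
    while n < limit:
        targets = [name_for(i) for i in range(1, n + 2)]
        if srv_answer_size(realm, targets, compress_targets) > buffer_size:
            return n
        n += 1
    return n


if __name__ == "__main__":
    for label, kdcs in (("easy", EASY_KDCS), ("hard", HARD_KDCS)):
        for comp in (False, True):
            print(f"{label:4} compress_targets={comp!s:5} "
                  f"{len(kdcs)} KDCs -> {srv_answer_size(REALM, kdcs, comp)} bytes")
    print("KDCs fitting in 512 bytes (uncompressed targets):",
          max_kdcs_that_fit(REALM, lambda i: f"kdc{i}.example.com", 512))
```

To see the real answer size for a realm, `dig +tcp _kerberos._udp.EXAMPLE.COM SRV` prints it on its `;; MSG SIZE  rcvd:` line; compare that number against whatever buffer the client allocates, and repeat the query before and after adding a KDC, since the size only grows as the new record propagates.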

Comment 1 Stephen P. Schaefer 2009-05-15 00:41:17 UTC
Created attachment 344065 [details]
Patch to allocate sufficient space for a large SRV answer.

Don't know why it didn't attach the first time.

Comment 2 Stephen P. Schaefer 2009-05-18 17:33:10 UTC
Note that this problem can present quite dramatically and mysteriously: your systems are configured for DNS lookup of KDCs and they're all working. One day, you add the KDC that puts you over the limit, and suddenly all your Kerberos authentication starts failing as that last SRV record propagates.

Comment 3 Jiri Pallich 2012-06-20 13:28:27 UTC
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life.
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.

