petesea at bigfoot.com ()
2006-09-18 21:15:41 UTC
My Kerberos admins recently changed all the KDCs in our realm and started
distributing a new standard krb5.conf file. Now... instead of taking < 1
sec to get a password prompt from "kinit", it takes 40-50 secs.
The old file lists 6 KDCs using IP addresses instead of hostnames. The
new file lists 10 KDCs using hostnames... so obviously it has something to
do with DNS.
Using krb5-1.4.4, and running strace on kinit, it appears to be doing
multiple DNS requests for EVERY KDC listed in the krb5.conf file. This
seems to be why it takes so long. In fact... it looks like for 10 KDCs,
"kinit" ends up making 316 DNS requests.
Why does it make so many requests? Why does it make DNS requests for ALL
the KDCs even if the first one returned results. Is this a function of
the kerberos library itself or something else?
I've tried setting the following in krb5.conf, but they don't seem to make
a difference:
dns_lookup_realm = false
dns_lookup_kdc = false
dns_fallback = false
I've also tried 1.4.3 compiled WITHOUT --disable-dns-for-realm and 1.4.4
compiled WITH --disable-dns-for-realm, but that didn't make a difference
either.
PS. The reason I'm concerned about this is because I need to build a new
krb5-1.4.4 package to be distributed to all our developers that contains
the new krb5.conf file. I don't want to get a bunch of users telling me
how slow kinit has become.
distributing a new standard krb5.conf file. Now... instead of taking < 1
sec to get a password prompt from "kinit", it takes 40-50 secs.
The old file lists 6 KDCs using IP addresses instead of hostnames. The
new file lists 10 KDCs using hostnames... so obviously it has something to
do with DNS.
Using krb5-1.4.4, and running strace on kinit, it appears to be doing
multiple DNS requests for EVERY KDC listed in the krb5.conf file. This
seems to be why it takes so long. In fact... it looks like for 10 KDCs,
"kinit" ends up making 316 DNS requests.
Why does it make so many requests? Why does it make DNS requests for ALL
the KDCs even if the first one returned results. Is this a function of
the kerberos library itself or something else?
I've tried setting the following in krb5.conf, but they don't seem to make
a difference:
dns_lookup_realm = false
dns_lookup_kdc = false
dns_fallback = false
I've also tried 1.4.3 compiled WITHOUT --disable-dns-for-realm and 1.4.4
compiled WITH --disable-dns-for-realm, but that didn't make a difference
either.
PS. The reason I'm concerned about this is because I need to build a new
krb5-1.4.4 package to be distributed to all our developers that contains
the new krb5.conf file. I don't want to get a bunch of users telling me
how slow kinit has become.