Subject: kdc timeouts report wrong error
When attempts to contact the KDC time out during an AS_REQ, the error
code which is reported is "unable to resolve KDC".

This is reproducible when there is no kdc configuration data in
krb5.conf and DNS SRV records for _kerberos._udp; _kerberos._tcp;
_kerberos-master._udp; and _kerberos-master._tcp exist.

Network trace shows all the DNS SRV records being obtained and AS_REQ
being sent to the server with an AS_REP being returned with an error
condition.

To: rt@krbdev.mit.edu
Subject: [krbdev.mit.edu #2599] clarification requested
Date: Tue, 23 Nov 2004 21:54:18 -0500 (EST)
From: hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:

Jeff, Tom, Ken and I were a bit confused. You say that you are getting
a response from the KDC in a timeout condition? What is timing out then?

Also, you describe the response as an as_rep with an error condition. Do you actually mean krb_err?

This bug was filed during the time that Sam and I were at Microsoft for
the interop testing. We were attempting to configure access from the
MIT client code to obtain tickets from the Windows 2003 Domain Controller.

The krb5.ini file contained an empty realm stanza:

MIT1.LZHUAES.NTTEST.MICROSOFT.COM = {
}

All of the information for the KDC should have been obtained via DNS.
Unfortunately I don't remember all of the details. Attempts to create
a similar situation with WIN.MIT.EDU did not result in a failure. I'm
looking for the network trace on my backup tapes.
Cc: Ken Raeburn <raeburn@mit.edu>, krb5-prs@mit.edu, hartmans@mit.edu
From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #2599] kdc timeouts report wrong error
Date: Tue, 30 Nov 2004 15:13:59 -0500
To: rt-comment@krbdev.mit.edu
RT-Send-Cc:
On Nov 30, 2004, at 13:43, Jeffrey Altman via RT wrote:
> The krb5.ini file contained an empty realm stanza:
>
> MIT1.LZHUAES.NTTEST.MICROSOFT.COM = {
> }
>
> All of the information for the KDC should have been obtained via DNS.

Either I'm consistently entering it wrong, or the data isn't in DNS any
more. I'm getting NXDOMAIN errors.

Ken
Date: Tue, 30 Nov 2004 15:23:42 -0500
From: Jeffrey Altman <jaltman@columbia.edu>
Cc: rt-comment@krbdev.mit.edu, krb5-prs@MIT.EDU
Subject: Re: [krbdev.mit.edu #2599] kdc timeouts report wrong error
RT-Send-Cc:

The domain is private and was only available during the interop
testing performed at Microsoft. I have tried to replicate the problem
with WINDOWS.SECURE-ENDPOINTS.COM and WIN.MIT.EDU unsuccessfully.

I cannot find the capture logs from the interop session. I'm not
sure that they were saved to disk.

- Jeff

[jaltman@columbia.edu - Tue Nov 30 15:23:22 2004]:

>
> The domain is private and was only available during the interop
> testing performed at Microsoft. I have tried to replicate the problem
> with WINDOWS.SECURE-ENDPOINTS.COM and WIN.MIT.EDU unsuccessfully.
>
> I cannot find the capture logs from the interop session. I'm not
> sure that they were saved to disk.
>
> - Jeff
>
>

I have been unable to replicate this with -current and using a test zone
containing a SRV record pointing at a machine which is offline.
Closing this ticket. File as new bug if it resurfaces.