Subject: Client waits before moving on after KDC_ERR_SVC_UNAVAILABLE
A KDC error of KDC_ERR_SVC_UNAVAILABLE indicates that the client should
try other KDCs. Right now we do try other KDCs, but only after timing
out on the KDC we received the reply from.

We handle KDC_ERR_SVC_UNAVAILABLE using the msg_handler callback
argument of k5_sendto. When service_fds receives a reply from the
function, it invokes the callback, which decodes the reply as a
KRB-ERROR and returns 1 if it is a KDC_ERR_SVC_UNAVAILABLE error.
service_fds reacts by continuing the loop, but does not mark the server
as dead, so the loop continues to wait for a reply from the KDC (even
though it has already replied) until the next timeout interval.

We can solve 90% of this problem by marking the server as dead when the
msg_handler callback returns 1, so that selstate->nfds decrements to 0
and service_fds returns to k5_sendto. If we are still waiting for other
servers, we will still continue waiting for them longer than we really
need to, but that's also true if we got a communications failure talking
to the most recently resolved server.
Subject: git commit
From: ghudson@mit.edu

End connection on KDC_ERR_SVC_UNAVAILABLE

In sendto_kdc.c:service_fds(), if a message handler indicates that a
message should be discarded, kill the connection so we don't continue
waiting on it for more data.

https://github.com/krb5/krb5/commit/ca80f64c786341d5871ae1de18142e62af64f7b9
Author: Greg Hudson <ghudson@mit.edu>
Commit: ca80f64c786341d5871ae1de18142e62af64f7b9
Branch: master
src/lib/krb5/os/sendto_kdc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
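
An added example (not krb5 source, and not part of the ticket or the commit) that models the wait described in the ticket and the effect of ending the connection when the handler discards a reply. It is a simplified, sequential model: the struct, the function names, the tick-based timeout and the two-server scenario are assumptions made for illustration; 29 is the RFC 4120 value of KDC_ERR_SVC_UNAVAILABLE.

```c
/* Simplified model of a client wait loop; hypothetical, not krb5 source code. */
#include <stdio.h>
#define KDC_ERR_SVC_UNAVAILABLE 29   /* error code from RFC 4120 */
#define TIMEOUT_TICKS 10             /* constructed per-server timeout */
struct conn {
    int reply_tick;   /* tick at which this server's reply arrives */
    int error_code;   /* 0 = usable reply, otherwise a KRB-ERROR code */
    int dead;         /* set once we stop waiting on this server */
};

/* Hypothetical handler: return 1 when the reply should be discarded. */
static int msg_handler(int code) { return code == KDC_ERR_SVC_UNAVAILABLE; }

/* Try servers in order; return ticks elapsed until a reply is accepted. */
static int send_to_servers(struct conn *s, int n, int kill_on_discard, int *answered_by)
{
    int elapsed = 0;
    *answered_by = -1;
    for (int i = 0; i < n; i++) {
        int nfds = 1;                       /* connections still waited on */
        for (int tick = 0; tick < TIMEOUT_TICKS && nfds > 0; tick++) {
            elapsed++;
            if (tick != s[i].reply_tick) continue;   /* nothing readable yet */
            if (!msg_handler(s[i].error_code)) {
                *answered_by = i;           /* usable reply: stop here */
                return elapsed;
            }
            if (kill_on_discard) {          /* behaviour with the fix */
                s[i].dead = 1;
                nfds--;                     /* nothing left to wait on */
            }                               /* else: wait out the timeout */
        }
    }
    return elapsed;
}

/* Constructed scenario: first KDC is unavailable, second answers normally. */
static int run_demo(int kill_on_discard, int *answered_by)
{
    struct conn servers[2] = { {0, KDC_ERR_SVC_UNAVAILABLE, 0}, {1, 0, 0} };
    return send_to_servers(servers, 2, kill_on_discard, answered_by);
}

int main(void) {
    int who;
    printf("without kill: %d ticks\n", run_demo(0, &who));
    printf("with kill:    %d ticks\n", run_demo(1, &who));
    return 0;
}
```

In this model the client reaches the second KDC after a full timeout when the discarded connection stays alive, and immediately when it is killed.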