help-gsasl

hang with unreachable KDC


From: Greg Troxel
Subject: hang with unreachable KDC
Date: Wed, 25 Mar 2015 19:16:57 -0400
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.4 (berkeley-unix)

I'm using gsasl 1.8.0 with jabberd2 on NetBSD 5, i386.

On this machine, jabber logins started taking about 3 minutes.  I traced
this to a recently-added krb5 SRV record for the jabber service's domain
name, and the kerberos server not being reachable from the jabber
server.  I would see TCP connections in SYN_SENT, and the jabber server
(c2s specifically) would hang until they time out.

I was able to reproduce this with

$ gsasl --server-mechanisms
channel binding: "23"
service: accept "imap"
hostname: host.example.com

and there would be a TCP connection to the KDC.  (To reproduce, add a SRV
record and firewall that host.)

Running this without the srv record, I get:

ANONYMOUS EXTERNAL LOGIN PLAIN SECURID DIGEST-MD5 CRAM-MD5 SAML20 OPENID20

which I note does not include GSSAPI and GS2-KRB5.  So it seems that the
server is trying to somehow validate the Kerberos setup, even though I
haven't configured it on the machine and don't have a host principal.
It seems like this shouldn't happen, but I can see why it might.

So I wonder if the "is krb5 available" logic should first look for the
host principal keytab, and only if that is found try to see about the
KDC.

Arguably the KDC should not be contacted until there is something to
validate, but I'm not clear on why it's happening.

Thanks,
Greg

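As an added example of the local check proposed above (this is not gsasl's own code), the following parses an MIT-format keytab and reports whether it holds a host/<hostname> principal, so a server could decide whether Kerberos mechanisms are worth advertising without opening a connection to the KDC. It assumes MIT keytab file format version 2 (0x0502); the sample keytab is constructed inline with a dummy key.

```python
import struct

KEYTAB_VERSION = 0x0502  # MIT keytab file format v2, all integers big-endian

def _counted(data):  # counted_octet_string: uint16 length, then the bytes
    return struct.pack(">H", len(data)) + data

def _read_counted(data, off):  # returns (bytes, next offset)
    n = struct.unpack_from(">H", data, off)[0]
    return data[off + 2:off + 2 + n], off + 2 + n

def build_keytab(entries):
    """Build a keytab from (principal, realm, kvno, enctype, key) tuples; sample use only."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type=1 (NT-PRINCIPAL), timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)  # keyblock
        out += struct.pack(">i", len(body)) + body
    return out

def keytab_principals(data):
    """Yield 'name@REALM' for each live entry (a negative size marks a deleted slot)."""
    if struct.unpack_from(">H", data, 0)[0] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version")
    off = 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size <= 0:
            off += -size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp.decode())
        yield "/".join(comps) + "@" + realm.decode()
        off = end  # skip name_type, timestamp, vno8, keyblock, optional vno

def has_host_principal(data, hostname):
    """The gate proposed in the post: consider Kerberos only if a host/<hostname> key exists."""
    return any(p.startswith("host/%s@" % hostname) for p in keytab_principals(data))

# Constructed sample keytab (dummy key bytes, not a real key): one host principal.
SAMPLE_KEYTAB = build_keytab([("host/host.example.com", "EXAMPLE.COM", 3, 18, b"\0" * 32)])
```

Only when this returns true would a server go on to acquire credentials, which is the step that actually reaches out to the KDC.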