This one is mostly for the records, as I recently had to fix it.

If you
- run the Kerberos5 kdc as distributed with FreeBSD (4.4, maybe others as well),
- and have DNS nameservice running
- and DNS configured to access the root-nameservers of the internet (or some equivalent configuration),

then everything may work well until someday the internet connection (or your equivalent uplink to your root-nameserver) is not active. And then suddenly no kerberized login at all will work anymore.

Although you usually should not need that uplink for production (because all the host data for your site and kerberos realm should be kept in local nameservers or other means), you might experience quite an inconvenience by this effect.

The point hereby is: the kerberos system tends to do requests to the nameserver asking for the TXT record for krb5-realm.localhost. and _kerberos.localhost., as there is the option to do kerberos configuration in that way. But in case these records do not exist - because there is no nameserver map at all for a domain .localhost - the local nameserver will not know about them and will propagate the query up to the root-nameserver, likely to get the authoritative answer that these records do not exist. And kerberos will be satisfied by this and continue without them.

Now when the root-nameservers are not reachable, then the local nameserver does not know if these records might exist somewhere or not - and it will tell so to kerberos (aka "server failed"). This is not considered satisfying by kerberos, so it will stall the login process and ask the nameserver every 40 secs. again and again if the connection has come back.

To get rid of this, just make your local nameserver authoritative about it, i.e. configure an empty zone file for domain localhost.

Comments by nameserver experts? Is this a suitable approach?

rgds,
PMc
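
A minimal authoritative zone for localhost of the kind the message describes, as an added example that is not part of the original post. It assumes a BIND-style nameserver; the file name localhost.zone, the timer values and the A record are assumptions chosen for illustration.

```dns
; --- named.conf stanza (BIND syntax), shown here as a comment ---
;   zone "localhost" {
;       type master;
;       file "localhost.zone";   // hypothetical file name
;   };
;
; --- localhost.zone ---
; Holds only the records a zone must have (SOA, NS) plus the usual
; loopback address. Timer values are constructed sample values.
$TTL 3600
@       IN  SOA localhost. root.localhost. (
                1        ; serial
                3600     ; refresh
                900      ; retry
                604800   ; expire
                3600 )   ; minimum
        IN  NS  localhost.
        IN  A   127.0.0.1
; No TXT records for krb5-realm.localhost. or _kerberos.localhost. exist
; here, so the server answers those queries itself with an authoritative
; "no such name" and never has to ask the root-nameservers.
```

After the nameserver reloads, a TXT query for _kerberos.localhost. against the local server should come back as NXDOMAIN rather than "server failed", even with the uplink down.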