Good Afternoon.
I have two KDCs and my DNS servers are pointing to both of them with
equal weight. Both KDCs are running 1.9.1.
_kerberos._udp IN SRV 10 0 88 <server 1>
_kerberos._udp IN SRV 10 0 88 <server 2>
We are using Russ's pam-krb5 module version 4.4 compiled against krb 1.8.3.
The problem I have is that if I update my client from 1.8.3 to 1.9.1 my
High Availability breaks. A 1.9.1 client will not successfully
authenticate if one of my KDCs is down. My 1.8.3 clients work fine.
With both KDCs running they seem to split the work between them with
some messages coming from one and some from the other.
/var/log/krb5/krb5kdc.log:
Nov 18 14:07:28 *server1* krb5kdc[3412](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.22: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 18 14:07:28 *server2* krb5kdc[4044](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.22: ISSUE: authtime 1321643248, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Nov 18 14:07:28 *server2* krb5kdc[4044](info): TGS_REQ (4 etypes {18 17 16 23}) 172.20.23.22: ISSUE: authtime 1321643248, etypes {rep=18 tkt=18 ses=18}, [email protected] for host/[email protected]
With one KDC shut down (krb5kdc stopped), the remaining KDC gets either
one or two of the requests but never sends the TGS. When doing a TCP
dump, the TGS request seems to go to the failed KDC and is not retried.
Nov 18 14:13:30 server2 krb5kdc[4044](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.20: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 18 14:13:30 server2 krb5kdc[4044](info): AS_REQ (4 etypes {18 17 16 23}) 172.20.23.20: ISSUE: authtime 1321643610, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
/var/log/messages:
Nov 18 16:12:35 surdrdb sshd[13148]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
Nov 18 16:12:35 surdrdb sshd[13148]: pam_krb5(sshd:auth): (user [email protected]) attempting authentication as [email protected]
... Nothing else is logged here.
Is this a regression in krb 1.9.1 (has it been fixed in 1.9.2? This is
not yet available in the SLES build service), or is something else going on?
Thanks
Tom Parker
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
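Added example, not part of the mailing-list message above and not MIT krb5 or pam-krb5 code: a small Python model of what a client is expected to do with the _kerberos._udp SRV records in the post, that is, order the KDCs per RFC 2782 (lowest priority first, weighted random among equals) and, for every exchange separately, move on to the next KDC when one does not answer. The zone text, hostnames server1/server2.example.com and the `send` callback are constructed assumptions; nothing on the network is contacted. Running it with server1 marked down shows both the AS and the TGS step landing on server2, which is the behaviour the post says its 1.8.3 clients have.

```python
"""Model of SRV-based KDC selection with per-request failover (added example,
assumptions: constructed zone data and a fake transport, no real Kerberos)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_zone(text):
    """Parse lines of the form '_kerberos._udp IN SRV <prio> <weight> <port> <target>'
    (the layout used in the post); other lines are ignored."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[1:3] != ["IN", "SRV"]:
            continue
        prio, weight, port = (int(p) for p in parts[3:6])
        records.append(SrvRecord(prio, weight, port, parts[6].rstrip(".")))
    return records


def order_srv(records, rng=random):
    """RFC 2782 client ordering: ascending priority; inside one priority a
    weighted random draw, with all-zero weights degrading to a plain shuffle."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                n, acc = rng.randint(0, total - 1), 0
                for r in pool:
                    acc += r.weight
                    if acc > n:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def exchange_with_failover(records, send, rng=random):
    """Try each KDC in SRV order until one answers.

    `send(target, port)` is the transport: it returns the KDC reply or raises
    OSError (TimeoutError is a subclass) when the KDC is unreachable.  Returns
    (target_used, reply); raises RuntimeError only when every KDC failed,
    i.e. the genuine 'cannot contact any KDC' condition."""
    failures = {}
    for r in order_srv(records, rng):
        try:
            return r.target, send(r.target, r.port)
        except OSError as exc:
            failures[r.target] = repr(exc)
    raise RuntimeError(f"no KDC reachable: {failures}")


def authenticate(records, send, rng=random):
    """AS exchange followed by a TGS exchange, each with its own failover pass,
    so a KDC that died between the two steps is skipped for the second one.
    Returns the list of KDCs that actually served the two requests."""
    as_kdc, _ = exchange_with_failover(records, send, rng)
    tgs_kdc, _ = exchange_with_failover(records, send, rng)
    return [as_kdc, tgs_kdc]


def make_fake_send(down):
    """Constructed transport: hosts in `down` refuse, all others answer."""
    def send(target, port):
        if target in down:
            raise OSError(f"{target}:{port} connection refused")
        return f"reply from {target}:{port}"
    return send


# Constructed zone mirroring the post's two equal-priority, equal-weight KDCs.
ZONE = """\
_kerberos._udp IN SRV 10 0 88 server1.example.com.
_kerberos._udp IN SRV 10 0 88 server2.example.com.
"""

if __name__ == "__main__":
    kdcs = parse_srv_zone(ZONE)
    print("server1 down ->", authenticate(kdcs, make_fake_send({"server1.example.com"})))
    print("all up       ->", authenticate(kdcs, make_fake_send(set())))
```

The point of keeping the failover loop inside `exchange_with_failover` rather than choosing a KDC once per session is exactly the symptom in the post: the AS request succeeding on the surviving KDC buys nothing if the TGS request is then pinned to the dead one.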