Greetings,

I have a performance issue between my KDCs and our RADIUS servers that have very heavy authentication load. As our principals have PREAUTH required, there's much more RPC traffic to the KDCs than with PREAUTH turned off. Combined with the kprop happening every 5 minutes, our RADIUS servers sometimes encounter a 3 or 5 second delay, and with 600 requests a minute things quickly cascade.

How can I configure a RHEL 6 Kerberos client to use PREAUTH on the initial AS_REQ? (We are just using PA-ENC-TIMESTAMP.) Testing with a principal that does not require PREAUTH shows a marked performance increase.

Secondly, my KDCs are getting quite a few PREAUTH_FAILED error messages, which seems to indicate the client used a PREAUTH type the KDC did not understand. Will setting preferred_preauth_types in krb5.conf to use PA-ENC-TIMESTAMP first correct this? What's the right incantation?

Jack Neely

--
Jack Neely <[email protected]>
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4 EA6B 213B 765F 3B6A 5B89

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
