On Wed, Sep 19, 2012 at 04:07:47PM -0400, Jack Neely wrote:
> Greetings,
>
> I have a performance issue between my KDCs and our radius servers that
> have very heavy authentication load. As our principals have PREAUTH
> required there's much more RPC traffic to the KDCs than with PREAUTH
> turned off. Combined with the kprop happening every 5 minutes our
> radius servers sometimes encounter a 3 or 5 second delay, and with 600
> requests a minute things quickly cascade.
>
> How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
> initial AS_REQ? (We are just using PA-ENC-TIMESTAMP.) Testing with a
> principal that does not require PREAUTH shows a marked performance
> increase.
>
> Secondly, my KDCs are getting quite a few PREAUTH_FAILED error messages
> which seems to indicate the client used a PREAUTH type the KDC did not
> understand. Will setting preferred_preauth_types in krb5.conf to use
> PA-ENC-TIMESTAMP first correct this? What's the right incantation?
>

Nothing like replying to your own email.

A network capture has revealed what's happening with the PREAUTH_FAILED
error messages. My newer clients (krb5 1.9 on RHEL 6) are sending an
AS_REQ to my KDCs with a preauthentication data of type
PA-REQ-ENC-PA-REP (149). My KDCs are RHEL 5 running krb5 1.6.1 and in
this case return error code KRB5KDC_ERR_PREAUTH_FAILED (24). At this
point the client tries an AS_REQ with either no preauth or
PA-ENC-TIMESTAMP.

As my 1.6.1 KDC doesn't support the PA-REQ-ENC-PA-REP extension,
shouldn't it be ignoring the preauth data rather than returning an
error?

Jack Neely
--
Jack Neely <[email protected]>
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4 EA6B 213B 765F 3B6A 5B89
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
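The thread above describes two things a KDC operator would want to tell apart in krb5kdc.log: the benign pattern where a newer client offers a padata type the older KDC rejects with PREAUTH_FAILED and then immediately retries and gets a ticket, versus a client that keeps failing preauthentication and never gets one. The following is an added example, not code from the original post or from MIT krb5; the log lines are constructed in the style of krb5kdc.log (the field layout is an assumption, not a copy of a real capture), and the function names and the threshold are the example's own.

```python
"""Triage AS_REQ outcomes in krb5kdc.log-style lines.

Separates the pattern from the thread (client sends a padata type the KDC
does not understand, gets PREAUTH_FAILED, retries and succeeds) from clients
that fail preauthentication repeatedly and never receive a ticket.
Added example; the sample lines below are constructed, not a real capture.
"""
import re
from collections import defaultdict

# Constructed sample lines in the style of krb5kdc.log (assumed layout).
SAMPLE_LOG = """\
Sep 19 16:07:01 kdc1 krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 19 16:07:01 kdc1 krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Sep 19 16:07:01 kdc1 krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1348085221, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Sep 19 16:07:02 kdc1 krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 19 16:07:02 kdc1 krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Sep 19 16:07:03 kdc1 krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Sep 19 16:07:04 kdc1 krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Sep 19 16:07:05 kdc1 krb5kdc[2104](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1348085221, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/web.example.com@EXAMPLE.COM
"""

# Only AS_REQ lines matter here; TGS_REQ lines are deliberately not matched.
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \([^)]*\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)"
)


def parse_as_req(line):
    """Return (source_ip, client_principal, status) for an AS_REQ line, else None."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("client"), m.group("status")


def summarize(lines):
    """Per (source_ip, client_principal): counts of each AS_REQ outcome, plus how
    many PREAUTH_FAILED entries were immediately followed by an ISSUE for the
    same client (the retry-then-succeed pattern described in the thread)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_as_req(line)
        if parsed:
            ip, client, status = parsed
            events[(ip, client)].append(status)
    summary = {}
    for key, seq in events.items():
        stats = {"needed_preauth": 0, "preauth_failed": 0, "issue": 0,
                 "recovered_failures": 0}
        for i, status in enumerate(seq):
            if status == "NEEDED_PREAUTH":
                stats["needed_preauth"] += 1
            elif status == "PREAUTH_FAILED":
                stats["preauth_failed"] += 1
                if i + 1 < len(seq) and seq[i + 1] == "ISSUE":
                    stats["recovered_failures"] += 1
            elif status == "ISSUE":
                stats["issue"] += 1
        summary[key] = stats
    return summary


def persistent_failures(summary, threshold=3):
    """(ip, client) pairs whose PREAUTH_FAILED count, after discounting failures
    that were immediately followed by a successful ISSUE, reaches threshold.
    The threshold is the example's own choice, not a krb5 setting."""
    return sorted(key for key, s in summary.items()
                  if s["preauth_failed"] - s["recovered_failures"] >= threshold)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for key, s in sorted(stats.items()):
        print(key, s)
    print("persistent failures:", persistent_failures(stats))
```

Run as-is it reports alice's single failure as recovered (one extra AS_REQ round trip per logon, the cost the first message complains about) and flags bob, whose three failures are never followed by a ticket. On a real KDC the same split, applied to the live log, shows whether a PREAUTH_FAILED burst is version-mismatch noise or something that deserves a closer look.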
