Is it possible to specify the kdc for the realm inside krb5.conf? Java only uses DNS to get kdc when it cannot read one from krb5.conf.
--Max

On Jul 28, 2014, at 21:16, Michael Osipov <1983-01...@gmx.net> wrote:

> Hi folks,
>
> I am experiencing a performance degradation when JGSS tries to locate a KDC
> via DNS.
> We have for our default realm 120 KDCs running. My Java code performs a SASL
> bind with Kerberos (keytab)
> to get some data from AD over LDAP. This takes sometimes minutes to do where
> weeks ago mere seconds were necessary.
> It seems now we have the double amount of KDCs and this is the problem with
> JGSS.
>
> I can see that the roundtrips with the KDC like AS-REQ, preauth required,
> AS-REQ, AS-REP, TGS-REQ, TGS-REP, etc.
> are always preceded by a getKDCFromDNS. A grep and wc -l over my logfile
> shows 110 roundtrips for KDC lookup. This is insane.
> The request time and payload slow down the entire operation.
>
> Wouldn't it be possible to perform the lookup *once* and then issue all KDC
> requests to the KDC which is working?
>
> I have to disable the DNS resolution for Java temporarily.
>
> Michael