> I understand your problem. Will see what we can do. When you say "Wouldn't it
> be possible to perform the lookup *once* and then issue all KDC requests to
> the KDC which is working?" do you mean the DNS query result could contain KDCs
> which do not work? Is this common?

It can contain invalid entries. Slave DNS servers aren't up to date, or a KDC has been dismantled but stale records exist.

> Guess there is no need for a log file, I know we don't cache the result of that
> method.

Yes, the caching is vital if the response is big. It consumes too much time.

I have retried that with MIT Kerberos 1.12.1 on that machine with gss-client. Turned on DNS resolution and KRB5_TRACE. It does several SRV lookups, but far less than JGSS, and it is extremely fast. I have a TGT and service ticket in a second.

> On Jul 29, 2014, at 1:01, Michael Osipov <1983-01...@gmx.net> wrote:
>
> >>
> >> Is it possible to specify the kdc for the realm inside krb5.conf? Java
> >> only uses DNS to get the kdc when it cannot read one from krb5.conf.
> >
> > Max, this is what I did but this is not a solution because we have dozens
> > of realms which in turn have tens of KDCs.
> > Adding those static lists to all Unix machines is annoying. It defeats the
> > whole purpose of DNS SRV.
> >
> > To compare numbers, the entire LDAP operation requires from request to
> > display in the browser no more than 4 seconds with static KDCs.
> > With DNS resolutions: minutes.
> >
> > If you are interested, I can provide log files privately. Moreover, I have
> > access to My Oracle Support if necessary.
> >
> > Michael
> >
> >> On Jul 28, 2014, at 21:16, Michael Osipov <1983-01...@gmx.net> wrote:
> >>
> >>> Hi folks,
> >>>
> >>> I am experiencing a performance degradation when JGSS tries to locate a
> >>> KDC via DNS.
> >>> We have for our default realm 120 KDCs running. My Java code performs a
> >>> SASL bind with Kerberos (keytab)
> >>> to get some data from AD over LDAP. This sometimes takes minutes to do
> >>> where weeks ago mere seconds were necessary.
> >>> It seems now we have double the amount of KDCs and this is the problem
> >>> with JGSS.
> >>>
> >>> I can see that the roundtrips with the KDC like AS-REQ, preauth required,
> >>> AS-REQ, AS-REP, TGS-REQ, TGS-REP, etc.
> >>> are always preceded by a getKDCFromDNS. A grep and wc -l over my logfile
> >>> shows 110 roundtrips for KDC lookup. This is insane.
> >>> The request time and payload slow down the entire operation.
> >>>
> >>> Wouldn't it be possible to perform the lookup *once* and then issue all
> >>> KDC requests to the KDC which is working?
> >>>
> >>> I have to disable the DNS resolution for Java temporarily.
> >>>
> >>> Michael
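The thread's two points (look up the realm's KDCs once per session rather than before every round trip, and keep using the KDC that actually answered while demoting stale entries) sketched as an added example. This is not code from the thread, from JGSS or from MIT Kerberos; the realm EXAMPLE.COM, the host names, the SRV records and the `CountingResolver` stand-in for a real `_kerberos._udp.<REALM>` query are all constructed so the script runs offline.

```python
"""Cache the DNS SRV lookup for a realm's KDCs and keep talking to a KDC that answered.

Added illustration (not JGSS or MIT code). Nothing here touches the network:
CountingResolver stands in for a real _kerberos._udp.<REALM> SRV query, and the
realm, hosts and records below are constructed sample data.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed SRV answer for the hypothetical realm EXAMPLE.COM. The third entry
# mimics the situation from the thread: a KDC that was dismantled but whose record
# is still served by a stale secondary DNS server.
SAMPLE_SRV = {
    "EXAMPLE.COM": [
        SrvRecord(priority=10, weight=50, port=88, target="kdc1.example.com."),
        SrvRecord(priority=10, weight=30, port=88, target="kdc2.example.com."),
        SrvRecord(priority=20, weight=0, port=88, target="kdc-old.example.com."),
        SrvRecord(priority=0, weight=100, port=88, target="kdc0.example.com."),
    ]
}


class CountingResolver:
    """Fake SRV resolver that counts how many lookups were actually issued."""

    def __init__(self, answers):
        self.answers = answers
        self.calls = 0

    def __call__(self, realm):
        self.calls += 1
        return list(self.answers.get(realm.upper(), []))


def order_by_srv(records):
    """Lowest priority first; within a priority, larger weight first.
    Simplification: RFC 2782 asks for weighted random selection within a priority."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


class KdcLocator:
    """One SRV lookup per realm per TTL, plus a per-realm ordering that remembers
    which KDC answered and which ones timed out."""

    def __init__(self, resolve, ttl=300.0, clock=time.monotonic):
        self._resolve = resolve
        self._ttl = ttl
        self._clock = clock
        self._cache = {}  # realm -> [expires_at, ["host:port", ...]]

    def kdcs(self, realm):
        """KDCs to try, in order; the resolver is hit only when the cache is cold or expired."""
        realm = realm.upper()
        now = self._clock()
        entry = self._cache.get(realm)
        if entry is None or entry[0] <= now:
            hosts = [f"{r.target.rstrip('.')}:{r.port}" for r in order_by_srv(self._resolve(realm))]
            entry = [now + self._ttl, hosts]
            self._cache[realm] = entry
        return list(entry[1])

    def mark_ok(self, realm, kdc):
        """A KDC answered: ask it first for every further round trip in this session."""
        self._move(realm, kdc, to_front=True)

    def mark_failed(self, realm, kdc):
        """A KDC timed out (e.g. a stale record): demote it until the cache is refreshed."""
        self._move(realm, kdc, to_front=False)

    def _move(self, realm, kdc, to_front):
        entry = self._cache.get(realm.upper())
        if entry is None or kdc not in entry[1]:
            return
        entry[1].remove(kdc)
        if to_front:
            entry[1].insert(0, kdc)
        else:
            entry[1].append(kdc)


def run_exchange(locator, realm, steps):
    """Simulate the round trips named in the thread (AS-REQ, AS-REP, TGS-REQ, ...),
    taking the first KDC on the cached list each time. Returns (step, kdc) pairs."""
    return [(step, locator.kdcs(realm)[0]) for step in steps]


if __name__ == "__main__":
    resolver = CountingResolver(SAMPLE_SRV)
    locator = KdcLocator(resolver, ttl=300.0)
    steps = ["AS-REQ", "AS-REQ (preauth)", "AS-REP", "TGS-REQ", "TGS-REP"]
    for step, kdc in run_exchange(locator, "EXAMPLE.COM", steps):
        print(f"{step:18s} -> {kdc}")
    print(f"SRV lookups issued: {resolver.calls}")
```

With a cold cache the five round trips cost exactly one SRV lookup, and a `mark_failed` on a stale host moves it to the back of the list for the rest of the TTL instead of being retried before every request; a real implementation would additionally randomise within a priority band as RFC 2782 describes and honour the record TTL returned by DNS rather than a fixed one.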