From: Peter Much <pmc@citylink.dinoex.sub.org>
To: questions@freebsd.org
Date: Wed, 1 Jan 2003 04:43:38 +0100
Subject: Kerb.5 login hangs when uplink (internet) is down
Message-ID: <20030101044338.A1197@disp.oper.dinoex.org>
List: freebsd-questions@freebsd.org

This one is mostly for the records, as I recently had to fix it.
If you
- run the Kerberos5 kdc as distributed with FreeBSD (4.4, maybe others as well),
- have DNS nameservice running,
- and have DNS configured to access the root nameservers of the internet (or some equivalent configuration),
then everything may work well until someday the internet connection (or your equivalent uplink to your root nameserver) is not active. And then suddenly no kerberized login at all will work anymore.

Although you usually should not need that uplink for production (because all the host data for your site and Kerberos realm should be kept in local nameservers or by other means), you might experience quite an inconvenience from this effect.

The point here is: the Kerberos system tends to send requests to the nameserver asking for the TXT records for krb5-realm.localhost. and _kerberos.localhost., as there is the option to do Kerberos configuration that way. But in case these records do not exist (because there is no nameserver map at all for a domain .localhost), the local nameserver will not know about them and will propagate the query up to the root nameservers, likely to get the authoritative answer that these records do not exist. And Kerberos will be satisfied by this and continue without them.

Now when the root nameservers are not reachable, the local nameserver does not know whether these records might exist somewhere or not, and it will tell Kerberos so (aka "server failed"). Kerberos does not consider this satisfactory, so it will stall the login process and ask the nameserver again every 40 seconds, over and over, in case the connection has come back.

To get rid of this, just make your local nameserver authoritative for it, i.e. configure an empty zone file for the domain localhost.

Comments from nameserver experts? Is this a suitable approach?

rgds,
PMc
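The fix the post describes, spelled out as an added example (editor's illustration, not configuration from the original message or from FreeBSD). It assumes a BIND-style named.conf and a master zone file; the file paths /etc/namedb/named.conf and master/localhost.zone are assumptions and should be adjusted to the local layout. A "localhost." zone that the local server is authoritative for still needs an SOA and an NS record to load, so the zone is minimal rather than literally empty; the A record for localhost is the conventional content and can be dropped if the site does not want it.

```conf
// File 1 (assumed path): /etc/namedb/named.conf
// Declare the local server authoritative for "localhost." so that any
// query for a name under it (e.g. _kerberos.localhost. TXT) is answered
// locally with NXDOMAIN instead of being forwarded toward the root servers.
zone "localhost" {
    type master;
    file "master/localhost.zone";   // assumed path, relative to named's directory
};

; File 2 (assumed path): /etc/namedb/master/localhost.zone
; Minimal authoritative zone: SOA and NS are required for the zone to load.
; The last SOA field is the negative-caching TTL, i.e. how long resolvers
; may cache the "name does not exist" answer.
$TTL 86400
@       IN  SOA localhost. root.localhost. (
                2003010101 ; serial (YYYYMMDDnn, hypothetical value)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                86400 )    ; negative-caching TTL
        IN  NS  localhost.
        IN  A   127.0.0.1
```

To check the effect after reloading named, run `dig @127.0.0.1 _kerberos.localhost. TXT` on the affected host: the answer header should show `status: NXDOMAIN` with the `aa` flag set, and it should look the same whether or not the uplink is up. The failure mode in the post shows up as `status: SERVFAIL` instead, which the Kerberos library treats as "try again later" rather than "does not exist". Two caveats for practitioners: current BIND 9 releases ship built-in empty zones for localhost and the loopback reverse zones (RFC 6303, controlled by `empty-zones-enable`), so on a modern resolver this is often already the case; and if the realm-from-DNS feature is not used at all, the lookup can be switched off at the source with `dns_lookup_realm = false` in the `[libdefaults]` section of krb5.conf, which both Heimdal and MIT Kerberos honour (whether the Heimdal shipped with FreeBSD 4.4 already accepted it is an assumption).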