topic Re: How to config PAM Kerberos in AD for multiple KDCs in Operating System - HP-UX

How to config PAM Kerberos in AD for multiple KDCs

Michael St. Laurent — Tue, 07 Oct 2008 21:31:10 GMT

Greetings,

HP-UX 11.11 system here in an Active Directory environment. We're switching over to Kerberos authentication. It works great right now until we reboot the main domain controller. I've added both domain controllers to the krb5.conf file but there is a very long pause (about 3 minutes) before it times out and tries the secondary kdc. As you can see below, I've already set the only timeout value I could find on the man page down to two seconds but it didn't seem to make any difference.

Is there an undocumented timeout value that I could tweak to reduce the pause to something more reasonable?

krb5.conf file below:

default_realm = HARTWELLCORP.COM
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
ccache_type = 2
kpasswd_timeout = 2

[realms]
HARTWELLCORP.COM = {
kdc = hcdc.hartwellcorp.com:88
kdc = hcbu.hartwellcorp.com:88
admin_server = hcdc.hartwellcorp.com
}
[domain_realm]
.hartwellcorp.com = HARTWELLCORP.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

Re: How to config PAM Kerberos in AD for multiple KDCs

Doug Lamoureux_2 — Wed, 15 Oct 2008 21:41:29 GMT

Make sure that you have the latest Kerberos client. I don't see this problem on my system:

# uname -a
HP-UX atcux3 B.11.11 U 9000/800 1731243132 unlimited-user license

# swlist -l product | grep -i kerb
KRB-Support B.11.11 Kerberos Support for HP-UX and DCE
KRB5-Client B.11.11 Kerberos V5 Client Version 1.0
PAM-Kerberos B.11.11.12 PAM-Kerberos Version 1.10
krb5client C.1.3.5.05 Kerberos V5 Client Version 1.3.5.05

# grep kdc /etc/krb5.conf
kdc = atcux8.rose.hp.com:88
kdc = atcwinvm4.rose.hp.com:88

# ping atcux8.rose.hp.com -n 2
PING atcux8.rose.hp.com: 64 byte packets

----atcux8.rose.hp.com PING Statistics----
2 packets transmitted, 0 packets received, 100% packet loss

# timex kinit dougl
Password for dougl@WIN2K8.ATC.HP.COM:

real 6.12
user 0.00
sys 0.01
#

Re: How to config PAM Kerberos in AD for multiple KDCs

Michael St. Laurent — Thu, 16 Oct 2008 16:28:47 GMT

I have the same as you or higher on my system:

-bash-3.00# swlist -l product | grep -i kerb
KRB-Support B.11.11 Kerberos Support for HP-UX and DCE
KRB5-Client B.11.11 Kerberos V5 Client Version 1.0
PAM-Kerberos B.11.11.12 PAM-Kerberos Version 1.10
krb5client C.1.3.5.06 Kerberos V5 Client Version 1.3.5.06
-bash-3.00#

Re: How to config PAM Kerberos in AD for multiple KDCs

Doug Lamoureux_2 — Thu, 16 Oct 2008 16:37:36 GMT

Is the 1st KDC reachable (pingable) when you are attempting to login? Have you tested with kinit as I did in my example? Taking a network trace may give you an idea what is taking so long. Is the same KDC(DC) your DNS server?

Re: How to config PAM Kerberos in AD for multiple KDCs

Michael St. Laurent — Thu, 16 Oct 2008 16:40:39 GMT

They are both domain controllers (active directory) and the windows admin needs to be able to reboot the primary from time to time. the backup is supposed to seamlessly step into the role. They are both DNS servers (the primary and secondary).

Re: How to config PAM Kerberos in AD for multiple KDCs

Doug Lamoureux_2 — Thu, 16 Oct 2008 16:51:47 GMT

so it may be DNS lookups that are causing the delay, are the DC's hostnames in the local /etc/hosts file? If I put a "downed" DNS server in my resolv.conf I see a delay executing kinit too:

# timex kinit dougl
Password for dougl@WIN2K8.ATC.HP.COM:

real 2:04.53
user 0.00
sys 0.01

If I use IP addresses is /etc/krb5.conf I don't see the DNS lookup delay (with downed DNS server in /etc/resolv.conf):

# timex kinit dougl
Password for dougl@WIN2K8.ATC.HP.COM:

real 4.24
user 0.00
sys 0.00

Re: How to config PAM Kerberos in AD for multiple KDCs

Michael St. Laurent — Thu, 16 Oct 2008 16:57:11 GMT

Oooh, good point. I'll try that!