Operating System - HP-UX

How to config PAM Kerberos in AD for multiple KDCs

Michael St. Laurent
Occasional Advisor

Greetings,

HP-UX 11.11 system here in an Active Directory environment. We're switching over to Kerberos authentication. It works great right now until we reboot the main domain controller. I've added both domain controllers to the krb5.conf file but there is a very long pause (about 3 minutes) before it times out and tries the secondary kdc. As you can see below, I've already set the only timeout value I could find on the man page down to two seconds but it didn't seem to make any difference.

Is there an undocumented timeout value that I could tweak to reduce the pause to something more reasonable?

krb5.conf file below:

[libdefaults]
    default_realm = HARTWELLCORP.COM
    default_tkt_enctypes = DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-MD5
    ccache_type = 2
    kpasswd_timeout = 2

[realms]
    HARTWELLCORP.COM = {
        kdc = hcdc.hartwellcorp.com:88
        kdc = hcbu.hartwellcorp.com:88
        admin_server = hcdc.hartwellcorp.com
    }

[domain_realm]
    .hartwellcorp.com = HARTWELLCORP.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
Doug Lamoureux_2
Valued Contributor

Re: How to config PAM Kerberos in AD for multiple KDCs

Make sure that you have the latest Kerberos client. I don't see this problem on my system:


# uname -a
HP-UX atcux3 B.11.11 U 9000/800 1731243132 unlimited-user license

# swlist -l product | grep -i kerb
KRB-Support B.11.11 Kerberos Support for HP-UX and DCE
KRB5-Client B.11.11 Kerberos V5 Client Version 1.0
PAM-Kerberos B.11.11.12 PAM-Kerberos Version 1.10
krb5client C.1.3.5.05 Kerberos V5 Client Version 1.3.5.05


# grep kdc /etc/krb5.conf
kdc = atcux8.rose.hp.com:88
kdc = atcwinvm4.rose.hp.com:88

# ping atcux8.rose.hp.com -n 2
PING atcux8.rose.hp.com: 64 byte packets

----atcux8.rose.hp.com PING Statistics----
2 packets transmitted, 0 packets received, 100% packet loss

# timex kinit dougl
Password for dougl@WIN2K8.ATC.HP.COM:

real 6.12
user 0.00
sys 0.01
#
Michael St. Laurent
Occasional Advisor

Re: How to config PAM Kerberos in AD for multiple KDCs

I have the same as you or higher on my system:

-bash-3.00# swlist -l product | grep -i kerb
KRB-Support B.11.11 Kerberos Support for HP-UX and DCE
KRB5-Client B.11.11 Kerberos V5 Client Version 1.0
PAM-Kerberos B.11.11.12 PAM-Kerberos Version 1.10
krb5client C.1.3.5.06 Kerberos V5 Client Version 1.3.5.06
-bash-3.00#
Doug Lamoureux_2
Valued Contributor

Re: How to config PAM Kerberos in AD for multiple KDCs

Is the 1st KDC reachable (pingable) when you are attempting to login? Have you tested with kinit as I did in my example? Taking a network trace may give you an idea what is taking so long. Is the same KDC(DC) your DNS server?
Michael St. Laurent
Occasional Advisor

Re: How to config PAM Kerberos in AD for multiple KDCs

They are both domain controllers (Active Directory) and the Windows admin needs to be able to reboot the primary from time to time. The backup is supposed to seamlessly step into the role. They are both DNS servers (the primary and secondary).
Doug Lamoureux_2
Valued Contributor
Solution

Re: How to config PAM Kerberos in AD for multiple KDCs

So it may be DNS lookups that are causing the delay. Are the DCs' hostnames in the local /etc/hosts file? If I put a "downed" DNS server in my resolv.conf I see a delay executing kinit too:


# timex kinit dougl
Password for dougl@WIN2K8.ATC.HP.COM:

real 2:04.53
user 0.00
sys 0.01


If I use IP addresses in /etc/krb5.conf I don't see the DNS lookup delay (with downed DNS server in /etc/resolv.conf):


# timex kinit dougl
Password for dougl@WIN2K8.ATC.HP.COM:

real 4.24
user 0.00
sys 0.00

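The two things this thread turns on are (a) which KDCs the client will try, in order, from the [realms] section, and (b) whether reaching them depends on a DNS server that may be the very DC that was just rebooted. The script below is an added example, not code from the original post or from HP; it parses the [realms] section of a krb5.conf, TCP-checks each KDC on its port with an explicit timeout, and writes out a copy of the config with the kdc hostnames pinned to IP addresses, which is the workaround the accepted answer arrived at. The sample config is constructed from the one posted above; the resolver table and the 192.0.2.x addresses used in testing are placeholders, and the helper names (parse_kdcs, pin_kdcs, check_kdc) are this example's own.

```python
"""Added example (not from the thread): parse the [realms] section of a
krb5.conf, probe each KDC with a bounded timeout, and emit a copy of the
config with KDC hostnames pinned to IP addresses so that a dead DNS server
cannot stall the client before it ever tries the secondary KDC.
Hostnames, addresses and the sample config are constructed for illustration."""
import re
import socket
import time

DEFAULT_KDC_PORT = 88

# Constructed sample modelled on the krb5.conf posted in the question.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = HARTWELLCORP.COM

[realms]
HARTWELLCORP.COM = {
kdc = hcdc.hartwellcorp.com:88
kdc = hcbu.hartwellcorp.com:88
admin_server = hcdc.hartwellcorp.com
}

[domain_realm]
.hartwellcorp.com = HARTWELLCORP.COM
"""

_SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")
_REALM_OPEN = re.compile(r"^\s*([^\s=]+)\s*=\s*\{\s*$")
# host[:port]; IPv4 or DNS names only (an IPv6 literal would need brackets).
_KDC = re.compile(r"^(\s*kdc\s*=\s*)([^\s:]+)(?::(\d+))?\s*$")


def parse_kdcs(conf_text):
    """Return {realm: [(host, port), ...]} in the order the library tries them."""
    realms, section, realm = {}, None, None
    for line in conf_text.splitlines():
        m = _SECTION.match(line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = _REALM_OPEN.match(line)
        if m:
            realm = m.group(1)
            realms.setdefault(realm, [])
            continue
        if line.strip() == "}":
            realm = None
            continue
        m = _KDC.match(line)
        if m and realm is not None:
            port = int(m.group(3)) if m.group(3) else DEFAULT_KDC_PORT
            realms[realm].append((m.group(2), port))
    return realms


def pin_kdcs(conf_text, resolve=socket.gethostbyname):
    """Rewrite 'kdc = host[:port]' lines with the host replaced by its address.
    A host that does not resolve is left as-is so no KDC silently disappears."""
    out, section = [], None
    for line in conf_text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
        m = _KDC.match(line) if section == "realms" else None
        if m:
            try:
                addr = resolve(m.group(2))
            except (OSError, KeyError):  # gaierror is an OSError; KeyError for table resolvers
                addr = m.group(2)
            port = m.group(3) or str(DEFAULT_KDC_PORT)
            line = "%s%s:%s" % (m.group(1), addr, port)
        out.append(line)
    return "\n".join(out) + "\n"


def check_kdc(host, port, timeout=2.0):
    """TCP-connect to the KDC with a bounded timeout; returns (reachable, seconds).
    Name lookup still goes through libc and its resolv.conf timeouts, which is
    exactly the stall in the thread; an IP literal never touches DNS."""
    start = time.time()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, time.time() - start
    except OSError:
        return False, time.time() - start


if __name__ == "__main__":
    for realm, kdcs in parse_kdcs(SAMPLE_KRB5_CONF).items():
        for host, port in kdcs:
            ok, secs = check_kdc(host, port)
            print("%s %s:%d %s (%.2fs)" % (realm, host, port, "up" if ok else "DOWN", secs))
    print(pin_kdcs(SAMPLE_KRB5_CONF))
```

A reachable TCP port 88 only shows the KDC is listening, not that it is healthy, so keep the kinit timing from the answer as the real check. Pinning addresses trades the DNS dependency for a maintenance burden whenever a DC moves; listing both DCs in /etc/hosts with `hosts: files dns` in /etc/nsswitch.conf is the lighter alternative the answer hints at. Separately, the posted config forces DES-CBC-MD5 for ticket and TGS enctypes; single DES is deprecated for Kerberos (RFC 6649) and is disabled by default in current Active Directory and MIT releases, so that setting will need to change independently of the failover issue.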
Michael St. Laurent
Occasional Advisor

Re: How to config PAM Kerberos in AD for multiple KDCs

Oooh, good point. I'll try that!