Gentoo Forums
kerberos authentification - kdc slow? [solved]
Kompi
Apprentice
Joined: 05 Oct 2002
Posts: 252
Location: Germany

PostPosted: Mon Apr 18, 2011 6:13 pm    Post subject: kerberos authentification - kdc slow? [solved]

I just set up a Kerberos KDC server using mit-krb5 to authenticate users in my small local network. I did that so I can use secure NFSv4 connections to share files. To do so I authenticate users on clients with pam_krb5 against the KDC server's principals. This is working fine, but authenticating users is a little too slow for my taste.

If I call kinit at a workstation it takes about 3-6 seconds before the auth process is done. It's the same when using pam_krb5.so at login. This slows down any login. However, if I kinit in a shell on the server itself, authentication is completed almost instantly.

So I ask myself, why is this taking so long? The clients have a pretty good connection to the server (1 Gbit/s LAN), so auth over the network should be almost as fast as on the server itself. Even if there's no traffic on the network, it takes that long. So it can't be the network connection. But as it is fast when done on the server itself, it cannot be caused by the kdc-server process being misconfigured or needing that long to do all its checks.

Does anyone have experience with that? Is that normal?

Here is my krb5.conf. This is pretty default (my realm/local domain is called "WG", the kdc and admin-server are both on the host called "morpheus"):

/etc/krb5.conf:

[libdefaults]
   default_realm = WG
   default_tkt_enctypes = aes256-cts-hmac-sha1-96
   default_tgs_enctypes = aes256-cts-hmac-sha1-96
   permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
   forwardable = true

[realms]
   WG = {
      admin_server = morpheus.WG
      kdc = morpheus.WG
      default_domain = WG
   }


and my kdc.conf:

/var/lib/krb5kdc/kdc.conf:

[kdcdefaults]
   kdc_tcp_ports = 88

[realms]
   WG = {
      max_life = 16h 0m 0s
      max_renewable_life = 7d 0h 0m 0s
      master_key_type = aes256-cts-hmac-sha1-96
      supported_enctypes = aes256-cts-hmac-sha1-96:normal rc4-hmac:normal
      kdc_supported_enctypes = aes256-cts-hmac-sha1-96:normal rc4-hmac:normal
   }


Last edited by Kompi on Tue Apr 19, 2011 2:12 pm; edited 1 time in total
nativemad
Developer
Joined: 30 Aug 2004
Posts: 911
Location: Switzerland

PostPosted: Tue Apr 19, 2011 12:27 pm    Post subject:

Hi,

3-6 seconds!? That sounds like a DNS issue to me!
I would try it first with an /etc/hosts entry on the client for morpheus.wg...


HTH, Cheers
_________________
Power to the people!
Kompi
Apprentice
Joined: 05 Oct 2002
Posts: 252
Location: Germany

PostPosted: Tue Apr 19, 2011 2:12 pm    Post subject:

I already had that line in /etc/hosts. However, you were right, it was a DNS issue. For some reason kinit tried to resolve the KDC's address via DNS first, before trying /etc/hosts. I anticipated it to be the other way around.

So my solution was to add:

Code:
dns_lookup_kdc = false


to the [libdefaults]-section.

Thanks!
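The fix above boils down to one profile setting, so it is worth being able to check a krb5.conf for it mechanically. The following is an added example (not code from the thread or from MIT krb5): a small parser for the krb5.conf profile format, an audit function that reports whether the default realm's KDC will be located through DNS SRV lookups or only through the listed `kdc =` entries, and a helper that sets `dns_lookup_kdc = false` in `[libdefaults]`. The sample configuration is constructed to mirror the one posted; the function names and the audit wording are this example's own. The audit assumes MIT's documented default that `dns_lookup_kdc` is on when unset, and it flags exactly the situation from the thread: an explicit `kdc =` entry with DNS lookup still enabled, where a slow or unanswered DNS query is paid on every ticket request and, once disabled, the KDC location depends only on the profile and the host resolver rather than on DNS SRV answers.

```python
import re

# Constructed sample modelled on the krb5.conf shown in the thread (not the file verbatim).
SAMPLE_CONF = """\
[libdefaults]
   default_realm = WG
   default_tkt_enctypes = aes256-cts-hmac-sha1-96
   permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
   forwardable = true

[realms]
   WG = {
      admin_server = morpheus.WG
      kdc = morpheus.WG
      default_domain = WG
   }
"""

# Boolean spellings the MIT krb5 profile library accepts as "true".
_TRUE = {"y", "yes", "true", "t", "1", "on"}


def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts.

    A [section] header opens a top-level dict, TAG = { ... } opens a nested
    dict, and scalar values are kept as lists so repeated keys (several
    kdc = lines for one realm) are all preserved.  # and ; start comments.
    """
    root = {}
    stack = []                                  # dicts being filled, innermost last
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                   # new top-level section
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue                            # ignore text before the first section
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:                                   # TAG = {  opens a subsection
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if m:
            stack[-1].setdefault(m.group(1), []).append(m.group(2).strip())
    return root


def audit_kdc_lookup(conf):
    """Return findings about how this profile locates the KDC for default_realm."""
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[-1]
    if realm is None:
        return ["[libdefaults] has no default_realm"]
    # MIT krb5 treats a missing dns_lookup_kdc as true (assumption: documented default).
    dns_lookup = libdefaults.get("dns_lookup_kdc", ["true"])[-1].lower() in _TRUE
    realm_block = conf.get("realms", {}).get(realm, {})
    kdcs = realm_block.get("kdc", []) if isinstance(realm_block, dict) else []
    findings = []
    if not kdcs:
        findings.append(f"[realms] {realm} lists no kdc = entry; the KDC can only be "
                        "found through DNS SRV records")
    elif dns_lookup:
        findings.append(f"dns_lookup_kdc is on (the default) although {realm} has explicit "
                        f"kdc entries {kdcs}; a slow or unanswered DNS query delays every "
                        "ticket request, set dns_lookup_kdc = false to use only the listed KDCs")
    return findings


def set_dns_lookup_kdc(text, value="false"):
    """Return the profile text with dns_lookup_kdc = <value> directly under
    [libdefaults]; any existing dns_lookup_kdc line in that section is dropped."""
    out, in_libdefaults, done = [], False, False
    for line in text.splitlines():
        stripped = line.strip()
        if re.match(r"^\[\w+\]$", stripped):
            in_libdefaults = stripped == "[libdefaults]"
            out.append(line)
            if in_libdefaults and not done:
                out.append(f"   dns_lookup_kdc = {value}")
                done = True
            continue
        if in_libdefaults and re.match(r"^dns_lookup_kdc\s*=", stripped):
            continue                            # the inserted line replaces the old one
        out.append(line)
    if not done:                                # no [libdefaults] section at all
        out = ["[libdefaults]", f"   dns_lookup_kdc = {value}", ""] + out
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_kdc_lookup(parse_krb5_conf(SAMPLE_CONF)):
        print("finding:", finding)
    print(set_dns_lookup_kdc(SAMPLE_CONF))
```

Run it against a real file with `parse_krb5_conf(open("/etc/krb5.conf").read())`; the parser only covers the plain `[section]`, `key = value` and `TAG = { ... }` forms used in the thread, not `include`/`includedir` directives or the `*` final-value marker.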