getKDCFromDNS called too often

Wang Weijun weijun.wang at oracle.com
Mon Jul 28 13:58:49 UTC 2014


Is it possible to specify the kdc for the realm inside krb5.conf? Java only uses DNS to get the kdc when it cannot read one from krb5.conf.

--Max

On Jul 28, 2014, at 21:16, Michael Osipov <1983-01-06 at gmx.net> wrote:

> Hi folks,
> 
> I am experiencing a performance degradation when JGSS tries to locate a KDC via DNS.
> We have for our default realm 120 KDCs running. My Java code performs a SASL bind with Kerberos (keytab)
> to get some data from AD over LDAP. This takes sometimes minutes to do where weeks ago mere seconds were necessary.
> It seems now we have the double amount of KDCs and this is the problem with JGSS.
> 
> I can see that the roundtrips with the KDC like AS-REQ, preauth required, AS-REQ, AS-REP, TGS-REQ, TGS-REP, etc.
> are always preceded by a getKDCFromDNS. A grep and wc -l over my logfile shows 110 roundtrips for KDC lookup. This is insane.
> The request time and payload slow down the entire operation.
> 
> Wouldn't it be possible to perform the lookup *once* and then issue all KDC requests to the KDC which is working?
> 
> I have to disable the DNS resolution for Java temporarily.
> 
> Michael
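The reply above says Java falls back to DNS SRV lookup only for a realm that has no explicit kdc entries in krb5.conf. The script below is an added example (not code from the thread, the JDK, or MIT krb5) that audits a krb5.conf for exactly that condition: it parses the [libdefaults] and [realms] sections and lists the realms that would trigger getKDCFromDNS. Both krb5.conf texts are constructed samples; the precedence it assumes for the DNS switch (dns_lookup_kdc, then dns_fallback, default true) follows MIT krb5's documented semantics and is assumed here to match the JDK.

```python
"""Audit a krb5.conf for realms that would fall back to DNS SRV lookup for KDCs.

Added example. Assumptions: standard MIT krb5.conf layout; the JDK consults
DNS only when a realm has no 'kdc' entry under [realms] (as stated in the
thread) and DNS lookup is not disabled in [libdefaults].
"""
import re

# Constructed sample: EXAMPLE.COM lists its KDCs explicitly,
# CORP.EXAMPLE.COM does not and would therefore trigger getKDCFromDNS.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com:88
        admin_server = kdc1.example.com
    }
    CORP.EXAMPLE.COM = {
        admin_server = dc1.corp.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""

# Constructed corrected version: every realm pins its KDCs and DNS lookup is off.
HARDENED_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com:88
    }
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com:88
        kdc = dc2.corp.example.com:88
    }
"""

TRUE_VALUES = {"true", "yes", "on", "1"}


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a 'NAME = { ... }' block becomes
    a nested {key: [values]} dict under that section (used for realms)."""
    sections = {}
    section = None
    block = None  # name of the current "NAME = { ... }" block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            sections.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = m.group(1)
            sections[section].setdefault(block, {})
            continue
        m = re.match(r"^(\S+)\s*=\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        target = sections[section][block] if block else sections[section]
        target.setdefault(key, []).append(value)  # repeated keys (kdc) accumulate
    return sections


def dns_lookup_enabled(conf):
    """Whether a realm without kdc entries would be resolved via DNS SRV records.
    Assumed precedence: dns_lookup_kdc, then dns_fallback, default true."""
    libdefaults = conf.get("libdefaults", {})
    for key in ("dns_lookup_kdc", "dns_fallback"):
        if key in libdefaults:
            return libdefaults[key][0].lower() in TRUE_VALUES
    return True


def audit_realms(conf):
    """Return {realm: [kdc, ...]}; an empty list means no explicit KDC is configured."""
    return {realm: list(settings.get("kdc", []))
            for realm, settings in conf.get("realms", {}).items()}


def realms_falling_back_to_dns(conf):
    """Realms for which the JDK would call getKDCFromDNS under the stated assumptions."""
    if not dns_lookup_enabled(conf):
        return []
    return sorted(realm for realm, kdcs in audit_realms(conf).items() if not kdcs)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        conf = parse_krb5_conf(text)
        for realm, kdcs in audit_realms(conf).items():
            print(f"[{label}] {realm} -> {kdcs or '(no kdc entry)'}")
        print(f"[{label}] realms falling back to DNS: {realms_falling_back_to_dns(conf)}")
```

Run against a real file with parse_krb5_conf(open("/etc/krb5.conf").read()); any realm reported by realms_falling_back_to_dns is one where every ticket exchange may be preceded by an SRV lookup, which is the symptom described in the thread, and the fix is to pin its KDCs with kdc = lines as in the hardened sample.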
