
Re: Bad behavior with LDAP backend.



I'd vote for just returning nothing at all.  If the kdc finds an
empty/absent/inaccessible database it should just quit IMO.  If the kdc is
down the clients will try the next kdc after a second anyway.

It's kind of fun the *first* time you find a kdc running with an empty  
db and telling everyone they don't exist.  Thanks to some procedural  
errors on my part I just did it the fifth time in production last  
night.  (This is still 0.7.2 BTW, and has nothing to do with LDAP.)

Since this is LDAP going down, I suppose there are things you can do,  
but they seem really messy.  IMO (as a non-LDAP-backend user) better  
to just require whatever restarts slapd to restart the kdc as well.

On Mar 27, 2008, at 8:08 AM, Love Hörnquist Åstrand wrote:

>
> 27 mar 2008 kl. 09.16 skrev Anders Magnusson:
>
>> I just noticed an unwanted behavior when using LDAP backend and  
>> slapd dies:
>> The clients do not fail over to another kdc.  I assume that this is  
>> because the kdc returns
>> something, the log says:
>>
>> Mar 27 08:19:50 gran kdc[24288]: AS-REQ helstr-4@LTU.SE from  
>> IPv4:130.240.42.40 for krbtgt/LTU.SE@LTU.SE
>> Mar 27 08:19:50 gran kdc[24288]: Failed to open database: Wrong  
>> database version
>>
>> I don't know what can be returned, but I think that either the kdc  
>> should return "try next kdc"
>> or something, or just stop answering requests.
>
> In addition to stopping answering questions, KRB5KDC_ERR_SVC_UNAVAILABLE  
> can be returned, however, it's not supported by all clients.
>
> Can't make up my mind where the error should be returned.
>
> Love

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
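As an added example that is not part of this thread or of Heimdal: a small Python check a KDC operator could run over syslog output to spot the condition Anders describes, a kdc process that keeps accepting AS-REQs while logging "Failed to open database". The first sample log line reuses the host, pid and principal quoted above; the remaining lines, the second host and its pid are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Heimdal kdc syslog output. Line 1 and 2 are the pair
# quoted in the thread; the rest are made up to show a healthy second KDC.
SAMPLE_LOG = """\
Mar 27 08:19:50 gran kdc[24288]: AS-REQ helstr-4@LTU.SE from IPv4:130.240.42.40 for krbtgt/LTU.SE@LTU.SE
Mar 27 08:19:50 gran kdc[24288]: Failed to open database: Wrong database version
Mar 27 08:19:51 gran kdc[24288]: AS-REQ user2@LTU.SE from IPv4:130.240.42.41 for krbtgt/LTU.SE@LTU.SE
Mar 27 08:19:51 gran kdc[24288]: Failed to open database: Wrong database version
Mar 27 08:19:52 tall kdc[1101]: AS-REQ user3@LTU.SE from IPv4:130.240.42.42 for krbtgt/LTU.SE@LTU.SE
Mar 27 08:19:52 tall kdc[1101]: AS-REQ user4@LTU.SE from IPv4:130.240.42.43 for krbtgt/LTU.SE@LTU.SE
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host kdc[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kdc\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def find_kdcs_serving_without_db(log_text):
    """Return, per kdc process (host/pid), the processes that answered at
    least one AS-REQ or TGS-REQ while also failing to open their database.

    Such a KDC is still reachable, so clients will not fail over to the
    next KDC; the operator should restart or stop it (or fix the backend).
    """
    stats = defaultdict(lambda: {"requests": 0, "db_failures": 0, "reasons": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kdc line (or a format we do not recognise)
        key = f"{m.group('host')}/{m.group('pid')}"
        msg = m.group("msg")
        if msg.startswith(("AS-REQ", "TGS-REQ")):
            stats[key]["requests"] += 1
        elif msg.startswith("Failed to open database"):
            stats[key]["db_failures"] += 1
            # keep the reason text after the colon, e.g. "Wrong database version"
            stats[key]["reasons"].add(msg.split(":", 1)[1].strip())
    return {
        key: {"requests": s["requests"], "db_failures": s["db_failures"],
              "reasons": sorted(s["reasons"])}
        for key, s in stats.items()
        if s["requests"] > 0 and s["db_failures"] > 0
    }


if __name__ == "__main__":
    for kdc, info in find_kdcs_serving_without_db(SAMPLE_LOG).items():
        print(f"{kdc}: {info['requests']} requests, {info['db_failures']} DB failures, {info['reasons']}")
```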