United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: 6843127 krb5 should not try to access unavailable kdc too often
6843127 : krb5 should not try to access unavailable kdc too often

Details
Type:
Bug
Submit Date:
2009-05-20
Status:
Resolved
Updated Date:
2010-11-04
Project Name:
JDK
Resolved Date:
2010-01-08
Component:
security-libs
OS:
generic,solaris_10
Sub-Component:
org.ietf.jgss:krb5
CPU:
sparc,generic
Priority:
P4
Resolution:
Fixed
Affected Versions:
6,7
Fixed Versions:
7

Related Reports
Backport:
JDK-2184130 - krb5 should not try to access unavailable kdc too often
Relates:
JDK-2197175 - Solaris JREs do not have the krb5.kdc.bad.policy configured by default.
Relates:
JDK-6976536 - Solaris JREs do not have the krb5.kdc.bad.policy configured by default.

Sub Tasks

Description
Curently, AS-REQ acts like this:

  try {
     send AS-REQ and wait for AS-REP
  } catch (KRB-ERROR needs PREAUTH) {
     send AS-REQ with PREAUTH and wait for AS-REP
  }

and the send-wait process looks like:

  for (all KDCs configed) {
     for (try 3 times) {
        try {
           send AS-REQ and wait for AS-REP
           return
        } catch (IOError) {
           continue
        }
     }
  }

The two processes are independent, which means when the first configured KDC is not accessible anymore, something like this is performed:

  1. Send AS-REQ to KDC1
  2. Send AS-REQ to KDC1
  3. Send AS-REQ to KDC1
  4. Send AS-REQ to KDC2
     KDC2 replies: KRB-ERROR needs PREAUTH
  5. Send AS-REQ with PREAUTH to KDC1
  6. Send AS-REQ with PREAUTH to KDC1
  7. Send AS-REQ with PREAUTH to KDC1
  8. Send AS-REQ with PREAUTH to KDC2
     KDC2 replies: AS-REP

Here, request #5-#7 is a waste of time.

Suggestion: maintaining a list of KDCs with the initial order according to config. When any of them is not accessible at run time, move it to the last place.

Comments
EVALUATION

Solution: add a security system property

#
# Policy for failed Kerberos KDC lookups:
#
# When a KDC is unavailable (network error, service failure, etc), it is
# put inside a blacklist and accessed less often for future requests. The
# value (case-insensitive) for this policy can be:
#
# tryLast
#    KDCs in the blacklist are always tried after those not on the list.
#
# tryLess[:max_retries,timeout]
#    KDCs in the blacklist are still tried by their order in the configuration,
#    but with smaller max_retries and timeout values. max_retries and timeout
#    are optional numerical parameters (default 1 and 5000, which means once
#    and 5 seconds). Please notes that if any of the values defined here is
#    more than what is defined in krb5.conf, it will be ignored.
#
# Whenever a KDC is detected as available, it is removed from the blacklist.
# The blacklist is reset when krb5.conf is reloaded. You can add
# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
# reloaded whenever a JAAS authentication is attempted.
#
# Example,
#   krb5.kdc.bad.policy = tryLast
#   krb5.kdc.bad.policy = tryLess:2,2000
krb5.kdc.bad.policy = tryLast
2009-12-24 
EVALUATION

http://hg.openjdk.java.net/jdk7/tl/jdk/rev/6a80c535f02e
*** (#1 of 1): [ UNSAVED ] ###@###.###
2009-12-24


Hardware and Software, Engineered to Work Together