Java and Kerberos

Today, I removed the temporary multihoming of our KDCs, thus completing an IP address change for all of the Stanford KDCs. Shortly thereafter, many of our Java webapps stopped being able to authenticate with Kerberos. A restart cleared up the problem.

Want to bet that Java caches the IP addresses of the Kerberos servers rather than requerying DNS or honoring the DNS TTL?

Even worse, the systems were multihomed and now they're on just one of those two IP addresses. Which means that if Java had cached all of the IP addresses and fallen back as it should, it would have worked fine. What's more, one of the servers didn't change and has had the same IP address for a couple of weeks, so they should have had at least that server to fall back on.

Methinks something is deeply broken here.

Takeaway lesson: changing the IP addresses of Kerberos servers is to be avoided when possible, unfortunately, even though everything should be using DNS to find them.

Posted: 2005-08-01 20:55
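The behaviour suspected above is the JVM's InetAddress cache: a successful hostname lookup is kept for the number of seconds given by the Java security property networkaddress.cache.ttl, and -1 means forever, which was the JDK's historical default for positive lookups. The JDK Kerberos client resolves the hostnames listed under "kdc =" in krb5.conf through that same cache, so a KDC address change is invisible to a long-running webapp until restart. The program below is an added example, not code from the post; it sets a finite TTL, resolves each KDC name, waits past the TTL, and resolves again so an operator can confirm the JVM notices a changed record. The KDC hostnames are placeholders.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;

/**
 * Shows whether this JVM's InetAddress cache will pick up a KDC address change.
 * Added example, not code from the original post. The KDC names are placeholders
 * for the hostnames listed under "kdc =" in the [realms] section of krb5.conf.
 */
public class KdcResolveCheck {

    // Placeholder KDC hostnames; substitute the ones from your krb5.conf.
    static final String[] KDCS = {"kdc1.example.edu", "kdc2.example.edu"};

    // Seconds to keep a successful lookup. -1 means cache forever, which is the
    // JDK's historical default and still the default under a security manager.
    static final String CACHE_TTL_SECONDS = "60";

    public static void main(String[] args) throws InterruptedException {
        // Both properties are read once, the first time InetAddress consults its
        // cache, so they must be set before any lookup happens in this JVM.
        Security.setProperty("networkaddress.cache.ttl", CACHE_TTL_SECONDS);
        Security.setProperty("networkaddress.cache.negative.ttl", "10");

        String[][] before = resolveAll(KDCS);
        for (int i = 0; i < KDCS.length; i++) {
            System.out.println(KDCS[i] + " -> " + Arrays.toString(before[i]));
        }

        // Re-resolve after the TTL has expired. Change a KDC's A record (or its
        // /etc/hosts entry) in between to see whether the JVM notices.
        long wait = Long.parseLong(CACHE_TTL_SECONDS) + 5;
        System.out.println("sleeping " + wait + "s, then resolving again...");
        TimeUnit.SECONDS.sleep(wait);

        String[][] after = resolveAll(KDCS);
        for (int i = 0; i < KDCS.length; i++) {
            boolean changed = !Arrays.equals(before[i], after[i]);
            System.out.println(KDCS[i] + " -> " + Arrays.toString(after[i])
                    + (changed ? "  (changed: cache honored the TTL)" : "  (unchanged)"));
        }
    }

    /** Resolves every address of each host; an unresolvable host yields an empty list. */
    static String[][] resolveAll(String[] hosts) {
        String[][] out = new String[hosts.length][];
        for (int i = 0; i < hosts.length; i++) {
            try {
                InetAddress[] addrs = InetAddress.getAllByName(hosts[i]);
                out[i] = new String[addrs.length];
                for (int j = 0; j < addrs.length; j++) {
                    out[i][j] = addrs[j].getHostAddress();
                }
                Arrays.sort(out[i]);
            } catch (UnknownHostException e) {
                out[i] = new String[0];
            }
        }
        return out;
    }
}
```

The same policy can be applied to every JVM on a host by uncommenting networkaddress.cache.ttl in the JDK's java.security file (lib/security/java.security on older JDKs, conf/security/java.security on Java 9 and later), or per process with -Dsun.net.inetaddr.ttl=60 on the command line. Running the webapp with -Dsun.security.krb5.debug=true prints which KDC the JDK client actually contacts and whether it moves on to the next "kdc =" entry, which is the quickest way to confirm the fallback the post expected.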

FWIW, my (not especially up-to-date) Linux server got broken about the time the first IP address changeover happened, with symptoms that looked consistent with things locking up whenever they tried to access AFS space. I'm not completely sure that it's related, but it seems somewhat plausible. And, again, a reboot seemed to fix things.

Posted by Brooks Moses at 2005-08-01 22:51

It seems pretty unlikely that was related since right now our K5 cell has nothing to do with AFS; AFS only uses K4.

Posted by eagle at 2005-08-02 00:32

Ah, well. Apparently what it was worth wasn't much, then!

Posted by Brooks Moses at 2005-08-06 00:28

Last spun 2022-02-06 from thread modified 2013-01-04