# Kerberos authentication - KDC slow? [solved]

## Kompi

I just set up a Kerberos KDC server using mit-krb5 to authenticate users in my small local network. I did that so I can use secure NFSv4 connections to share files. To do so I authenticate users on clients with pam_krb5 against the KDC server's principals. This is working fine, but authenticating users is a little too slow for my taste.

If I call kinit at a workstation it takes about 3-6 seconds before the auth process is done. It's the same when using pam_krb5.so at login. This slows down any login. However, if I kinit in a shell on the server itself, authentication completes almost instantly.

So I ask myself, why is this taking so long? The clients have a pretty good connection to the server (1Gbit/s LAN), so auth over the network should be almost as fast as on the server itself. Even if there's no traffic on the network, it takes that long. So it can't be the network connection. But as it is fast when done on the server itself, it cannot be caused by the kdc server process being misconfigured or needing that long to do all its checks.

Does anyone have experience with that? Is that normal?

Here is my krb5.conf. This is pretty default (my realm/local domain is called "WG", the kdc and admin-server are both on the host called "morpheus"):

```
[libdefaults]
   default_realm = WG
   default_tkt_enctypes = aes256-cts-hmac-sha1-96
   default_tgs_enctypes = aes256-cts-hmac-sha1-96
   permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
   forwardable = true

[realms]
   WG = {
      admin_server = morpheus.WG
      kdc = morpheus.WG
      default_domain = WG
   }
```

and my kdc.conf:

```
[kdcdefaults]
   kdc_tcp_ports = 88

[realms]
   WG = {
      max_life = 16h 0m 0s
      max_renewable_life = 7d 0h 0m 0s
      master_key_type = aes256-cts-hmac-sha1-96
      supported_enctypes = aes256-cts-hmac-sha1-96:normal rc4-hmac:normal
      kdc_supported_enctypes = aes256-cts-hmac-sha1-96:normal rc4-hmac:normal
   }
```

Last edited by Kompi on Tue Apr 19, 2011 2:12 pm; edited 1 time in total

----------

## nativemad

Hi, 

3-6 seconds!? That sounds like a DNS issue to me!

I would try it first with an /etc/hosts entry on the client for morpheus.wg....

HTH, Cheers

----------

## Kompi

I already had that line in /etc/hosts. However, you were right, it was a DNS issue. For some reason kinit tried to resolve the KDC's address via DNS first, before trying /etc/hosts. I expected it to be the other way around.

So my solution was to add:

```
dns_lookup_kdc = false 
```

to the [libdefaults]-section.

Thanks!
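The fix above turns off DNS-based KDC discovery so that the client only uses the `kdc =` entry pinned in `[realms]`. A quick way to see which of your realms still depend on DNS SRV lookups (answers that come from an unauthenticated resolver and, as this thread shows, can add seconds to every login) is to lint krb5.conf for that setting. The script below is an added example, not code from the thread or from MIT krb5: it parses the krb5 profile format (`[section]`, `key = value`, nested `key = { ... }` blocks) and reports, per realm, whether a static `kdc` is configured and whether `dns_lookup_kdc` is disabled. The sample configuration is constructed from the poster's krb5.conf with the fix applied, plus a hypothetical realm `EXAMPLE.TEST` that has no `kdc` entry.

```python
"""Lint an MIT krb5.conf for how each realm locates its KDC (added example)."""
import re

# Constructed sample: the poster's krb5.conf with 'dns_lookup_kdc = false'
# added, plus a hypothetical second realm that pins no KDC at all.
SAMPLE_KRB5_CONF = """\
[libdefaults]
   default_realm = WG
   default_tkt_enctypes = aes256-cts-hmac-sha1-96
   default_tgs_enctypes = aes256-cts-hmac-sha1-96
   permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
   forwardable = true
   dns_lookup_kdc = false

[realms]
   WG = {
      admin_server = morpheus.WG
      kdc = morpheus.WG
      default_domain = WG
   }
   # hypothetical realm, not from the thread: no 'kdc =' line
   EXAMPLE.TEST = {
      admin_server = kdc.example.test
   }
"""

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_ASSIGN_RE = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_profile(text):
    """Parse krb5's profile format into {section: {key: [value, ...]}}.

    A value is a string or, for 'key = { ... }' blocks, a nested dict of the
    same shape. Repeated keys (several 'kdc =' lines) accumulate in the list.
    """
    root = {}
    stack = []  # open containers; stack[-1] receives the next assignment
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # comment or blank line
            continue
        m = _SECTION_RE.match(line)
        if m:
            stack = [root.setdefault(m.group(1).strip(), {})]
            continue
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in profile")
            stack.pop()
            continue
        m = _ASSIGN_RE.match(line)
        if not m or not stack:
            raise ValueError("cannot parse line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block in profile")
    return root


def profile_bool(value):
    """Boolean spellings accepted by the krb5 profile library."""
    return value.strip().lower() in ("true", "t", "yes", "y", "on", "1")


def lint_kdc_discovery(profile):
    """Report per realm whether a KDC is pinned or found via DNS SRV records.

    Returns {"dns_lookup_kdc": bool, "realms": {name: {"kdc": [...],
    "issue": str or None}}}. A realm without a 'kdc =' entry is flagged:
    with DNS discovery on it depends on SRV records from the resolver, with
    DNS discovery off it has no KDC to talk to at all.
    """
    libdefaults = profile.get("libdefaults", {})
    dns_values = libdefaults.get("dns_lookup_kdc", [])
    # MIT's documented default for dns_lookup_kdc is true; last value wins.
    dns_lookup = profile_bool(dns_values[-1]) if dns_values else True
    report = {"dns_lookup_kdc": dns_lookup, "realms": {}}
    for realm, values in profile.get("realms", {}).items():
        kdcs = []
        for block in values:
            if isinstance(block, dict):
                kdcs.extend(block.get("kdc", []))
        if kdcs:
            issue = None
        elif dns_lookup:
            issue = "no static kdc entry: KDC located via DNS SRV records"
        else:
            issue = "no static kdc entry and dns_lookup_kdc is false: no KDC reachable"
        report["realms"][realm] = {"kdc": kdcs, "issue": issue}
    return report


def lint_text(text):
    """Convenience wrapper: lint a krb5.conf given as a string."""
    return lint_kdc_discovery(parse_profile(text))


if __name__ == "__main__":
    import json
    print(json.dumps(lint_text(SAMPLE_KRB5_CONF), indent=2))
```

Run it against a real file with `lint_text(open("/etc/krb5.conf").read())`. Realms whose `issue` is set are the ones whose KDC location still comes from DNS (or from nowhere); pinning a `kdc =` line for them gives the same effect the poster got for `WG`.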

----------

