Re: [modauthkerb] newsletter: Re: newsletter: Slow page loads when in failover with mod_auth_kerb
From: Rob C <mod...@lx...> - 2012-03-08 21:08:45
Well, I have a solution and it isn't strictly mod_auth_kerb related, but I hate googling and finding open-ended forum posts on the web, so I thought I would at least close the loop and see if anyone has comments on the *why* as well as the *what* that eventually fixed my issue.

I took the advice above and started going through the Wireshark/tcpdump logs of both the client browser interaction with the 2 DCs and the Apache server, as well as the interaction from the Apache server looking at traffic to the DCs and the client. It was immediately apparent that the hangup did not appear to be Kerberos-based but rather a rash of DNS lookups on the Apache host trying to resolve the CNAME to an A record (itself). In fact, given the failure scenario, the Kerberos ticket had already been negotiated, issued and cached before the KDC was taken down, so from a mod_auth_kerb perspective it was using cached credentials anyway (KrbSaveCredentials=on) - no Kerberos network traffic was taking place!

Long story short, adding the CNAME of the webserver as a host alias in /etc/hosts allowed the page to load instantaneously when in the DC failure state. As such I have a workaround but don't fully understand why it is working. I am doing some further investigation.
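An added example, not part of the original post: a Python check that the workaround described above is in place, that is, that the web server's CNAME appears in hosts-file text as an alias on the same address as the server's canonical name. The host names, addresses and function names are constructed placeholders, and the check assumes the resolver consults /etc/hosts before DNS (`hosts: files dns` in /etc/nsswitch.conf).

```python
import ipaddress

# Constructed sample in /etc/hosts format; names and addresses are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# web server: canonical name, short name, then the CNAME clients use
192.0.2.10  web01.example.com web01 intranet.example.com
::1         localhost ip6-localhost
"""

def _norm(name):
    """Host names compare case-insensitively; ignore a trailing root dot."""
    return name.lower().rstrip(".")

def parse_hosts(text):
    """Map each normalised name to the list of addresses it is listed under."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank line or address without names
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: skip the line
        for name in fields[1:]:
            table.setdefault(_norm(name), []).append(addr)
    return table

def alias_status(text, canonical, alias):
    """Return 'ok', 'missing' or 'mismatch' for the alias entry.

    'missing'  : alias is not in the file, so lookups still go to DNS
    'mismatch' : alias is present but shares no address with the canonical
                 name (also returned when the canonical name is not listed)
    """
    table = parse_hosts(text)
    alias_addrs = table.get(_norm(alias))
    if not alias_addrs:
        return "missing"
    if set(alias_addrs) & set(table.get(_norm(canonical), [])):
        return "ok"
    return "mismatch"

if __name__ == "__main__":
    print(alias_status(SAMPLE_HOSTS, "web01.example.com", "intranet.example.com"))
```

To check a live host, pass the contents of /etc/hosts as `text` in place of the constructed sample.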