Eliminating Dependency on kadmind Daemon during non-KRB5 Authentication

The KRB5 load module causes a delay when the kadmind daemon is unavailable and a non-KRB5 authentication mechanism, for example, single sign-on (SSO), is in use. This dependency is eliminated by setting the kadmind_timeout parameter in the methods.cfg file.

Possible values are kadmind_timeout=<seconds>, where seconds must be greater than 0.

When the KRB5 load module attempts to connect to a kadmind server that is down, a Transmission Control Protocol (TCP) timeout occurs. The kadmind_timeout parameter prevents further delay after the initial TCP timeout. The kadmind_timeout parameter specifies the time window for the KRB5 load module to attempt another kadmind connection after the initial TCP timeout. When the kadmind server is running, the default behavior is still in effect.

By default, kadmind_timeout is disabled. To enable the kadmind_timeout parameter, change the methods.cfg file as follows:

KRB5:
        program = /usr/lib/security/KRB5
        options = kadmind_timeout=300
KRB5files:
        options = db=BUILTIN,auth=KRB5
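
The following check is an added example, not part of the original documentation: it reads a methods.cfg-style file and reports whether kadmind_timeout is enabled in the KRB5 stanza with a value greater than 0. The function name check_kadmind_timeout, its output strings and return codes are hypothetical; it assumes that the KRB5 options line may carry several comma-separated options (as the KRB5files stanza above does) and that comment lines start with an asterisk.

```shell
#!/bin/sh
# check_kadmind_timeout FILE   (hypothetical helper, added example)
# Prints "enabled <seconds>", "disabled" or "invalid <value>".
# Returns 0 when enabled with a value > 0, 1 when absent, 2 when invalid.
check_kadmind_timeout() {
    awk '
        # Stanza header: a name at column 1 followed by a colon.
        # Lines starting with "*" (assumed comment marker) or "#" are skipped.
        /^[^ \t#*][^:]*:[ \t]*$/ {
            stanza = $0
            sub(/:[ \t]*$/, "", stanza)
            next
        }
        # Only the options line of the KRB5 stanza is relevant.
        stanza == "KRB5" && /^[ \t]*options[ \t]*=/ {
            line = $0
            sub(/^[ \t]*options[ \t]*=[ \t]*/, "", line)
            n = split(line, opts, ",")
            for (i = 1; i <= n; i++) {
                opt = opts[i]
                gsub(/[ \t]/, "", opt)
                if (opt ~ /^kadmind_timeout=/) {
                    value = substr(opt, length("kadmind_timeout=") + 1)
                    found = 1
                }
            }
        }
        END {
            if (!found) { print "disabled"; exit 1 }
            # The value must be a whole number of seconds greater than 0.
            if (value ~ /^[0-9]+$/ && value + 0 > 0) { print "enabled " value; exit 0 }
            print "invalid " value
            exit 2
        }
    ' "$1"
}

# Constructed sample input that mirrors the stanzas shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
KRB5:
        program = /usr/lib/security/KRB5
        options = kadmind_timeout=300
KRB5files:
        options = db=BUILTIN,auth=KRB5
EOF
check_kadmind_timeout "$sample"
rm -f "$sample"
```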