Forum Discussion
Multiple Domain Support not working on APM
I've finally solved the issue. I found that the first DC server in the DNS-discovered list of KDC servers built by the F5 APM was an old server that no longer exists.
tcpdump on the F5 showed repeated KRB5 AS-REQ from the F5 to that nonexistent domain controller, and the router local to the subnet where the DC used to reside sent ICMP host unreachable messages.
The fix was to remove the old DNS service records (_kerberos & _klist) from DNS; user logons were successful after removal.
I've logged a case with F5 for this problem and will try to find out why F5 APM didn't just select the next available KDC server rather than repeatedly trying the same failed DC server. You'd kinda think the list is there to provide redundancy... isn't that the point?
At some stage I did try to force the F5 to select a DC server by updating krb5.conf (bigstart restart was done after each change), but this didn't work either and F5 APM continued to generate a list of KDCs using DNS resolves.
Anyway, these are the config settings I tried in krb5.conf. I also turned off DNS resolves in libdefaults, with no luck here either... perhaps there is more needed than this.
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes
    default_realm = DOMAIN-A.INTERNAL

[realms]
    DOMAIN-B.INTERNAL = {
        kdc = dc2.domain-b.internal:88
        admin_server = dc2.domain-b.internal:749
        default_domain = domain-b.internal
    }

[domain_realm]
    .domain-b.internal = DOMAIN-B.INTERNAL
Cheers,
David
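The root cause above is a stale Kerberos SRV record pointing at a decommissioned DC. Windows domain controllers register their KDC under `_kerberos._tcp.<domain>` (and, for AD, `_kerberos._tcp.dc._msdcs.<domain>`), and a Kerberos client tries the targets in SRV priority/weight order, so a dead host at priority 0 is the first one contacted. The script below is an added example, not code from the post or from F5: it parses the output of `dig +short SRV _kerberos._tcp.domain-b.internal`, orders the KDCs the way a client would, and probes each on TCP/88 so stale entries can be spotted before users start failing to log on. The hostnames in the embedded sample are constructed for illustration, and the `dc-old` entry stands in for the retired DC described above.

```python
"""Probe the KDCs that DNS advertises for a realm, in the order a Kerberos
client would try them, and flag any that do not answer on TCP/88.

Added example, not code from the original post or from F5. Feed it the
output of:  dig +short SRV _kerberos._tcp.domain-b.internal
(Active Directory also publishes _kerberos._tcp.dc._msdcs.<domain>.)
"""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, List, Tuple

KERBEROS_PORT = 88

# Constructed sample, not real dig output. Format is "priority weight port target.".
# The first record a client would try is the decommissioned DC from the post.
SAMPLE_DIG_OUTPUT = """\
0 100 88 dc-old.domain-b.internal.
0 100 88 dc2.domain-b.internal.
10 50 88 dc3.domain-b.internal.
"""


@dataclass(frozen=True)
class KdcRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(dig_output: str) -> List[KdcRecord]:
    """Parse `dig +short SRV` lines and return them in client try-order:
    lowest priority first, then highest weight. (RFC 2782 picks among equal
    priorities by weighted random choice; a fixed sort is fine for a check.)"""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line or comment
        prio, weight, port, target = parts
        records.append(KdcRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def kdc_reachable(host: str, port: int = KERBEROS_PORT, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.
    Connection refused, ICMP host unreachable, DNS failure and timeout all
    surface as OSError (socket.timeout and socket.gaierror are subclasses)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kdcs(records: List[KdcRecord],
               probe: Callable[[str, int], bool] = kdc_reachable) -> List[Tuple[KdcRecord, bool]]:
    """Probe every advertised KDC in try-order; probe is injectable for tests."""
    return [(rec, probe(rec.target, rec.port)) for rec in records]


def stale_kdcs(records: List[KdcRecord],
               probe: Callable[[str, int], bool] = kdc_reachable) -> List[str]:
    """Targets DNS still advertises that accept no connection: candidates
    for removal from the _kerberos SRV records (or for DNS scavenging)."""
    return [rec.target for rec, ok in check_kdcs(records, probe) if not ok]


if __name__ == "__main__":
    # Pipe dig output in; with no stdin, run against the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG_OUTPUT
    for rec, ok in check_kdcs(parse_srv(text)):
        state = "OK  " if ok else "DEAD"
        print(f"{state} prio={rec.priority} weight={rec.weight} {rec.target}:{rec.port}")
```

Run it as `dig +short SRV _kerberos._tcp.domain-b.internal | python3 kdc_check.py` from a host on the same network path as the BIG-IP; any `DEAD` entry at the lowest priority is exactly the situation described above, where a client that does not fail over keeps sending AS-REQs to a host that is gone. The probe only confirms that something listens on port 88; it does not verify that the listener is a working KDC for the realm.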