another (different) KDC name resolution question

Greg Hudson ghudson at MIT.EDU
Mon Feb 22 18:13:08 EST 2010


On Mon, 2010-02-22 at 16:54 -0500, Abe Singer wrote:
> When a Kerberized daemon (server) gets contacted by a client, the server
> does a name lookup of *all* the KDCs in the realm before attempting to contact
> any KDC.
[...]
> So, is this behavior intentional, or a bug triggered by an unusual situation?

This behavior follows from the internal APIs.  krb5_locate_kdc takes a
realm name and returns a complete list of addresses, and then
krb5_sendto_kdc iterates over the address list.  So it's not a bug,
although I'd be happy to call it a misfeature.  There are some
complications in the way of changing the behavior (specifically, a
plugin interface which assumes the realm -> addrlist interface), so I
don't know if it's likely to get better in the near future.
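As an added illustration (not code from this thread or from MIT krb5), the following models the two API shapes being contrasted: a `locate`-style call that resolves every KDC name before any is tried, versus a lazy variant that resolves names as the sender reaches them. The hostnames, addresses and resolver are constructed; the count of lookups performed before the first send is what a defender would watch, since one unresolvable or slow KDC name delays every connection under the eager design.

```python
"""Eager vs. lazy KDC name resolution (hypothetical stand-in, not MIT krb5)."""
from typing import Iterator, List, Tuple

# Constructed realm KDC list, as it might come from krb5.conf or DNS SRV.
KDC_HOSTS = ["kdc1.example.com", "kdc2.example.com", "kdc3.example.com"]

# Constructed fake DNS table; kdc2 deliberately has no address record.
FAKE_DNS = {"kdc1.example.com": "192.0.2.1", "kdc3.example.com": "192.0.2.3"}


class FakeResolver:
    """Stand-in for getaddrinfo(): fixed table, counts every lookup made."""

    def __init__(self, table: dict):
        self.table = table
        self.lookups = 0

    def resolve(self, host: str) -> str:
        self.lookups += 1
        if host not in self.table:
            raise OSError(f"name resolution failed: {host}")
        return self.table[host]


def locate_kdc_eager(resolver: FakeResolver, hosts: List[str]) -> List[str]:
    """realm -> addrlist shape: all names resolved before any KDC is tried."""
    addrs = []
    for h in hosts:
        try:
            addrs.append(resolver.resolve(h))
        except OSError:
            pass  # unresolvable KDCs are dropped, but the lookup cost is paid
    return addrs


def locate_kdc_lazy(resolver: FakeResolver, hosts: List[str]) -> Iterator[str]:
    """Alternative shape: resolve each name only when the sender reaches it."""
    for h in hosts:
        try:
            yield resolver.resolve(h)
        except OSError:
            continue


def sendto_kdc(resolver: FakeResolver, addrs, reachable: str) -> Tuple[str, int]:
    """Iterate addresses like krb5_sendto_kdc; stop at the first that answers.
    Returns (address that answered, lookups already done before the first send)."""
    before_first = None
    for a in addrs:
        if before_first is None:
            before_first = resolver.lookups
        if a == reachable:  # constructed: only this address 'answers'
            return a, before_first
    raise RuntimeError("no KDC answered")


def run(locate, reachable: str = "192.0.2.1") -> Tuple[str, int]:
    r = FakeResolver(FAKE_DNS)
    return sendto_kdc(r, locate(r, KDC_HOSTS), reachable)
```

With the first KDC reachable, the eager path has already issued three lookups (one of them failing) before sending anything, while the lazy path has issued one.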