Q: Ordering master/slave KDC's in CLIENT machines' krb5.conf

Donn Cave donn at u.washington.edu
Tue Sep 9 16:33:48 EDT 2003


In article <bjl3cc$33t0$1 at nntp6.u.washington.edu>,
 MattW <mbw at u.washington.edu> wrote:

> Please help me understand how I should order the
> client's list of KDC's it can contact in the krb5.conf file.
> 
> I have:
> 
> [realms]
>          YADDA.WASHINGTON.EDU = {
> 
>                  kdc = kdc.yadda.washington.edu
>                  kdc = kdc1.yadda.washington.edu
>                  kdc = kdc2.yadda.washington.edu
>                  admin_server = kdc1.yadda.washington.edu
>                  default_domain = yadda.washington.edu
>                  krb524_server = kdc1.yadda.washington.edu
>          }
> 
> NOTE: kdc.yadda.washington.edu points to the master, which is
> kdc1.yadda.washington.edu
> 
> 
> but I have MANY clients which will need to set up to use
> kerberos, and kdc1 and kdc2 are on different subnets.
> 
> Should I put the kdc that is the closest (fewest hops, or local)
> first in the list? or should I always put the master server first,
> regardless of network proximity.
> 
> Am I nit-picking here? Does order matter in the kdc list?

Yes.

The addresses are contacted in order until one responds,
but some requests may then also find their way to the master
server.  Master is however spelled "admin_server", so in your
example the master is really kdc1. As far as I know, the first
KDC on the list will be contacted first, but otherwise gets
no special status from this.

You may also be interested in the use of DNS records to do this.
Cf. for example, SRV record for _kerberos._udp.u.washington.edu,
and TXT record for _kerberos.u.washington.edu.  That allows
applications in u.washington.edu to find the realm's KDC without
any local configuration file.  If you have a serious issue with
network connectivity, that might be another way to address it
(though I would think it's highly unlikely to be worth it - I mean,
the DNS records are a fine idea, especially if you don't have a
name collision with a Windows domain, but having them resolve
to different hosts depending on the DNS server would be only 
for the desperate.)

> I'm curious how failover is done if my router to the first
> kerb server in the list goes down.

It's done with select() on the socket file descriptor in conjunction
with the connect() function.

   Donn Cave, donn at u.washington.edu
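As an added illustration (not from the post and not MIT Kerberos code), the following Python mimics the behaviour Donn describes: it reads the kdc entries out of the quoted [realms] block in file order, then contacts each address in turn over a connect()ed UDP socket and waits on select(), moving on when an address stays silent. The fake KDC, the probe payload and the timeout are constructed stand-ins, not the Kerberos protocol.

```python
import select
import socket
import threading

# The [realms] block from the question, embedded here as a constructed string.
KRB5_CONF = """[realms]
    YADDA.WASHINGTON.EDU = {
        kdc = kdc.yadda.washington.edu
        kdc = kdc1.yadda.washington.edu
        kdc = kdc2.yadda.washington.edu
        admin_server = kdc1.yadda.washington.edu
    }
"""

def kdc_list(conf, realm):
    # 'kdc =' entries for one realm, in file order: the order the client tries them.
    kdcs, inside = [], False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith(realm) and line.endswith("{"):
            inside = True
        elif inside and line == "}":
            break
        elif inside and line.partition("=")[0].strip() == "kdc":
            kdcs.append(line.partition("=")[2].strip())
    return kdcs

def first_responder(targets, payload=b"probe", timeout=0.3):
    # Try each (host, port) in order: connect() a UDP socket, send, select() for a reply.
    # A timeout, or an ICMP unreachable surfacing as OSError, moves on to the next entry.
    for host, port in targets:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            try:
                sock.connect((host, port))
                sock.send(payload)
                readable, _, _ = select.select([sock], [], [], timeout)
                if readable:
                    return (host, port), sock.recv(4096)
            except OSError:
                continue
    return None, None

def start_fake_kdc(answer=True):
    # Constructed stand-in: a local UDP listener that answers one datagram (answer=True)
    # or stays silent like a KDC behind a down router (answer=False). Returns its port.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():
        data, peer = srv.recvfrom(4096)
        if answer:
            srv.sendto(b"KDC-REPLY:" + data, peer)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

With a silent listener placed first and an answering one second, first_responder() skips the silent entry after the timeout and returns the second, which is the failover the question asks about.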