kerberos password change in master-slave environ

Actually davidchr davespam at microsoft.com
Wed Mar 24 18:31:56 EST 2004


> From: kerberos-bounces at mit.edu 
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Digant Kasundra
[...]

> With Unix and Linux, this one master setup isn't too bad b/c you can tell
> clients to auth against a slave and do password changes against the master.
> But with "dumb" implementations, like Microsoft, it assumes a KDC is a KDC
> is a KDC: one machine that will handle both.

FYI, our implementation has never made this assumption to my knowledge.


Before Win2K, Windows domains were master/slave (Primary/Backup Domain
Controllers), so of course not all of them accepted password changes.
In Win2K and later, the concept of a "writeable" vs. a "non-writeable"
DC persists (if curious, see DsGetDcName's DomainControllerInfo
parameter for more information).  For a non-Windows realm, KSETUP
defines where a machine will go to change passwords for principals in a
particular realm.

There are also other ways to configure Windows so that it only hits the
DCs (or non-Windows KDCs) you want it to.   

Anyway, just FYI in case you're (or anyone else is) having trouble with
this.

---
This message is provided "AS IS" with no warranties, and confers no
rights.
This message may originate from an unmonitored alias ("davespam") for
spam-reduction purposes.  Use "davidchr" for individual replies.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
This message originates in the State of Washington (USA), where
unsolicited commercial email is legally actionable (see
http://www.wa-state-resident.com).
Harvesting of this address for purposes of bulk email (including "spam")
is prohibited unless by my expressed prior request.  I retaliate
viciously against spammers and spam sites.
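
Added example, not part of the original message: one way the KSETUP mapping mentioned above can split authentication and password changes for a non-Windows realm. The realm name EXAMPLE.COM and the host names are placeholders.

```powershell
# Constructed example: EXAMPLE.COM and all host names are placeholders.
# Run from an elevated prompt on the Windows machine being configured.

# KDCs this machine may use for authentication in the non-Windows realm
# (the slaves in a master/slave deployment).
ksetup /addkdc EXAMPLE.COM kdc-slave1.example.com
ksetup /addkdc EXAMPLE.COM kdc-slave2.example.com

# Kerberos password-change server for the realm: the master only,
# so password changes never land on a read-only slave.
ksetup /addkpasswd EXAMPLE.COM kdc-master.example.com

# Print the stored realm mappings to confirm which hosts are listed
# as kdc and which as kpasswd for EXAMPLE.COM.
ksetup /dumpstate
```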


