Reading kerberos-adm from DNS: when will MIT-krb support this?

Jeffrey Altman jaltman at secure-endpoints.com
Mon Mar 12 01:30:50 EDT 2007


Marcus Watts wrote:
> Interesting obscure factoid:
> If your dns information lacks a _kerberos-master record (and you don't
> have a krb5.conf that specifies a master_kdc for your realm), MIT library
> code won't prompt to change the password for principals with expired passwords.
This is because the client doesn't know if the password actually needs to be changed. It could be that the client is talking to a slave that hasn't received the new key. In that case the password might not need to be changed. The client only knows that the password is actually expired by talking to the master. Without a kerberos-master entry, the client does not know whether or not the master has given the definitive response.

Jeffrey Altman
Secure Endpoints Inc.
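An added audit check, not code from this thread or from MIT krb5: given a krb5.conf and a stand-in for DNS SRV answers, it reports whether a client could identify the master KDC for a realm (via `master_kdc` or a `_kerberos-master` SRV record) and therefore whether it would ever see the definitive expired-password response described above. The config text and SRV answers are constructed samples; MIT's exact lookup order and the parser's handling of includes are not modelled.

```python
import re

# Constructed sample krb5.conf: EXAMPLE.COM names a master_kdc, TEST.ORG does not.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        master_kdc = kdc1.example.com
    }
    TEST.ORG = {
        kdc = kdc.test.org
    }
"""

# Constructed stand-in for DNS SRV answers (no network): SRV name -> target hosts.
SRV_ANSWERS = {
    "_kerberos._udp.EXAMPLE.COM": ["kdc1.example.com", "kdc2.example.com"],
    "_kerberos._udp.TEST.ORG": ["kdc.test.org"],
    "_kerberos-master._udp.TEST.ORG": [],   # empty answer: no master advertised
}

def parse_realms(conf_text):
    """Return {REALM: {key: [values]}} from the [realms] section of a krb5.conf."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):                     # section header, e.g. [realms]
            section = line.strip("[]").lower()
            continue
        if section != "realms":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)      # "REALM = {" opens a realm block
        if m:
            current = realms.setdefault(m.group(1), {})
        elif line == "}":                            # closing brace ends the realm block
            current = None
        elif current is not None and "=" in line:    # "key = value" (keys may repeat)
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
    return realms

def master_source(realm, conf_text=KRB5_CONF, srv=SRV_ANSWERS):
    """Where the client can learn the master KDC for REALM: 'config', 'dns' or None."""
    if parse_realms(conf_text).get(realm, {}).get("master_kdc"):
        return "config"                              # explicit master_kdc in krb5.conf
    for proto in ("udp", "tcp"):                     # _kerberos-master SRV record in DNS
        if srv.get(f"_kerberos-master._{proto}.{realm}"):
            return "dns"
    return None                                      # master unknown: no expired-password prompt
```

A `None` result for a realm is the condition Marcus describes: add a `master_kdc` line for that realm or publish the `_kerberos-master` SRV record.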

