Changing password using slave KDC

Sachin Punadikar punadikar.sachin at gmail.com
Thu Nov 1 07:17:53 EDT 2007


Hi Jeffrey,

I carried out the change. Added an entry of "kdc=master-kdc" after the
existing "kdc=slave-kdc". But it still fails to get the ticket with the new
password.
It works fine when "master_kdc=master-kdc" exists.

So is it expected behavior?
Thanks in advance.

- Sachin.

On 11/1/07, Jeffrey Altman <jaltman at secure-endpoints.com> wrote:
>
> Please do not send non-development requests to the krbdev mailing list.
>
> Slave databases are read-only.  Only the master database can be used
> for password change.  The master kdc must be listed in the KDC list
> either as an additional
>
>   kdc=master-kdc
>
> or
>
>   master_kdc=master-kdc
>
> entry or both.
>
> Jeffrey Altman
>
>
> Sachin Punadikar wrote:
> > Hello,
> >
> > I have Kerberos (MIT 1.5.4 release) configured as master and slave. At the
> > client side krb5.conf file I am mentioning kdc=slave-kdc. And this is the
> > only entry in the krb5.conf file which talks about KDC.
> > In this scenario if the attribute "needchange" is set then, it prompts for
> > the password change but finally it fails to get the ticket with the newly
> > changed password. This may be because it is trying to get the ticket from
> > the slave. But slave will not have updated database at that moment.
> > So is it recommended to try for password change, only when "master_kdc"
> > entry in the krb5.conf file exists?
> > Or is there any mechanism by which one can update slave KDC database
> > instantaneously, so above scenario will work?
> >
> > Please advise.
> >
> > - Sachin.
> > _______________________________________________
> > krbdev mailing list             krbdev at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
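
An added example, not part of the original thread or of MIT Kerberos: a small Python check that reads the [realms] section of a krb5.conf and reports realms that list kdc entries but no master_kdc entry, which is the client configuration this thread starts from. The sample file, host names and function names are constructed, and the parser assumes the plain `REALM = { tag = value }` layout.

```python
import re

# Constructed sample: EXAMPLE.COM lists only a slave, EXAMPLE.ORG names its master.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    # client that only knows the slave
    EXAMPLE.COM = {
        kdc = slave-kdc.example.com
    }
    EXAMPLE.ORG = {
        kdc = slave-kdc.example.org
        kdc = master-kdc.example.org
        master_kdc = master-kdc.example.org
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""

def parse_realms(text):
    """Return {realm: {tag: [values]}} for the [realms] section only."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                           # new top-level section
            section, current = header.group(1), None
        elif section != "realms":
            continue
        elif line == "}":                    # end of a realm block
            current = None
        elif line.endswith("{"):             # start of a realm block
            current = line.split("=", 1)[0].strip()
            realms[current] = {}
        elif current and "=" in line:        # tag = value; tags may repeat
            tag, value = (p.strip() for p in line.split("=", 1))
            realms[current].setdefault(tag, []).append(value)
    return realms

def realms_without_master(text):
    """Realms that list at least one kdc but name no master_kdc."""
    return sorted(realm for realm, tags in parse_realms(text).items()
                  if tags.get("kdc") and not tags.get("master_kdc"))

if __name__ == "__main__":
    for realm in realms_without_master(SAMPLE_KRB5_CONF):
        print(f"{realm}: kdc listed but no master_kdc entry")
```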


