Changing password using slave KDC
Ken Raeburn
raeburn at MIT.EDU
Thu Nov 1 08:02:27 EDT 2007
On Nov 1, 2007, at 07:17, Sachin Punadikar wrote:
> I carried out the change. Added an entry of "kdc=master-kdc" after the
> existing "kdc=slave-kdc". But still it fails to get the ticket of new
> password.
> It works fine when "master_kdc=master-kdc" exists.
>
> So is it expected behavior ?
This is expected. If the library detects a "wrong password" type of
error, it will try talking to the master KDC if it finds one
configured. It won't simply walk through all of the KDCs. (The
model is, roughly, that the slaves all get updated from the master at
about the same time, so talking to other slaves won't help. But if
there is a master, its data may be more recent than the slaves'.)
In regard to a question in your earlier email, if the LDAP database
back end is used on the KDC, the password change should immediately
be seen by the slave KDC. Perhaps not *quite* immediately, if you're
replicating your LDAP service and your slave KDC is looking at a
different LDAP server than the master KDC; I'm unfamiliar with the
details of LDAP data replication in various implementations.
Ken
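The fallback Ken describes, as an added example that is not part of the original thread or of MIT krb5's code: a small Python model of the client-side behaviour, with two constructed krb5.conf fragments (one listing the master only as a second "kdc" entry, one naming it as "master_kdc"). The hostnames, realm, principal and passwords are placeholders, and the KDC database state (master updated, slave still holding the old password) is constructed to reproduce the situation in the question. The "kdc" list is modelled as network failover only: the first KDC that answers ends the AS exchange, even if its answer is an error, so the second "kdc" entry is never consulted for a wrong-password reply.

```python
"""Model of the master-KDC fallback on a wrong-password error.

Constructed example, not MIT krb5 code. It models the behaviour described
in the reply: the client sends its AS request to the configured "kdc"
entries in order until one answers; if the answer is a "wrong password"
(pre-authentication failed) error, the library retries once against
"master_kdc" if one is configured, and does not walk the remaining "kdc"
entries.
"""
import re

# Constructed krb5.conf fragments; hostnames and realm are placeholders.
CONF_WITHOUT_MASTER = """
[realms]
    EXAMPLE.COM = {
        kdc = slave-kdc.example.com
        kdc = master-kdc.example.com
    }
"""

CONF_WITH_MASTER = """
[realms]
    EXAMPLE.COM = {
        kdc = slave-kdc.example.com
        master_kdc = master-kdc.example.com
    }
"""


def parse_realms(text):
    """Minimal parser for the [realms] section of a krb5.conf-style file.

    Returns {realm: {tag: [values...]}}; repeated tags (several "kdc"
    lines) accumulate in order. Handles only the subset used here:
    one level of braces and "tag = value" lines.
    """
    realms = {}
    current = None
    in_realms = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_realms = line == "[realms]"
            continue
        if not in_realms:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            current = m.group(1)
            realms[current] = {}
            continue
        if line == "}":
            current = None
            continue
        m = re.match(r"^(\w+)\s*=\s*(\S+)$", line)
        if m and current is not None:
            realms[current].setdefault(m.group(1), []).append(m.group(2))
    return realms


# Constructed KDC state: the password was just changed on the master and
# the slave still holds the old one (propagation has not run yet).
KDC_PASSWORDS = {
    "master-kdc.example.com": {"alice@EXAMPLE.COM": "new-password"},
    "slave-kdc.example.com": {"alice@EXAMPLE.COM": "old-password"},
}


class PreauthFailed(Exception):
    """Stands in for KRB5KDC_ERR_PREAUTH_FAILED: the KDC rejects the password."""


def as_req(kdc, principal, password, log):
    """One AS exchange with a single KDC; `log` records which KDCs were asked."""
    log.append(kdc)
    if KDC_PASSWORDS[kdc].get(principal) != password:
        raise PreauthFailed(kdc)
    return f"TGT for {principal} from {kdc}"


def get_initial_ticket(conf_text, principal, password, log=None):
    """Obtain a TGT the way the reply describes the library doing it."""
    realm = principal.split("@", 1)[1]
    cfg = parse_realms(conf_text)[realm]
    if log is None:
        log = []
    try:
        # All KDCs here are reachable, so the first "kdc" entry answers and
        # its reply (ticket or error) ends the walk through the "kdc" list.
        return as_req(cfg["kdc"][0], principal, password, log)
    except PreauthFailed:
        master = cfg.get("master_kdc")
        if not master:
            raise  # no master_kdc configured: the error stands
        # Retry once against the master, whose data may be more recent.
        return as_req(master[0], principal, password, log)
```

With CONF_WITHOUT_MASTER the new password fails exactly as in the question, because the slave's error reply is final; with CONF_WITH_MASTER the same request is retried against the master and succeeds, and a still-valid old password is served by the slave without any retry.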