master_kdc tag in krb5.conf

Greg Hudson ghudson at MIT.EDU
Wed Jul 7 11:37:44 EDT 2010


On Wed, 2010-07-07 at 09:42 -0400, Use Nas wrote:
> I am trying to kinit using keytab file and it fails saying that 'not able to
> contact KDC for REALM'. As per the error, it is looking for master_kdc tag
> and fails.
> When I tried it without keytab (prompting for password), it works fine.

I can't really explain much of that.  What Kerberos version, what
platform, and what were the exact commands and error messages?

> So, I want to understand the use of master_kdc tag in krb5.conf file.   What
> are the possible cases where the code will look for master_kdc tag in
> krb5.conf?
> Also in gic_keytab.c file, when do we set use_master variable.

The intent of master_kdc is, in a master/slave KDC environment, to try
again with the master KDC if an initial credentials request fails due to
an incorrect key--because the correct key may not have propagated from
the master to all slaves yet.

The logic is not perfect.  If there is no identified master KDC, the
code will try again anyway, even if the realm has only one KDC.

In gic_keytab.c, the use_master flag can be set either by
krb5int_get_init_creds (when it calls krb5_sendto_kdc) to indicate that
the first try happened to use the master KDC, or by
krb5_get_init_creds_keytab if it sees certain types of errors and didn't
use the master KDC on the first try.
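As an added illustration (not from the original thread or the MIT krb5 sources), a krb5.conf [realms] stanza showing where the master_kdc tag goes and how the retry behavior described above differs between a realm that names a master and one that does not; all hostnames are assumed examples:

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    # Assumed hostnames for illustration only.
    EXAMPLE.COM = {
        # Slaves and master are all listed as ordinary KDCs; the first
        # AS request goes to whichever of these the client reaches.
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        kdc = kdc-master.example.com
        # master_kdc marks which host holds the authoritative database.
        # If the initial credentials request fails with a wrong-key error,
        # the client retries against this host, since a freshly changed
        # key may not have propagated from the master to the slaves yet.
        master_kdc = kdc-master.example.com
        admin_server = kdc-master.example.com
    }

    # A realm with a single KDC and no master_kdc tag: per the reply
    # above, the client still performs the retry, so a bad keytab key
    # shows up as two failed AS requests against the same KDC.
    SINGLE.EXAMPLE.ORG = {
        kdc = kdc.single.example.org
        admin_server = kdc.single.example.org
    }
```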
