kadmin authentication fallback to master?

John Devitofranceschi jdvf at optonline.net
Sat May 10 17:21:55 EDT 2014

> On May 10, 2014, at 17:12, John Devitofranceschi <jdvf at optonline.net> wrote:
>>> On May 10, 2014, at 15:52, Greg Hudson <ghudson at MIT.EDU> wrote:
>>> On 05/10/2014 03:42 PM, John Devitofranceschi wrote:
>>> Is there a way to make MIT's kadmin authenticate its user against the master kdc (in environments where there is only one) when the user's principal is not yet propagated (either due to latency or misadventure)?
>> Like kinit, kadmin will fall back to the master KDC on most AS request
>> errors if a master KDC is defined.  You need to set the master_kdc
>> relation in the realm section or create a _kerberos-master SRV record.
> With which version of Kerberos was master_kdc in the krb5.conf introduced?
> I saw it referenced in a mailing list post from a few years back, but my feeble searches on it turned up nothing useful.
> jd

Ah! I just checked and the message in question called it kdc_master, which is why I couldn't find it.


More information about the Kerberos mailing list