Selective kdc discovery

Paul B. Henson henson at
Thu Nov 5 00:53:39 EST 2020

On Sat, Oct 31, 2020 at 01:02:34AM -0400, Greg Hudson wrote:

> In the MIT krb5 implementation, they are tried in the order specified,
> with a 1s delay in between.  I can't speak to the Java implementation,
> unfortunately.

Ah, so each subsequent server is only used if all the ones before it
failed? There's no mechanism for load balancing when using file-based
KDC configuration?

We're currently using DNS SRV records and all of our KDCs seem to have
fairly equal load. Are DNS SRV records handled differently in terms of
distributing load, or is that just a side effect of the resolver handing
them back in a different order for each lookup?

> The request would fail with an unreachable error, in the MIT implementation.

Thanks for the info. It doesn't look like the java implementation tries
the listed master anyway for a password failure, it just immediately
errors out.
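The difference the two messages above are circling, as an added illustration that is not part of the thread and not code from MIT krb5 or the Java Kerberos implementation: a fixed `kdc =` list in a config file is walked top to bottom on every request (the sequential behaviour Greg describes), so the first entry takes all the load until it fails, whereas SRV records carry a priority and a weight, and a client that applies the RFC 2782 selection rules picks a weighted-random order inside each priority on every lookup, which spreads first attempts across equal-weight KDCs. The SRV records, the file list and the `down` set are constructed sample data; whether a given client library honours SRV weights exactly this way is an assumption, not something the thread confirms.

```python
import random
from collections import Counter

# Constructed sample SRV records (not from the thread), as a resolver might
# return them for a realm's _kerberos._udp lookup: (priority, weight, port, target).
# Lower priority is preferred; weight only matters among records that share a priority.
SRV_RECORDS = [
    (0, 50, 88, "kdc1.example.com"),
    (0, 50, 88, "kdc2.example.com"),
    (0, 50, 88, "kdc3.example.com"),
    (10, 0, 88, "backup-kdc.example.com"),
]

# Constructed file-based equivalent: the "kdc =" lines of a [realms] stanza, in file order.
FILE_KDCS = ["kdc1.example.com", "kdc2.example.com",
             "kdc3.example.com", "backup-kdc.example.com"]


def srv_order(records, rng=None):
    """Order SRV targets the way RFC 2782 describes: ascending priority, then a
    weighted random draw inside each priority group, repeated until the group is empty."""
    rng = rng or random
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # RFC 2782 puts zero-weight records first so they are rarely, but not never, chosen.
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:
                    break
            ordered.append(rec[3])
            group.remove(rec)
    return ordered


def file_order(kdcs):
    """A fixed kdc= list is tried top to bottom on every request; nothing shuffles it."""
    return list(kdcs)


def first_reachable(order, down=frozenset()):
    """Model sequential failover: the first KDC not in the constructed 'down' set gets
    the request, and later entries are never contacted for it."""
    for kdc in order:
        if kdc not in down:
            return kdc
    return None


def first_kdc_distribution(order_fn, trials, seed=0):
    """Count which KDC would receive the first attempt across many fresh lookups.
    order_fn takes a random.Random instance and returns an ordered KDC list."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        counts[first_reachable(order_fn(rng))] += 1
    return counts


if __name__ == "__main__":
    # Expect the three equal-weight KDCs to split SRV first attempts roughly evenly,
    # while the file-based list sends every first attempt to kdc1.
    print("SRV :", first_kdc_distribution(lambda rng: srv_order(SRV_RECORDS, rng), 3000))
    print("file:", first_kdc_distribution(lambda rng: file_order(FILE_KDCS), 3000))
    print("file, kdc1 down:", first_reachable(FILE_KDCS, down={"kdc1.example.com"}))
```

The backup KDC, at priority 10 with weight 0, lands last in every SRV ordering and in the file list alike, so it only sees traffic when everything ahead of it is unreachable; the even load Paul observes follows from the weighted draw among the priority-0 records, not from anything the file-based list does.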

More information about the Kerberos mailing list