Selective kdc discovery

Greg Hudson ghudson at mit.edu
Sat Oct 31 01:02:34 EDT 2020


On 10/29/20 2:13 PM, Paul B. Henson wrote:
> In the krb5.conf file, you can specify kdc's statically, but there is no 
> mechanism for prioritizing them or indicating which ones should be tried 
> first.

In the MIT krb5 implementation, they are tried in the order specified,
with a 1s delay in between.  I can't speak to the Java implementation,
unfortunately.

> You can also specify one or more master_kdc's, but based on the 
> documentation those are only accessed in the case of a password failure 
> on one of the regular kdc entries? If, hypothetically, all of the 
> regular kdc entries timeout, would the master_kdc entries still be used, 
> or would the request simply fail at that point with an unreachable kdc 
> error?

The request would fail with an unreachable error, in the MIT implementation.
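
A krb5.conf fragment illustrating the behaviour described in this reply, as an added example that is not part of the original message. The realm name and hostnames are constructed placeholders.

```ini
# Constructed example: EXAMPLE.COM and the kdc*.example.com hosts are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # Per the reply above, MIT krb5 tries kdc entries in the order
        # they are listed, with a 1s delay in between. The listing order
        # therefore acts as the priority: put the preferred KDC first.
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        kdc = kdc3.example.com

        # Per the reply above, master_kdc is not a fallback for
        # unreachable KDCs: if every kdc entry above times out, the
        # request fails with an unreachable error in MIT krb5, even
        # though this entry is configured.
        master_kdc = kdc-master.example.com
    }
```

If the master should also serve ordinary requests when it is reachable, it has to appear as a `kdc` entry as well, at the position in the list matching the priority it should have.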

