Selective kdc discovery
Greg Hudson
ghudson at mit.edu
Sat Oct 31 01:02:34 EDT 2020
On 10/29/20 2:13 PM, Paul B. Henson wrote:
> In the krb5.conf file, you can specify kdc's statically, but there is no
> mechanism for prioritizing them or indicating which ones should be tried
> first.
In the MIT krb5 implementation, they are tried in the order specified,
with a 1s delay in between. I can't speak to the Java implementation,
unfortunately.
> You can also specify one or more master_kdc's, but based on the
> documentation those are only accessed in the case of a password failure
> on one of the regular kdc entries? If, hypothetically, all of the
> regular kdc entries timeout, would the master_kdc entries still be used,
> or would the request simply fail at that point with an unreachable kdc
> error?
The request would fail with an unreachable error, in the MIT implementation.
More information about the Kerberos
mailing list