Is there a way to steer kinit to a specific kdc?
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Apr 5 10:46:09 EDT 2023

>It *looks* like, in order to check basically fakes this out with a
>krb5.conf that only includes a single KDC (the one being tested).
>
>Is that really the best way to go about it?
>
>Can neither MIT kinit nor the Heimdal one supplied with BSD systems by
>default, not just be forced to a single KDC?

You are correct; there's no easier way to go about it. At least for
MIT Kerberos you could write a "locate" plugin that provided some way
of specifying server locations. That would probably be worse than just
writing out a custom krb5.conf. As a practical matter I could see it
being challenging to design a good API to do that and it would probably
have limited use. I feel your pain because there are a number of
times when I specifically contact a single KDC for testing/development
purposes and I also just edit krb5.conf. FWIW, there are many times
when I want to do some testing and send a TGS-REQ to a particular KDC
and that would involve not just having a modified kinit, so I think
the problem is more complex than it appears.
--Ken
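
The custom-krb5.conf approach described in the message above, as an added example that is not part of the original post or of any Kerberos distribution: it writes a one-KDC krb5.conf per server and points MIT kinit at it through KRB5_CONFIG. The realm, host names, principal and keytab path are constructed placeholders, and a keytab for the test principal is assumed to exist.

```shell
#!/bin/sh
# Added example. Realm, host names, principal and keytab path are constructed.

# Write a krb5.conf that names exactly one KDC and disables DNS discovery,
# so the client library has no other server to fall back to.
write_single_kdc_conf() {   # $1=realm  $2=kdc host[:port]  $3=output file
    cat > "$3" <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $1 = {
        kdc = $2
    }
EOF
}

# Request a TGT from one KDC using a keytab. Returns kinit's exit status.
probe_kdc() {               # $1=realm  $2=kdc  $3=principal  $4=keytab
    tmp=$(mktemp -d) || return 2
    write_single_kdc_conf "$1" "$2" "$tmp/krb5.conf"
    # KRB5_CONFIG replaces the system krb5.conf for this one command;
    # a throwaway ccache keeps the test ticket out of the caller's cache.
    KRB5_CONFIG="$tmp/krb5.conf" KRB5CCNAME="FILE:$tmp/cc" \
        kinit -k -t "$4" "$3" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Probe every KDC in turn; print one line each; non-zero if any failed.
probe_all() {               # $1=realm  $2=principal  $3=keytab  $4...=kdcs
    realm=$1 princ=$2 keytab=$3; shift 3
    failed=0
    for kdc in "$@"; do
        if probe_kdc "$realm" "$kdc" "$princ" "$keytab"; then
            echo "OK   $kdc"
        else
            echo "FAIL $kdc"; failed=1
        fi
    done
    return "$failed"
}
# Usage: probe_all EXAMPLE.TEST monitor@EXAMPLE.TEST /etc/monitor.keytab kdc1.example.test kdc2.example.test
```

Because the temporary file lists no other KDC and DNS lookup is off, a FAIL line means that specific server did not issue a ticket, not that the library silently moved on to the next one.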