[krbdev.mit.edu #6782] Master KDC lookup can use SRV lookups despite profile KDC configuration

Greg Hudson via RT rt-comment at krbdev.mit.edu
Tue Apr 10 14:06:24 EDT 2012


Based on recent discussion here:

http://mailman.mit.edu/pipermail/krbdev/2012-April/010722.html

it would probably not be a good idea to assume that the first-listed KDC 
is the master, especially while there is no protection against contacting 
the same KDC a second time during the fallback to master.  We don't want 
to do fallback in situations where it isn't desired; otherwise we can 
cause extra account lockout strikes against a user who enters the wrong 
password.

A more appropriate change would be to check if there are "kdc" values in 
the profile realm configuration, and if so, not check DNS for a 
_master-kdc record when looking for masters.
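As an added example, not part of the original message or of the krb5 code base, the Python below models the two master-lookup policies the message contrasts: the reported behaviour in which a DNS SRV lookup for the master runs even though the profile lists "kdc" values, and the proposed one in which explicit "kdc" values suppress that lookup. The krb5.conf fragment, the hostnames and the SRV answer table are constructed stand-ins (no real resolver is consulted); the `_kerberos-master` label is the SRV name MIT krb5 uses for master KDCs, and `master_kdc`/`kdc` are the real profile relations. The contact sequence is a simplification: it assumes the client tries every listed KDC in order with a wrong password and then falls back to the masters, which is enough to show the extra lockout strike.

```python
import re
from typing import Callable, Dict, List

# Constructed krb5.conf fragment (hypothetical realms and hosts).
SAMPLE_KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
    }
    OTHER.EXAMPLE = {
        master_kdc = admin.other.example
        kdc = kdc.other.example
    }
    DNSONLY.EXAMPLE = {
        default_domain = dnsonly.example
    }
"""

# Constructed SRV answers standing in for DNS. Note that EXAMPLE.COM's
# master record points at a host that is already in its profile "kdc" list.
FAKE_SRV: Dict[tuple, List[str]] = {
    ("_kerberos", "DNSONLY.EXAMPLE"): ["kdc.dnsonly.example"],
    ("_kerberos-master", "DNSONLY.EXAMPLE"): ["kdc.dnsonly.example"],
    ("_kerberos-master", "EXAMPLE.COM"): ["kdc1.example.com"],
}

RealmConfig = Dict[str, Dict[str, List[str]]]


def parse_realms(conf: str) -> RealmConfig:
    """Minimal parser for the [realms] section: realm -> relation -> values.
    Multi-valued relations such as repeated 'kdc' lines are kept in order."""
    realms: RealmConfig = {}
    current = None
    in_realms = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_realms = line == "[realms]"
            current = None
            continue
        if not in_realms:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            current = m.group(1)
            realms.setdefault(current, {})
            continue
        if line == "}":
            current = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.+)$", line)
        if m and current is not None:
            realms[current].setdefault(m.group(1), []).append(m.group(2).strip())
    return realms


def lookup_srv(service: str, realm: str) -> List[str]:
    """Stand-in for a DNS SRV query (assumption: answers come from FAKE_SRV)."""
    return list(FAKE_SRV.get((service, realm), []))


def kdcs(realms: RealmConfig, realm: str) -> List[str]:
    """Ordinary KDC list: profile 'kdc' values win, otherwise DNS."""
    cfg = realms.get(realm, {})
    return list(cfg["kdc"]) if cfg.get("kdc") else lookup_srv("_kerberos", realm)


def master_kdcs_reported(realms: RealmConfig, realm: str) -> List[str]:
    """Behaviour the bug title describes: without 'master_kdc', go straight
    to DNS, ignoring whether the profile already lists 'kdc' values."""
    cfg = realms.get(realm, {})
    if cfg.get("master_kdc"):
        return list(cfg["master_kdc"])
    return lookup_srv("_kerberos-master", realm)


def master_kdcs_proposed(realms: RealmConfig, realm: str) -> List[str]:
    """Proposed behaviour: explicit 'kdc' values suppress the DNS master
    lookup, so a realm configured only by profile gets no master fallback."""
    cfg = realms.get(realm, {})
    if cfg.get("master_kdc"):
        return list(cfg["master_kdc"])
    if cfg.get("kdc"):
        return []
    return lookup_srv("_kerberos-master", realm)


def contact_sequence(realms: RealmConfig, realm: str,
                     master_lookup: Callable[[RealmConfig, str], List[str]]) -> List[str]:
    """Hosts a client would contact for one wrong-password attempt: every
    ordinary KDC, then every master returned by master_lookup (no dedup,
    mirroring the missing protection the message mentions)."""
    return kdcs(realms, realm) + master_lookup(realms, realm)


def lockout_strikes(sequence: List[str], host: str) -> int:
    """How many failed preauth attempts a given KDC would see."""
    return sequence.count(host)


if __name__ == "__main__":
    realms = parse_realms(SAMPLE_KRB5_CONF)
    for name, policy in (("reported", master_kdcs_reported),
                         ("proposed", master_kdcs_proposed)):
        seq = contact_sequence(realms, "EXAMPLE.COM", policy)
        print(name, seq, "strikes on kdc1:", lockout_strikes(seq, "kdc1.example.com"))
```

Running it shows the reported policy contacting kdc1.example.com twice for a single bad password (two lockout strikes), while the proposed policy stops after the profile's KDCs; realms with an explicit `master_kdc`, or with no profile KDCs at all, behave the same under both policies.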

