[krbdev.mit.edu #7721] [Comment] master_kdc is resolved sooner than necessary

Greg Hudson via RT rt-comment at kerborg-prod-app-1.mit.edu
Sun Apr 23 15:54:07 EDT 2023


http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=7721

The fourth candidate fails because we cannot (without major changes) rewind
the initial creds state to the point of prior KDC requests.

The third candidate could be perhaps improved by having krb5_sendto_kdc()
append to a history of servers used; the servers could then be checked in one
function call making fewer DNS queries (one query per realm contacted during
the exchange).  A side note: what we really want to check for is not "are all
these servers primary" but "are any of these servers replicas".  If a realm
does not have a primary KDC, we want to treat all of its KDCs like primary
KDCs for the purpose of deciding whether to fall back.
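A small model of the "any replicas" fallback check sketched above, added here as an illustration rather than code from the krb5 tree. It assumes a per-exchange history of (realm, server) pairs and stands in a constructed table for the per-realm primary-KDC lookup, so that each realm is looked up once.

```python
"""Model of the fallback decision: fall back only if some server we
contacted is a replica, with realms lacking a primary KDC treated as
all-primary. Not krb5 code; a constructed illustration."""
from collections import defaultdict

# Constructed stand-in for resolving a realm's primary KDC(s) (DNS or
# config). A realm absent here, or mapped to [], has no primary KDC.
PRIMARY_KDCS = {
    "EXAMPLE.COM": ["kdc1.example.com"],
    "NOPRIMARY.ORG": [],
}

lookups = []  # records which realms were resolved (one entry per lookup)


def primary_kdcs_for(realm):
    """One lookup per realm contacted during the exchange."""
    lookups.append(realm)
    return set(PRIMARY_KDCS.get(realm, []))


def should_fall_back(history):
    """history: list of (realm, server) pairs, appended to by each KDC
    request during the initial-creds exchange. Returns True if any
    server used was a replica, i.e. its realm has at least one primary
    KDC and that server is not among them."""
    by_realm = defaultdict(set)
    for realm, server in history:
        by_realm[realm].add(server)
    for realm, servers in by_realm.items():
        primaries = primary_kdcs_for(realm)
        if not primaries:
            # No primary KDC: treat every KDC of this realm as primary.
            continue
        if servers - primaries:
            return True  # a replica answered; worth retrying a primary
    return False
```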